Rule Submission
A large percentage of our rulefile updates come from our users, and testing/verifying each set can become tedious. We therefore request that submissions follow these guidelines:
- When sending a patch, please send a diff against the code in the Git repository, ideally by following these guidelines.
- Rules should not include .* or .+ unless absolutely necessary.
- Be as specific as possible! Prefer classes like [[:alpha:]] and [[:digit:]] to simple [A-Z]-like constructs.
- Rules must start with ^ and end with $. A good template is: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ <daemonname>\[[[:digit:]]+\]: <message>$
- Please include the relevant lines from your logs. Also mention whether they show up as system events or security events/alerts. Sending a patch in addition is better than just your log lines (don't forget the log lines).
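As an added example (not part of this wiki page or of logcheck itself), the following shell script checks a candidate rule built from the template above against constructed sample log lines using grep -E, the extended-regex dialect logcheck rules are written in. The sshd message, host name, addresses, PIDs and key fingerprint are all made up for the example. It also shows why a trailing .* is discouraged: the wildcard rule silently ignores a failed-login line that the specific rule still lets through to the report.

```shell
#!/bin/sh
# Added example, not logcheck's own code: test a candidate rule against
# sample lines with grep -E, the regex dialect logcheck rules use.

# Rule built from the page's template. The sshd message text is the one
# OpenSSH logs for a successful public-key login; all sample values are
# constructed for this example.
GOOD_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [._[:alnum:]-]+ from [[:xdigit:].:]+ port [[:digit:]]+ ssh2: (RSA|ED25519) SHA256:[+/[:alnum:]]+$'

# Over-broad rule that the guidelines discourage: the trailing .* swallows
# every message sshd ever emits, so unexpected lines are never reported.
BAD_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: .*$'

# Constructed sample lines in syslog format: a benign login and a failure
# that a reviewer would want to keep seeing in the logcheck report.
LOGIN='Jan  5 12:34:56 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:AbCd1234'
FAILED='Jan 15 01:02:03 host1 sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2'

# matches RULE LINE: succeeds when LINE is matched by RULE, i.e. when
# logcheck would drop the line from its report.
matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# count_ignored RULE: how many of the sample lines RULE would filter out.
count_ignored() {
    n=0
    for line in "$LOGIN" "$FAILED"; do
        if matches "$1" "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage: show what each rule hides. The specific rule ignores only the
# benign login; the wildcard rule also hides the failed password attempt.
printf 'specific rule ignores %s of 2 sample lines\n' "$(count_ignored "$GOOD_RULE")"
printf 'wildcard rule ignores %s of 2 sample lines\n' "$(count_ignored "$BAD_RULE")"
```

When preparing a submission, run your real log lines through the same check: every line you intend to silence should match, and lines you still want reported (failures, denials, unexpected messages from the same daemon) should not.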
Mail these changes to logcheck-devel@lists.alioth.debian.org or submit as a bug in the Debian BTS (preferred; please don't put unrelated rules/filters into a single bug).
You may also be interested in DevelTipsTricks