Bug#249074: [Logcheck-devel] Bug#249074: logcheck: can't get line to be ignored (user error?)

maks attems debian at sternwelten.at
Sat May 15 01:02:29 UTC 2004


On Fri, 14 May 2004, David M. Dowdle wrote:

> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http
> 
> note that last line was added by me. logcheck is running a "server" level

the above regex is pretty generic,
one shouldn't use '.*' without very good reason and
every rule should end with a '$'.
 
 
> clouded:/etc/logcheck/ignore.d.server# tail -40 /var/log/mail/mail.log |egrep "^\w{3} [ :0-9]{11} 
> [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http"
> May 14 13:42:07 clouded sm-mta[14648]: ruleset=check_relay, arg1=65-57-173-243.forestsavers.com, 
> arg2=65.57.173.243, relay=65-57-173-243.forestsavers.com [65.57.173.243], reject=553 5.3.0 550Blocked by 
> http://www.stearns.org/sa-blacklist/
> [..]
> my regex appears to function, but these lines still show up in logcheck's security emails (not violations).

well, the sections were renamed, we haven't yet reordered the dirs,
but the above message should be reported under "Security Events" not
"System Events".

your best bet for ignoring such messages is to put your rule
in violations.ignore.d in a file named 'local-sendmail'.

anyway, thanks for your bug report and the helpful log messages,
we'll double-check tomorrow and will add a rule for the above log lines
for the next release.
a++ maks
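
Added example, not part of the original message and not logcheck's own rule set: the rule quoted in the thread next to a tighter variant with no '.*' and a trailing '$', run over three sample lines to show what each rule would suppress. TIGHT_RULE, the function names, and sample lines 2 and 3 are assumptions constructed for illustration; line 1 is the log line from the thread with the mail wrapping undone.

```shell
#!/bin/sh
# Added example: loose vs. tight logcheck-style ignore rules.
# logcheck drops lines matching an ignore rule; grep -E -v models that here.

# Rule quoted in the thread: '.*' in the middle, no '$' at the end.
LOOSE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: .* 550Blocked by http'

# Assumed tighter rule (not logcheck's own): every field spelled out, anchored with '$'.
TIGHT_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: ruleset=check_relay, arg1=[._[:alnum:]-]+, arg2=[.0-9]+, relay=[._[:alnum:]-]+ \[[.0-9]+\], reject=553 5\.3\.0 550Blocked by http://www\.stearns\.org/sa-blacklist/$'

# Line 1 is the log line from the thread, unwrapped; lines 2 and 3 are constructed.
sample_log() {
    cat <<'EOF'
May 14 13:42:07 clouded sm-mta[14648]: ruleset=check_relay, arg1=65-57-173-243.forestsavers.com, arg2=65.57.173.243, relay=65-57-173-243.forestsavers.com [65.57.173.243], reject=553 5.3.0 550Blocked by http://www.stearns.org/sa-blacklist/
May 14 13:55:10 clouded sm-mta[14702]: i4EDtAx9014702: to=<admin@example.org>, delay=00:00:01, dsn=5.0.0, stat=Service unavailable, reply=554 550Blocked by http://example.invalid/
May 14 13:56:00 clouded sm-mta[14703]: i4EDu0x9014703: from=<user@example.org>, size=1024, nrcpts=1, relay=localhost [127.0.0.1]
EOF
}

# Print how many sample lines would still be reported under the given rule.
reported_count() {
    sample_log | grep -E -v -c -e "$1" || true
}

# Print the lines that the loose rule hides but the tight rule keeps.
hidden_only_by_loose() {
    sample_log | grep -E -e "$LOOSE_RULE" | grep -E -v -e "$TIGHT_RULE" || true
}

echo "reported with loose rule: $(reported_count "$LOOSE_RULE")"
echo "reported with tight rule: $(reported_count "$TIGHT_RULE")"
echo "hidden only by the loose rule:"
hidden_only_by_loose
```

The loose rule also swallows the unrelated line 2 because '.*' spans any fields and nothing pins the end of the line; the tight rule suppresses only the check_relay rejection it was written for.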
