[Logcheck-devel] dovecot message coming through filters

maximilian attems maks at sternwelten.at
Thu Jul 6 10:20:02 UTC 2006


On Thu, Jul 06, 2006 at 11:02:25AM +0200, martin f krafft wrote:
> Okay, this confuses the hell out of me:
> 
>   [System Events]
>   Jul  6 10:48:23 seamus dovecot: pop3-login: Login: user=<madduck at belligerence.net>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS
> 
> and here's the filter in ignore.d.server:
> 
>   ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$
> 
> Also:
> 
> seamus:~> echo "Jul  6 10:48:23 seamus dovecot: pop3-login: Login: user=<madduck at belligerence.net>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS" | egrep -c "^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$"
> 1
indeed rule seems good.
 
> Yet, for every POP3 (or IMAP) login, I get a logcheck mail. What's
> going on?

did you check that the permissions of your rule file are ok?
does it get sourced when you run logcheck in debug mode?

-- 
maks
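
The two checks suggested in the reply above can be approximated offline with the sketch below. It is an added example, not part of the original message and not logcheck's own code. The helper names check_rules and demo are hypothetical, and the sample log line is constructed with documentation addresses. Run it as the account logcheck runs under so the readability test reflects that account's permissions.

```shell
#!/bin/sh
# check_rules DIR LINE: for every rule file in DIR, report whether it is
# readable and which of its patterns (by line number) match LINE.
check_rules() {
    dir=$1
    line=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ]; then
            echo "unreadable $f"
            continue
        fi
        n=0
        hit=
        while IFS= read -r pat || [ -n "$pat" ]; do
            n=$((n + 1))
            # Skip blank lines and comments: an empty pattern matches everything.
            case $pat in ''|'#'*) continue ;; esac
            if printf '%s\n' "$line" | grep -E -q -e "$pat"; then
                echo "match $f:$n"
                hit=1
            fi
        done < "$f"
        [ -n "$hit" ] || echo "nomatch $f"
    done
}

# demo: build a throwaway rules directory holding the filter quoted in the
# thread plus an unrelated (constructed) sshd rule, then test one log line.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed log line, same shape as the dovecot login line in the thread.
    sample='Jul  6 10:48:23 seamus dovecot: pop3-login: Login: user=<user@example.net>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS'
    cat > "$tmp/dovecot" <<'EOF'
# rule quoted in the thread
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$
EOF
    printf '%s\n' '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: ' > "$tmp/other"
    check_rules "$tmp" "$sample"
    rm -rf "$tmp"
}
```

A file reported as "unreadable", or a rule that matches here while the message still shows up in the report, points away from the regular expression and toward how the file is read.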



