[Logcheck-users] ignore.d.server rule not working?

Jon Foreman JForeman@npr.org
Tue, 19 Apr 2005 12:10:48 -0400


I'm running logcheck on Debian and it seems that a rule I have set in
/etc/logcheck/ignore.d.server/postfix isn't working. When I test the
rule on /var/log/syslog, I see a match. However, logcheck still sends me
a report nonetheless.

Are there certain circumstances where rules in ignore.d.server would be
ignored?

Here is the rule in question:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)

Yet I'm still receiving messages from logcheck like so:

Security Events
=-=-=-=-=-=-=-=
Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034: to=<carol.lakey.hess@stanfordalumni.orgi>, orig_to=<carol.lakey.hess@stanfordalumni.orgi.>, relay=mta.npr.org[172.16.10.176], delay=56757, status=deferred (host mta.npr.org[172.16.10.176] said: 450 <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

Here is proof that my rule is matching such entries from
/var/log/syslog:

prompt: egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)" /var/log/syslog | grep carol.lakey | grep 08:48

Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034: to=<carol.lakey.hess@stanfordalumni.orgi>, orig_to=<carol.lakey.hess@stanfordalumni.orgi.>, relay=mailtransfer.npr.org[172.16.10.176], delay=56757, status=deferred (host mailtransfer.npr.org[172.16.10.176] said: 450 <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

Here is my logcheck.conf:

# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale

#DATE="$(date +'%Y-%m-%d %H:%M')"

#
# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#
#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"

SENDMAILTO="servermail@npr.org"

# Should the hostname of the generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting

#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support

#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path

#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.

#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:

#ATTACKSUBJECT="Attack Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines

# ADDTAG="no"

Here is my logcheck.logfiles file:

# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/syslog
/var/log/auth.log

Thanks,

Jon
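As an added example (not part of Jon's post or of logcheck's own code), this shell script models the order in which logcheck hands one log line to its rule directories, using the log line and the ignore rule quoted above, so the difference between an egrep match and a suppressed report can be checked offline. The violations.d keyword `reject` and the three-stage order are assumptions that simplify logcheck's real script.

```shell
#!/bin/sh
# Added example: models logcheck's filtering order with plain grep.
# Assumptions (not on the page): the keyword "reject" stands in for a
# pattern in /etc/logcheck/violations.d/*, and the three stages below are
# a simplification of what logcheck's own script does.

# The deferred-delivery line quoted in the post, on a single line.
SAMPLE='Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034: to=<carol.lakey.hess@stanfordalumni.orgi>, orig_to=<carol.lakey.hess@stanfordalumni.orgi.>, relay=mta.npr.org[172.16.10.176], delay=56757, status=deferred (host mta.npr.org[172.16.10.176] said: 450 <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected: Domain not found (in reply to RCPT TO command))'

# The ignore rule from the post, on one line as it must be in the rules file.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)'

# Assumed violations.d keyword (constructed for this example).
VIOLATION='reject'

# Returns 0 when line $2 matches extended regex $1 (logcheck uses egrep -f).
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# Classify one line in logcheck's stage order and print the report section
# it lands in, or "suppressed".  $1 = line, $2 = a violations.ignore.d rule
# (may be empty), $3 = an ignore.d.<REPORTLEVEL> rule (may be empty).
classify() {
    line=$1; vignore=$2; signore=$3
    if matches "$VIOLATION" "$line"; then
        # Violation hit: only violations.ignore.d can suppress it here.
        if [ -n "$vignore" ] && matches "$vignore" "$line"; then
            echo suppressed
        else
            echo "Security Events"
        fi
        return 0
    fi
    # Not a violation: ignore.d.<REPORTLEVEL> rules apply to what is left.
    if [ -n "$signore" ] && matches "$signore" "$line"; then
        echo suppressed
    else
        echo "System Events"
    fi
}

# The rule does match the line, yet in ignore.d.server it never sees it.
echo "rule matches line: $(matches "$RULE" "$SAMPLE" && echo yes || echo no)"
echo "rule in ignore.d.server      -> $(classify "$SAMPLE" '' "$RULE")"
echo "rule in violations.ignore.d  -> $(classify "$SAMPLE" "$RULE" '')"
```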