[Logcheck-users] Security Alert despite ignore rule
Heinrich Moser
mail at heinzi.at
Sat Apr 7 15:07:30 UTC 2007
Dear fellow Logcheck users!
Problem description in short:
Lines matching /etc/logcheck/violations.d/logcheck are reported as
"Security Alert", even if they match a line in
/etc/logcheck/violations.ignore.d/local-*.
Problem description in long (i.e. how to reproduce):
Sometimes, Postfix log files contain (spammer's) e-mail addresses with
"bad words", such as "attack". Clearly, these log lines are of no value
to me, so I would like to filter them by putting appropriate regexps in
a file in violations.ignore.d.
For example, my violations.ignore.d/local-postfix contains the following
line:
garak postfix/
("garak" is my host name and I use this line just for debugging -- the
real regexp is, of course, much more specific.)
Now I have a logfile in /tmp/testlog containing the following
(fictional, again, just for debugging) line:
Apr 5 13:13:10 garak postfix/smtpd[21339]: you got mail from <attackme at example.com>
However, running logcheck still shows this line:
$ sudo sudo -u logcheck logcheck -oTtl /tmp/testlog
This email is sent by logcheck. If you wish to no-longer receive it,
you can either deinstall the logcheck package or modify its
configuration file (/etc/logcheck/logcheck.conf).
Security Alerts
=-=-=-=-=-=-=-=
Apr 5 13:13:10 garak postfix/smtpd[21339]: you got mail from <attackme at example.com>
Adding the ignore line to logcheck-postfix rather than to local-postfix
does not help either. Any suggestions?
Version in use: 1.2.39, Debian stable (sarge).
Greetings,
Heinzi
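The following script is an added example and is not part of the post or of the logcheck package. It replays the two-stage violations.d / violations.ignore.d filtering with plain grep on the fictional log line above, using constructed rule files, so the ignore regex can be checked offline. It compares a naive filter (any ignore rule may remove a reported line) with a keyword-constrained one, in which an ignore rule is only honoured if it itself matches a violations.d keyword; that constraint is an assumption made here to illustrate one way the observed symptom can arise, it is not confirmed by the post. The rule names, file names and the second log line are all constructed.

```shell
#!/bin/sh
# Added example (not from the post): replay logcheck-style violation/ignore
# filtering with grep. Assumption (not confirmed by the post): only ignore
# rules that themselves contain a violations.d keyword are applied.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: the fictional line from the post plus one benign line.
cat > "$WORK/testlog" <<'EOF'
Apr 5 13:13:10 garak postfix/smtpd[21339]: you got mail from <attackme at example.com>
Apr 5 13:14:02 garak sshd[21340]: Accepted publickey for heinzi from 192.0.2.10 port 51512 ssh2
EOF

# Constructed violations.d keyword list (one keyword that the spammer address hits).
printf '%s\n' 'attack' > "$WORK/violations"

# Two candidate ignore files: the post's broad debugging rule, and a
# specific rule that also contains the violation keyword.
printf '%s\n' 'garak postfix/' > "$WORK/ignore-broad"
printf '%s\n' 'garak postfix/smtpd\[[0-9]+\]: you got mail from <attackme at example\.com>' \
    > "$WORK/ignore-keyword"

# Stage 1: lines of log $1 matching any keyword in $2 (what would be reported).
violations() { grep -E -f "$2" "$1" || true; }

# Naive stage 2: drop any reported line matching any rule in ignore file $3.
filter_naive() {
    violations "$1" "$2" | { grep -E -v -f "$3" || true; }
}

# Keyword-constrained stage 2: first keep only ignore rules that themselves
# match a keyword, then apply those (assumed behaviour, see comment above).
filter_constrained() {
    grep -E -f "$2" "$3" > "$WORK/ignore-effective" || true
    if [ -s "$WORK/ignore-effective" ]; then
        violations "$1" "$2" | { grep -E -v -f "$WORK/ignore-effective" || true; }
    else
        violations "$1" "$2"
    fi
}

# Helpers returning the number of lines still reported for ignore file $1.
count_naive() {
    filter_naive "$WORK/testlog" "$WORK/violations" "$1" | wc -l | tr -d ' '
}
count_constrained() {
    filter_constrained "$WORK/testlog" "$WORK/violations" "$1" | wc -l | tr -d ' '
}

# Stand-alone report: the broad rule silences the line only under the naive
# model; the keyword-carrying rule silences it under both.
for f in ignore-broad ignore-keyword; do
    echo "$f: naive=$(count_naive "$WORK/$f") constrained=$(count_constrained "$WORK/$f")"
done
```

Run it as an ordinary sh script; it needs only grep, wc, tr and mktemp. If a rule silences the line under the naive model but not under the constrained one, the regex itself is fine and the mismatch lies in how the ignore file is selected or applied, which is the kind of distinction worth knowing before loosening an ignore rule any further.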