[Logcheck-users] can't filter log which contains the word "failure"
Ross Boylan
ross at biostat.ucsf.edu
Tue Jan 16 20:20:07 CET 2007
On Sun, 2007-01-14 at 11:29 +0100, Marius Erni wrote:
> Hi,
>
> For quite some time I have been trying to filter out a log message which contains the
> word failure, and I'm not able to filter it out.
>
> Is this a known issue? How can I filter out this message?
There are several different kinds of notable events in logcheck, and you
need to filter them out in the appropriate place. The highest level of
severity (possible attacks) doesn't even look for things to filter out
by default.
My guess is that you are putting your filter in the wrong place (e.g.,
ignore.d.xxx or violations.ignore.d or the default irrelevant
cracking.ignore.d).
You should also check with grep that your pattern actually does match
the line you are trying to filter out.
>
> The message I would like to filter out is:
> Jan 8 10:49:15 XXX smbd[31464]: read_socket_data: recv failure for 4. Error = No route to host
>
> And that's my rule, which does not work:
> ^\w{3} [ :0-9]{11} XXX smbd\[[0-9]{2,5}\]: +read_socket_data: recv failure for 4\. Error = No route to host$
>
>
> I'm using logcheck 1.2.39 under Debian Stable.
>
>
> Kind regards Marius
>
> _______________________________________________
> Logcheck-users mailing list
> Logcheck-users at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/logcheck-users
--
Ross Boylan                                   wk: (415) 514-8146
185 Berry St #5700                            ross at biostat.ucsf.edu
Dept of Epidemiology and Biostatistics        fax: (415) 514-8150
University of California, San Francisco
San Francisco, CA 94107-1739                  hm: (415) 550-1062
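Ross's advice to check the pattern with grep before blaming the rule directory can be turned into a small offline test. The script below is an added example, not code from the thread or from the logcheck project: it applies the rule from the thread the way logcheck applies ignore rules (extended regex, one pattern per line, `grep -E -f` over the log) and shows why the test must run against the line exactly as syslog wrote it. The log lines, the second sshd line, the temporary file names and the function names are all constructed here; the only thing taken from the thread is the rule itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from logcheck: reproduce
# offline how an ignore rule is applied (grep -E over the log) so a
# pattern can be checked before it goes into an ignore.d.* file.
# Log lines, file names and function names are constructed for this example.

# Constructed copy of the line from the thread. syslog pads a single-digit
# day with a space ("Jan  8"); mail clients and editors often collapse
# that to one space, which changes what the regex has to match.
SAMPLE_LINE='Jan  8 10:49:15 XXX smbd[31464]: read_socket_data: recv failure for 4. Error = No route to host'
COLLAPSED_LINE='Jan 8 10:49:15 XXX smbd[31464]: read_socket_data: recv failure for 4. Error = No route to host'

# The rule from the thread, on a single line (ignore files hold one pattern per line).
RULE='^\w{3} [ :0-9]{11} XXX smbd\[[0-9]{2,5}\]: +read_socket_data: recv failure for 4\. Error = No route to host$'

# rule_matches RULE LINE: exit 0 when the extended regex matches LINE.
# This is the same test grep -E -f applies to every line inside logcheck.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# unfiltered_count: write a constructed two-line log and a one-rule ignore
# file to a temporary directory, apply the rule the way logcheck does
# (grep -E -v -f), and print how many lines would still be reported.
unfiltered_count() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$RULE" > "$tmp/ignore.rule"
    {
        printf '%s\n' "$SAMPLE_LINE"
        # Constructed unrelated line; it must survive the filter.
        printf '%s\n' 'Jan  8 10:50:02 XXX sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2'
    } > "$tmp/syslog.sample"
    grep -E -v -f "$tmp/ignore.rule" "$tmp/syslog.sample" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# Stand-alone run: show both checks and the surviving line count.
if rule_matches "$RULE" "$SAMPLE_LINE"; then
    echo "rule matches the syslog line with the padded day"
fi
if ! rule_matches "$RULE" "$COLLAPSED_LINE"; then
    echo "rule does NOT match the line once the double space is collapsed"
fi
echo "lines logcheck would still report: $(unfiltered_count)"
```

The `[ :0-9]{11}` part of the rule only lines up with the timestamp when the day is space-padded as syslog writes it, so a copy of the line pasted from a mail or a terminal that squeezed the spaces will fail the grep test even though the rule is fine. Testing against a line pulled straight from the log file with `grep -E -f rulefile /var/log/syslog`, rather than a retyped copy, removes that ambiguity before looking at which ignore.d.* directory the rule belongs in.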