[Logcheck-users] cannot get filter right

Ross Boylan ross at biostat.ucsf.edu
Thu Mar 8 19:17:21 CET 2007


On Wed, 2007-03-07 at 14:19 +0000, Gavin McCullagh wrote:
> Hi,
> 
> this has been driving me nuts so I'd love a hint where I'm going wrong.  I
> have fetchmail running, hitting a badly configured pop3 server.  Sadly I
> can't do anything about that so I keep getting this in the logs:
> 
> Mar  7 07:59:12 brooks fetchmail[17737]: Server CommonName mismatch: localhost != mail.xxxxx.yy
> 
> and I'd _really_ like to filter it from logcheck but I can't get the filter
> right.
> 
> I currently have this line in /etc/logcheck/ignore.d.server/fetchmail:
> 
> fetchmail\[[0-9]+\]: +Server CommonName mismatch: localhost != mail.xxxxx.yy
> 
> but that doesn't filter it.  I've tried various other combinations but I
> can't seem to get it right.  The only thing about it that's unlike other
> filters I've written is the presence of the "!=" chars.
> 
> Any suggestions?
I have (under /etc/logcheck)
./violations.ignore.d/local:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: Server CommonName mismatch: ffff != x.y.z$
although I see I have a line in ./ignore.d.workstation/fetchmail too.

I wrote the following before I realized I had a solution.  I haven't
taken all of my own advice!

First, get the offending log line in a separate file so it's easy to
test, and make sure your pattern matches.  I don't see anything obvious,
but you probably should quote like this: mail\.xxxxx\.yyy

Second, recommended practice is to match the entire line, starting with
a ^.  You can see examples of the patterns to use for the start in
existing logcheck files.

Third, it's pretty easy to put the ignore pattern in the wrong spot; you
need to check what level the warning is coming from (is it being
explicitly picked out by cracking or violations, or is it just something
that's failed to be filtered out?) and whether you are using the right
filename (e.g., if a file for program foo picks out the pattern as
special you may need the ignore pattern in a file named foo under
ignore.d/).  You need to study
/usr/share/doc/logcheck-database/README.logcheck-database.gz to get the
exact logic.


> Gavin
-- 
Ross Boylan                                      wk:  (415) 514-8146
185 Berry St #5700                               ross at biostat.ucsf.edu
Dept of Epidemiology and Biostatistics           fax: (415) 514-8150
University of California, San Francisco
San Francisco, CA 94107-1739                     hm:  (415) 550-1062
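
Added example, not part of the original message: the test described in the reply (save the offending line, then check the pattern against it), run with grep -E on the assumption that it evaluates rules the way logcheck does. The near-miss line and the helper names are constructed; the run shows that the unanchored, unescaped rule from the question also hides a line naming a different host, while the whole-line rule does not.

```shell
#!/bin/sh
# Test logcheck-style ignore rules against saved log lines before installing them.

# Log line quoted in the thread, plus a constructed near-miss that should NOT be ignored.
WANTED='Mar  7 07:59:12 brooks fetchmail[17737]: Server CommonName mismatch: localhost != mail.xxxxx.yy'
NEAR_MISS='Mar  7 07:59:13 brooks fetchmail[17737]: Server CommonName mismatch: localhost != mailZxxxxxZyy.example'

# Rule as posted in the question: unanchored, dots unescaped.
LOOSE_RULE='fetchmail\[[0-9]+\]: +Server CommonName mismatch: localhost != mail.xxxxx.yy'
# Whole-line rule: prefix from the reply, dots escaped, closed with $.
STRICT_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: Server CommonName mismatch: localhost != mail\.xxxxx\.yy$'

# survivors RULE: read log lines on stdin, print those the rule does not filter.
survivors() {
    grep -E -v -e "$1" || true   # grep exits 1 when every line is filtered
}

# count_survivors RULE LINE...: number of lines that would still be reported.
count_survivors() {
    rule=$1; shift
    printf '%s\n' "$@" | survivors "$rule" | grep -c '' || true
}

echo "loose rule leaves:  $(count_survivors "$LOOSE_RULE" "$WANTED" "$NEAR_MISS") of 2 lines"
echo "strict rule leaves: $(count_survivors "$STRICT_RULE" "$WANTED" "$NEAR_MISS") of 2 lines"
```

Both rules match the quoted line under grep -E, so this check only covers the pattern itself; whether the rule sits in the right directory and file is a separate question.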