[Logcheck-users] Newbie logcheck questions

Denis Dimick dgdimick at gmail.com
Thu Nov 1 15:53:45 UTC 2007


I'm a newbie to logcheck and need some help writing a rule.

Here's the output I'm trying to block:

Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN

And here's my rule in /etc/logcheck/violations.ignore.d/local-m0n0

^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 -> [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 PR udp len 20 291 K-S IN$

The rule is on one line in that single file (it's the only rule in the file).

I've tested it using:

sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 -> [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 PR udp len 20 291 K-S IN$'

and it prints out the lines I wish to block.

Anyone have any ideas?

Thanks,

Denis
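A way to check an ignore rule against sample lines before it goes into violations.ignore.d, as an added example that is not part of the original post. The rule is the post's pattern with the IP octets widened to `[0-9]+` (an assumption about the intended rule), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: run a logcheck-style ignore
# rule over sample lines with the same grep -E logcheck uses, so a rule can
# be checked before it goes into /etc/logcheck/violations.ignore.d/.

# One regex on one line, as a logcheck rule file expects. The post's pattern
# is kept, with the IP octets changed to [0-9]+ so multi-digit octets match
# (an assumption about the intended rule, not taken from the post).
RULE='^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 -> [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 PR udp len 20 291 K-S IN$'

# Constructed sample lines: the post's SSDP line, a different-port line and
# a tcp variant. Only the first should be suppressed by the rule.
SAMPLE='Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN
Nov  1 09:12:03 m0n0wall ipmon[79]: 09:12:03.101010 xl0 @100:3 p 192.168.2.201,5353 -> 224.0.0.251,5353 PR udp len 20 120 K-S IN
Nov  1 09:12:10 m0n0wall ipmon[79]: 09:12:10.000001 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR tcp len 20 291 K-S IN'

# normalise: the same trailing-whitespace strip the post applies before
# matching, so a stray space at end of line cannot defeat the $ anchor.
normalise() {
    sed -e 's/[[:space:]]*$//'
}

# count_ignored prints how many sample lines the rule would suppress.
count_ignored() {
    printf '%s\n' "$SAMPLE" | normalise | grep -E -c -e "$RULE"
}

# remaining prints the lines logcheck would still report after this rule.
remaining() {
    printf '%s\n' "$SAMPLE" | normalise | grep -E -v -e "$RULE"
}

echo "ignored: $(count_ignored)"
echo "still reported:"
remaining
```

Any line printed under "still reported" either needs its own rule or is one you actually want to see.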