[Logcheck-users] Newbie Log check questions

Denis Dimick dgdimick at gmail.com
Thu Nov 1 17:50:38 UTC 2007


It turned out the rule was fine, however for some reason the file wants
to see a CR/LF at the end of the rule, even if it's the only rule.

Thanks,

Denis

On 11/1/07, Ross Boylan <ross at biostat.ucsf.edu> wrote:
>
> On Thu, 2007-11-01 at 09:53 -0600, Denis Dimick wrote:
> > I'm a newbie to logcheck and need some help writing a rule.
> >
> > Here's the output I'm trying to  block:
> >
> > Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p
> > 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN
> >
> > And here's my rule in /etc/logcheck/violations.ignore.d/local-m0n0
> violations only refers to items caught by the "serious" filters.
> Probably you should put the file in ignore.d.server or one of the other
> ignore.d.* directories, depending on what level you think should have
> this filtered out.
> >
> > ^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]:
> > [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p
> > [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 -> [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 PR
> > udp len 20 291 K-S IN$
> >
> > The rule is on one line in the single file (it's the only rule in the
> > file)
> >
> > I've tested it using:
> >
> > sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '^\w{3} [ :0-9]{11}
> > m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0
> > @100:3 p [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 ->
> > [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 PR udp len 20 291 K-S IN$'
> >
> > and it prints out the data I wish to block.
>
> > Anyone have any ideas?
> >
> > Thanks,
> >
> > Denis
> >
> > _______________________________________________
> > Logcheck-users mailing list
> > Logcheck-users at lists.alioth.debian.org
> > http://lists.alioth.debian.org/mailman/listinfo/logcheck-users
>
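Added example, not part of the thread: a small shell check that catches both problems discussed above before a rule file is installed, the missing trailing newline Denis hit and a rule that does not actually match the line it is meant to suppress. It assumes GNU sed and grep; the sample log line is constructed from the question, and the rule matches each IPv4 octet with `[0-9]+`.

```shell
#!/bin/sh
# Added example, not from the list thread: sanity-check a logcheck ignore
# rule file before dropping it into an ignore.d.* directory.
# Assumes GNU sed/grep. The sample line is constructed from the question.

# Constructed sample line (the m0n0wall ipmon message from the question).
SAMPLE='Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN'

# The rule, on a single line, each IPv4 octet matched by [0-9]+.
RULE='^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 -> [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,1900 PR udp len 20 291 K-S IN$'

# Succeeds only if the rule file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# Count how many stdin lines the rule file would suppress. Same pipeline as
# the question: strip trailing whitespace, then extended regexps from a file
# (grep -E is the same as egrep; the "|| :" keeps set -e quiet on no match).
count_suppressed() {
    sed -e 's/[[:space:]]*$//' | grep -E -c -f "$1" || :
}

# Write the rule to $1, with ($2 = yes) or without a trailing newline.
write_rule_file() {
    if [ "$2" = yes ]; then printf '%s\n' "$RULE" > "$1"; else printf '%s' "$RULE" > "$1"; fi
}

# Report whether a rule file is safe to install: it ends with a newline and
# suppresses the sample line exactly once.
check_rule_file() {
    ends_with_newline "$1" || { echo "$1: missing trailing newline" >&2; return 1; }
    n=$(printf '%s\n' "$SAMPLE" | count_suppressed "$1")
    [ "$n" -eq 1 ] || { echo "$1: rule matched $n lines, expected 1" >&2; return 1; }
    echo "$1: ok"
}
```

Run `check_rule_file /etc/logcheck/ignore.d.server/local-m0n0` after editing; a file saved without a final newline fails the first check before the regexp is even tried.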

