[Logcheck-users] Problem with rules being 'ignored'

Almir Karic redduck666 at gmail.com
Mon Mar 17 06:38:40 UTC 2008


On Sun, Mar 16, 2008 at 9:08 PM, Max Zimmermann
<maxzimmermann at googlemail.com> wrote:
> Hey there, sorry to bug you,
>
>  I've run into a little problem concerning a logcheck rule I just wrote.
>
>  I use logcheck and logcheck-database on Debian Etch. When logcheck
>  reports something to me that I don't want it to, I normally write a rule to
>  match that log entry and put it in a file called my_rules in
>  /etc/logcheck/ignore.d.server/ ... that worked perfectly fine. Until
>  that rule:
>
>  Logcheck keeps reporting this to me:
>
>  Security Events
>  =-=-=-=-=-=-=-=
>  Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE:
>  reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2
>  <220.231.197.4>: Helo command rejected: need fully-qualified hostname;
>  from=<lory9 at syssrc.com> to=<diequeen at klappspaten.info> proto=ESMTP
>  helo=<220.231.197.4>
>
>
>  So I wrote this rule:
>
>  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
>  NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2
>  [^[:space:]]+: Helo command rejected: need fully-qualified hostname;
>  from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$
>
>
>  And to test whether it works:
>
>  uhweb64XXX:/home/max# sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep
>  '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
>  NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2
>  [^[:space:]]+: Helo command rejected: need fully-qualified hostname;
>  from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$'
>
>  And the output works correctly:
>
>  Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE:
>  reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2
>  <220.231.197.4>: Helo command rejected: need fully-qualified hostname;
>  from=<lory9 at syssrc.com> to=<diequeen at klappspaten.info> proto=ESMTP
>  helo=<220.231.197.4>
>
>
>
>  The problem is that logcheck STILL keeps reporting that kind of
>  message to me... including the particular one above. Can someone tell me what
>  I'm doing wrong?


You probably put the rule in the wrong file. Since this is a security
report, the correct file would be
/etc/logcheck/violations.d.ignore/postfix (or local).


http://logcheck.org/docs/README.logcheck-database  <-- where I got the
above info from ;)

-- 
error: one bad user found in front of screen
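
To see why the file matters, here is an added example (my own, not from the thread or from logcheck itself): a small shell model of logcheck's reporting stages, run against a constructed copy of the log line above with the archive's " at " restored to "@". The single keyword standing in for the violations.d patterns and the stage ordering are simplifying assumptions; the directory is spelled violations.ignore.d in logcheck's layout.

```shell
#!/bin/sh
# Added example: a simplified model (assumption) of how logcheck sorts a line into
# "Security Events" or "System Events", and which ignore directory applies to each.

# Constructed log line, modelled on the one in the thread (the list archive had
# turned the '@' in the addresses into ' at ', which would break from=/to=).
LOGLINE='Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE: reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2 <220.231.197.4>: Helo command rejected: need fully-qualified hostname; from=<lory9@syssrc.com> to=<diequeen@klappspaten.info> proto=ESMTP helo=<220.231.197.4>'

# The rule exactly as written in the thread, joined back onto one line.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2 [^[:space:]]+: Helo command rejected: need fully-qualified hostname; from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$'

# Stand-in (assumption) for the keyword patterns in violations.d that promote a
# line to the Security Events section; the real files hold many more patterns.
SEC_PATTERN='reject'

# matches LINE REGEX: strip trailing whitespace as logcheck does, then test the
# extended regex. An empty REGEX stands for "no rule installed" and never matches.
matches() {
    [ -n "$2" ] && printf '%s\n' "$1" | sed -e 's/[[:space:]]*$//' | grep -E -q -e "$2"
}

# classify LINE VIOLATIONS_IGNORE_RULE SERVER_IGNORE_RULE
# Lines hit by violations.d become Security Events unless a rule in
# violations.ignore.d cancels them; ignore.d.server is consulted only for the
# remaining lines, so a rule placed there never touches a Security Event.
classify() {
    if matches "$1" "$SEC_PATTERN"; then
        if matches "$1" "$2"; then echo suppressed; else echo "Security Events"; fi
    elif matches "$1" "$3"; then
        echo suppressed
    else
        echo "System Events"
    fi
}

# Same check as the sed | egrep test in the thread: the rule does match the line.
matches "$LOGLINE" "$RULE" && echo "rule matches the line: yes"
# Rule placed in ignore.d.server/my_rules: the line is still reported.
echo "ignore.d.server/my_rules:    $(classify "$LOGLINE" '' "$RULE")"
# Rule placed in violations.ignore.d/postfix: the line is suppressed.
echo "violations.ignore.d/postfix: $(classify "$LOGLINE" "$RULE" '')"
```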
