[Logcheck-users] Help with a rule
Sergi Baila
sargue at gmail.com
Thu May 1 18:30:40 UTC 2008
Ok, this is the typical message to the list I suppose. But I've really
tried all I can think of and probably need another pair of eyes to
find the glitch.
I have this "Security event"
May 1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0
Which I want to filter out. As it's a 'security' one, I put it in
violations.ignore.d/local
This is the current rule:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$
Which works using
sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'
But logcheck keeps sending me those!
Any idea?
--
www.sargue.net
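The manual test in the post pipes the log through sed to strip trailing whitespace and then runs egrep with the regex on one line. The script below is an added example, not code from the post or from logcheck; it stores the same rule in a file and applies it the way a rule file is applied (one extended regex per line, fed to grep -E -f), so it exercises two things the manual test does not: lines that still carry trailing whitespace, and the rule accidentally wrapped onto two lines in the file. The log lines are constructed for the example, with the traditional syslog double space before a single-digit day, which the [ :0-9]{11} part of the rule relies on.

```shell
#!/bin/sh
# Added example (not from the post or from logcheck): apply a logcheck-style
# ignore rule the way a rule file is applied, one extended regex per line
# given to grep -E -f, against constructed log lines.

# The rule from the post, on a single line.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'

# Constructed sample lines (not captured from a real host). Traditional syslog
# pads a single-digit day with a space ("May  1"); [ :0-9]{11} depends on that.
LOG_CLEAN='May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0'
LOG_TRAILING="${LOG_CLEAN} "   # the same line with one trailing space
LOG_OTHER='May  1 20:09:01 ns1 kernel: some other event 10.0.0.7, on dev eth0'

# Rule file written the way it should be read: the whole regex on one line.
RULEFILE=$(mktemp)
printf '%s\n' "$RULE" > "$RULEFILE"

# The same regex wrapped over two lines, as it appears in the mail. A rule
# reader that takes one regex per line sees two independent, shorter regexes.
WRAPPED_RULEFILE=$(mktemp)
printf '%s\n' \
    '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from' \
    '[.0-9]+, on dev eth.$' > "$WRAPPED_RULEFILE"
trap 'rm -f "$RULEFILE" "$WRAPPED_RULEFILE"' EXIT

# matches_rule LINE RULEFILE: succeeds when any regex in RULEFILE matches LINE.
# Trailing whitespace is deliberately not stripped first.
matches_rule() {
    printf '%s\n' "$1" | grep -E -q -f "$2"
}

# Print which of the three lines a rule file would ignore. The trailing '|'
# makes trailing whitespace visible.
report() {
    for line in "$LOG_CLEAN" "$LOG_TRAILING" "$LOG_OTHER"; do
        if matches_rule "$line" "$1"; then
            printf 'IGNORED : %s|\n' "$line"
        else
            printf 'REPORTED: %s|\n' "$line"
        fi
    done
}

printf '%s\n' '--- rule on one line ---'
report "$RULEFILE"
printf '%s\n' '--- rule wrapped over two lines ---'
report "$WRAPPED_RULEFILE"
```

With the rule on one line, only the clean martian-source line is ignored: the copy with a trailing space fails the `eth.$` anchor (which is exactly what the sed in the post hides), and the unrelated kernel line is still reported. With the rule wrapped, both fragments are unanchored at the break, and the second fragment `[.0-9]+, on dev eth.$` alone matches any line that ends that way, so all three lines are silently ignored, including the one that should have been reported. Checking a rule file against a line that must stay reported is as important as checking the line it is meant to drop.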