[Logcheck-users] Help with a rule

Denis Dimick dgdimick at gmail.com
Thu May 1 19:30:23 UTC 2008


Sergi,

I'd try ignore.d.server, for some reason most of my rules end up there.

HtH,

Denis

On Thu, May 1, 2008 at 12:30 PM, Sergi Baila <sargue at gmail.com> wrote:

> Ok, this is the typical message to the list I suppose. But I've really
> tried all I can think of and probably need some more pairs of eyes to
> find the glitch.
>
> I have this "Security event"
>
> May 1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0
>
> Which I want to filter out. As it's a 'security' one I put it on
> violations.ignore.d/local
>
> This is the current rule:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$
>
> Which works using
>
> sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'
>
> But logcheck keeps sending me those!
>
> Any idea?
>
> --
> www.sargue.net
>
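
The sed and egrep check from the quoted message, written as a small harness that runs the rule from a rule file against several log lines. This is an added example, not part of the original thread and not logcheck's own code. The sample lines are constructed, the function names are hypothetical, and it only tests the pattern itself, not which logcheck directory the rule is read from.

```shell
#!/bin/sh
# Added example: check a logcheck-style rule against constructed syslog lines.

# The rule quoted in the message, as it would sit on one line of a rule file.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'

# Constructed sample lines (not taken from a real host):
#   1. padded single-digit day (two spaces after the month)
#   2. two-digit day, with trailing whitespace
#   3. a single space after the month, as the line is rendered in this archive
#   4. a two-digit interface number, which "eth.$" does not cover
sample_log() {
    printf '%s\n' \
        'May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0' \
        'May 11 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0   ' \
        'May 1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0' \
        'May  1 20:09:02 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth10'
}

# unmatched_lines RULEFILE: read log lines on stdin, strip trailing whitespace
# as the sed command in the message does, and print the lines that no
# pattern in RULEFILE matches (the lines the rule file fails to filter).
unmatched_lines() {
    sed -e 's/[[:space:]]*$//' | grep -E -v -f "$1" || true
}

# run_check: write RULE to a temporary rule file and print the unmatched lines.
run_check() {
    rulefile=$(mktemp) || return 1
    printf '%s\n' "$RULE" > "$rulefile"
    sample_log | unmatched_lines "$rulefile"
    rm -f "$rulefile"
}

run_check
```

Lines 3 and 4 are printed as unmatched: the `[ :0-9]{11}` timestamp field needs the padded day, and `eth.$` allows exactly one character after `eth`.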

