[Logcheck-users] Help with a rule

Aneurin Price aneurin.price at gmail.com
Thu May 1 23:48:10 UTC 2008


On Thu, May 1, 2008 at 7:30 PM, Sergi Baila <sargue at gmail.com> wrote:
> Ok, this is the typical message to the list I suppose. But I've really
>  tried all I can think of and probably need some more pairs of eyes to
>  find the glitch.
>
>  I have this "Security event"
>
>  May 1 20:08:57 ns1 kernel: martian source 192.168.1.3 from
>  192.168.1.3, on dev eth0
>
>  Which I want to filter out. As it's a 'security' one I put it in
>  violations.ignore.d/local
>

<snip>

>
>  But logcheck keeps sending me those!
>
>  Any idea?

Another thing I would try is adding the rule to
/etc/violations.ignore.d/local-foo, where 'foo' is the file which
contains the rule you're trying to suppress. That's the only method
that worked for me with security events, though others seem to have
had different experiences so I suppose it must depend on the version
you're using.


