[Logcheck-users] Help with a rule
Ross Boylan
ross at biostat.ucsf.edu
Fri May 2 01:11:15 UTC 2008
On Thu, 2008-05-01 at 20:30 +0200, Sergi Baila wrote:
> Ok, this is the typical message to the list I suppose. But I've really
> tried all I can think of and probably need some more pairs of eyes to
> find the glitch.
>
> I have this "Security event"
>
> May 1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0
>
> Which I want to filter out. As it's a 'security' one I put it on
> violations.ignore.d/local
If the violation is triggered by a package-specific rule, you need a
package-specific file to cancel it out. I think local-package is OK,
but you should check the readme for logcheck-databases to be sure.
>
> This is the current rule:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$
>
> Which works using
>
> sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'
>
> But logcheck keeps sending me those!
>
> Any idea?
The other possibility is the rule doesn't work with egrep, which is what
logcheck uses. You might want to double check.
Ross
>
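An added example, not from the thread, of the check Ross suggests: apply the posted rule the way logcheck does, with `grep -E -f` (the same engine as `egrep`) on a rule file after trailing whitespace is stripped, against constructed syslog lines. It assumes GNU grep, which understands `\w`; the sample log lines and temp file names are constructed here.

```shell
#!/bin/sh
# Replay a logcheck ignore rule against sample lines and report what would
# still be mailed out. Assumes GNU grep (\w is a GNU extension).

RULES=$(mktemp)
LOG=$(mktemp)
trap 'rm -f "$RULES" "$LOG"' EXIT

# The ignore rule exactly as posted in the thread, one rule per line.
cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$
EOF

# Constructed sample log. The day of month is space-padded ("May  1"), as
# syslog writes it; the second martian line carries a trailing blank, and the
# third line is unrelated and must NOT be ignored by the rule.
{
  printf '%s\n'  'May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0'
  printf '%s \n' 'May  1 20:09:03 ns1 kernel: martian source 10.0.0.7 from 10.0.0.7, on dev eth1'
  printf '%s\n'  'May  1 20:10:11 ns1 sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50122 ssh2'
} > "$LOG"

# clean: drop trailing whitespace, as the sed pipeline in the thread does.
clean() { sed -e 's/[[:space:]]*$//'; }

# rule_matches LINE: exit 0 when the rule file ignores LINE, 1 otherwise.
rule_matches() {
  printf '%s\n' "$1" | clean | grep -E -q -f "$RULES"
}

# count_reported FILE: number of lines that survive the ignore rules,
# i.e. what logcheck would still report.
count_reported() {
  clean < "$1" | grep -E -v -c -f "$RULES" || true
}

echo "lines still reported: $(count_reported "$LOG")"
clean < "$LOG" | grep -E -v -f "$RULES"
```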