[Logcheck-users] Help with a rule
Sergi Baila
sargue at gmail.com
Fri May 2 15:45:57 UTC 2008
Solved!
I've put the rule in a violations.ignore.d/local-kernel file.
It's the first time I've needed this; probably an update to logcheck.
The docs aren't clear on this, so thanks to all for your help.
On Fri, May 2, 2008 at 3:11 AM, Ross Boylan <ross at biostat.ucsf.edu> wrote:
> On Thu, 2008-05-01 at 20:30 +0200, Sergi Baila wrote:
> > Ok, this is the typical message to the list, I suppose. But I've really
> > tried all I can think of and probably need another pair of eyes to
> > find the glitch.
> >
> > I have this "Security event"
> >
> > May 1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0
> >
> > Which I want to filter out. As it's a 'security' one I put it on
> > violations.ignore.d/local
> If the violation is triggered by a package-specific rule, you need a
> package-specific file to cancel it out. I think local-package is OK,
> but you should check the readme for logcheck-databases to be sure.
>
> >
> > This is the current rule:
> >
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$
> >
> > Which works using
> >
> > sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'
> >
> > But logcheck keeps sending me those!
> >
> > Any idea?
> The other possibility is the rule doesn't work with egrep, which is what
> logcheck uses. You might want to double check.
>
> Ross
> >
>
--
www.sargue.net
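Ross's suggestion to double-check the rule with egrep, carried through as an added example (this is not code from the thread or from logcheck itself). It replays what logcheck does with an ignore file: strip trailing whitespace, then run `egrep -v -f rulefile`, against a few constructed syslog lines, so you can see which lines the posted rule swallows and which survive. The function names, the temporary rule file and the sample lines are my own; it assumes GNU grep, since `\w` in an ERE is a GNU extension and `grep -E` is what `egrep` invokes.

```shell
#!/bin/sh
# Added example, not code from the thread or from logcheck: replay logcheck's
# own check of an ignore rule (strip trailing whitespace, then egrep -v -f
# rulefile) against constructed syslog lines. Assumes GNU grep (\w is a GNU
# extension to POSIX EREs).

# Constructed sample lines. The first mirrors the martian-source line from the
# thread; syslog pads a single-digit day with a space, hence "May  1". The
# second carries trailing spaces inside the quotes to show why the sed step
# matters for a rule anchored with "$".
SAMPLE_LOG=$(printf '%s\n' \
  'May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0' \
  'May  1 20:09:01 ns1 kernel: martian source 10.0.0.5 from 10.0.0.5, on dev eth1  ' \
  'May  1 20:09:03 ns1 sshd[1234]: Failed password for root from 10.0.0.9 port 4444 ssh2' \
  'May  1 20:09:05 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev ppp0')

# The ignore rule exactly as posted in the thread, on a single line.
IGNORE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'

# Write the rule to a temporary file and feed it to grep with -f, the way
# logcheck reads its rule files; a rule that works inline but not from a file
# usually has a quoting or trailing-whitespace problem.
make_rulefile() {
    rulefile=$(mktemp)
    printf '%s\n' "$IGNORE_RULE" > "$rulefile"
    printf '%s\n' "$rulefile"
}

# Number of sample lines the rule matches, i.e. lines logcheck would drop.
count_ignored() {
    rulefile=$(make_rulefile)
    n=$(printf '%s\n' "$SAMPLE_LOG" | sed -e 's/[[:space:]]*$//' \
        | grep -E -c -f "$rulefile" || true)
    rm -f "$rulefile"
    printf '%s\n' "$n"
}

# Lines that survive the rule, i.e. what logcheck would still report.
remaining_lines() {
    rulefile=$(make_rulefile)
    printf '%s\n' "$SAMPLE_LOG" | sed -e 's/[[:space:]]*$//' \
        | grep -E -v -f "$rulefile"
    rm -f "$rulefile"
}

# Stand-alone run: print what would still be reported. Expected: the sshd line
# and the ppp0 line; both eth lines are swallowed by the rule.
remaining_lines
```

If the rule matches here but logcheck still reports the line, the regex is not the problem; look instead at which file in violations.ignore.d the rule lives in, which has to correspond to the violations.d file that produced the hit (Ross's point above, and what the local-kernel filename fixed for Sergi). The `ppp0` line is kept on purpose: the posted rule only covers `eth` interfaces, so a martian on any other interface would still be reported.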