On Sun, Mar 16, 2008 at 9:08 PM, Max Zimmermann
<maxzimmermann at googlemail.com> wrote:
> Hey there, sorry to bug you,
>
> I've run into a little problem concerning a logcheck rule I just
> wrote.
>
> I use logcheck and logcheck-database on Debian Etch. When logcheck
> reports something to me that I don't want it to, I normally write a rule
> to match that log entry and put it in a file called my_rules in
> /etc/logcheck/ignore.d.server/ ... that worked perfectly fine. Until
> that rule:
>
> Logcheck keeps reporting this to me:
>
> Security Events
> =-=-=-=-=-=-=-
> Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE:
> reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2
> <220.231.197.4>: Helo command rejected: need fully-qualified hostname;
> from=<lory9 at syssrc.com> to=<diequeen at klappspaten.info> proto=ESMTP
> helo=<220.231.197.4>
>
>
> So I wrote this rule:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
> NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2
> [^[:space:]]+: Helo command rejected: need fully-qualified hostname;
> from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$
>
>
> And to test whether it works:
>
> uhweb64XXX:/home/max# sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep
> '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
> NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2
> [^[:space:]]+: Helo command rejected: need fully-qualified hostname;
> from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$'
>
> And the output works correctly:
>
> Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE:
> reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2
> <220.231.197.4>: Helo command rejected: need fully-qualified hostname;
> from=<lory9 at syssrc.com> to=<diequeen at klappspaten.info> proto=ESMTP
> helo=<220.231.197.4>
>
>
>
> The problem is that logcheck STILL keeps reporting that kind of
> message to me... including the particular one above. Can someone tell
> me what I'm doing wrong?
You probably put the rule in the wrong file: since this is a security
report, the correct file would be
/etc/logcheck/violations.d.ignore/postfix (or local).
http://logcheck.org/docs/README.logcheck-database <-- where I got the
above info from ;)
--
error: one bad user found in front of screen
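To see why the rule in ignore.d.server had no effect, here is a small emulation of the order in which logcheck applies its rule directories (an added illustration, not logcheck's own code). The "reject" keyword pattern stands in for the violations.d keyword files, the directory names follow the Debian package (violations.ignore.d holds the ignore rules for security events), and the sample line is the one from the mail with constructed placeholder addresses.

```shell
#!/bin/sh
# Constructed sample: the reject_warning line from the thread, addresses replaced.
LINE='Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE: reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2 <220.231.197.4>: Helo command rejected: need fully-qualified hostname; from=<sender@example.com> to=<rcpt@example.net> proto=ESMTP helo=<220.231.197.4>'

# Constructed stand-in for a violations.d keyword file: any "reject" (any case)
# turns the line into a security event before the ignore directories are consulted.
VIOLATION_RE='[Rr][Ee][Jj][Ee][Cc][Tt]'

# The rule exactly as written in the mail (trailing whitespace already trimmed,
# as logcheck's sed step does).
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2 [^[:space:]]+: Helo command rejected: need fully-qualified hostname; from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$'

# classify LINE DIR: DIR is the directory the rule was dropped into
# (ignore.d.server or violations.ignore.d). Prints the report section the
# line lands in, or "suppressed" if the rule is in a directory that applies.
classify() {
    line=$1; dir=$2
    if printf '%s\n' "$line" | grep -E -q "$VIOLATION_RE"; then
        # Security event: only rules in violations.ignore.d can remove it.
        if [ "$dir" = violations.ignore.d ] && printf '%s\n' "$line" | grep -E -q "$RULE"; then
            echo suppressed
        else
            echo "Security Events"
        fi
    else
        # Ordinary line: rules in ignore.d.server apply here.
        if [ "$dir" = ignore.d.server ] && printf '%s\n' "$line" | grep -E -q "$RULE"; then
            echo suppressed
        else
            echo "System Events"
        fi
    fi
}

classify "$LINE" ignore.d.server      # Security Events (rule never consulted)
classify "$LINE" violations.ignore.d  # suppressed
```

The regex itself matches, as the egrep test in the mail showed; the line is simply classified as a security event first, and ignore.d.server rules are not applied to that set.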