Lia Treffman
2005-Nov-21 21:57 UTC
[Logcheck-devel] Bug#340226: logcheck does not successfully filter postfix/policy-spf or amavis
Package: logcheck
Version: 1.2.39

I am using Linux smtp 2.6.8-2-686-smp and libc6 2.3.2.ds1-22.

I am running logcheck on a server named smtp, and I would like to filter all lines in /var/log/syslog matching the following expressions:

  Nov 21 19:29:13 smtp postfix/policy-spf[1429]: blah blah blah
  Nov 21 19:23:01 smtp amavis[31328]: blah blah blah

I have a file called 'noise':

  smtp postfix/policy-spf.*$
  smtp amavis.*$

When I run 'grep -f noise /var/log/syslog', I get the expected result. For convenience, I have attached 'noise' and 'sample_syslog', which is a sterilized segment of our /var/log/syslog.

I have tried running logcheck with 'noise' in the following directories:

  /etc/logcheck/ignore.d -> ignore.d.server
  /etc/logcheck/violations.ignore.d
  /etc/logcheck/cracking.ignore.d

I have also tried putting the text of 'noise' in the following files:

  /etc/logcheck/ignore.d/postfix or amavis (as appropriate)
  /etc/logcheck/violations.ignore.d/logcheck-postfix or logcheck-amavis (as appropriate)

All of the postfix/policy-spf and amavis records appear in the email. I have also tried it with the '^\w{3} [ :0-9]{11} [._[:alnum:]-]+' lead-in to the regex and it doesn't make a difference.

There are other regexes in /etc/logcheck/ignore.d files which also do not filter as they are supposed to. However, the postfix/policy-spf and amavis are the most problematic.

Thank you for your time and assistance in this matter.

Sincerely,
Lia M. Treffman

-- 
Lia Treffman
Optivel, Inc.
317-275-2304
Network Systems Developer / DBA
Sorcerer's Apprentice
ltreffman at optivel.com
http://www.optivel.com

Attachments (scrubbed by the list archive):

  logcheck.conf   http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051121/ab64ed4d/attachment.txt
  sample_syslog   http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051121/ab64ed4d/attachment-0001.txt
  noise           http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051121/ab64ed4d/attachment-0002.txt
  signature.asc   OpenPGP digital signature (application/pgp-signature, 251 bytes)
                  http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051121/ab64ed4d/attachment.pgp
Todd Troxell
2005-Nov-22 03:58 UTC
Bug#340226: [Logcheck-devel] Bug#340226: logcheck does not successfully filter postfix/policy-spf or amavis
Hi Lia,

On Mon, Nov 21, 2005 at 04:57:26PM -0500, Lia Treffman wrote:
> I am using Linux smtp 2.6.8-2-686-smp and libc6 2.3.2.ds1-22.
> 
> I am running logcheck on a server named smtp, and I would like to filter
> all lines in /var/log/syslog matching the following expressions:
> 
> Nov 21 19:29:13 smtp postfix/policy-spf[1429]: blah blah blah
> Nov 21 19:23:01 smtp amavis[31328]: blah blah blah
> 
> I have a file called 'noise':
> 
> smtp postfix/policy-spf.*$
> smtp amavis.*$
> 
> When I run 'grep -f noise /var/log/syslog', I get the expected result.
> For convenience, I have attached 'noise' and 'sample_syslog', which is a
> sterilized segment of our /var/log/syslog.
> 
> I have tried running logcheck with 'noise' in the following directories:
> /etc/logcheck/ignore.d -> ignore.d.server
> /etc/logcheck/violations.ignore.d
> /etc/logcheck/cracking.ignore.d
> 
> I have also tried putting the text of 'noise' in the following files:
> /etc/logcheck/ignore.d/postfix or amavis (as appropriate)
> /etc/logcheck/violations.ignore.d/logcheck-postfix or logcheck-amavis
> (as appropriate)
> 
> All of the postfix/policy-spf and amavis records appear in the email. I
> have also tried it with the '^\w{3} [ :0-9]{11} [._[:alnum:]-]+' lead-in
> to the regex and it doesn't make a difference.
> 
> There are other regexes in /etc/logcheck/ignore.d files which also do
> not filter as they are supposed to. However, the postfix/policy-spf and
> amavis are the most problematic.

I was unable to reproduce this. I dropped your noise file into my /etc/logcheck/ignore.d.server/ and ran it through your sample_syslog in both 1.2.39 and current CVS head to no avail.

Are you sure the permissions are correct on your rule files/dirs?

-- 
Todd Troxell
http://xtat.rapidpacket.com/
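The test loop the report describes (a hand-run grep -f against sample_syslog) as an added shell example, not code from this thread or from the logcheck package: it emulates logcheck's ignore pass with grep -E -v -f, runs Lia's bare rules and an anchored form of them over constructed sample lines, and lints the rule file for the usual reasons a rule that matches under a manual grep is silently ineffective once logcheck reads it (CRLF line endings, trailing whitespace, a file the unprivileged logcheck user cannot read). The sample log lines, the anchored rules, the CRLF copy and the lint checks are mine; the thread does not establish what caused the reported failure.

```shell
#!/bin/sh
# Added example, not from the thread or from logcheck: emulate logcheck's
# ignore-rule pass (a grep -E -v -f over the new log lines) so a rule file
# can be tested before it goes into /etc/logcheck/ignore.d.server/.

# Constructed sample log lines, modelled on the two quoted in the report.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Nov 21 19:29:13 smtp postfix/policy-spf[1429]: blah blah blah
Nov 21 19:23:01 smtp amavis[31328]: blah blah blah
Nov 21 19:30:44 smtp sshd[2001]: Failed password for root from 10.0.0.5 port 4022 ssh2
Nov 21 19:31:02 smtp postfix/smtpd[1500]: connect from unknown[10.0.0.9]
EOF

# The bare rules as posted in the report.
BARE_RULES=$(mktemp)
cat >"$BARE_RULES" <<'EOF'
smtp postfix/policy-spf.*$
smtp amavis.*$
EOF

# The same rules with the lead-in logcheck's stock rules use, so they match
# only from the start of a syslog line (timestamp, then hostname).
ANCHORED_RULES=$(mktemp)
cat >"$ANCHORED_RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*$
EOF

# A CRLF copy of the bare rules (constructed failure case): each pattern now
# ends in "$<CR>", which can never match a line that ends without a CR.
CRLF_RULES=$(mktemp)
awk '{ printf "%s\r\n", $0 }' "$BARE_RULES" >"$CRLF_RULES"

trap 'rm -f "$SAMPLE_LOG" "$BARE_RULES" "$ANCHORED_RULES" "$CRLF_RULES"' EXIT

# apply_ignore RULEFILE LOGFILE: print the lines that survive the ignore pass
# and would still reach the report. Blank lines and comments are stripped
# first; grep exits 1 when every line was ignored, which is not an error here.
apply_ignore() {
    rules=$1; log=$2
    clean=$(mktemp)
    grep -E -v '^[[:space:]]*$|^#' "$rules" >"$clean"
    grep -E -v -f "$clean" "$log" || [ $? -eq 1 ]
    rm -f "$clean"
}

# surviving_count RULEFILE LOGFILE: number of lines left after the ignore pass.
surviving_count() {
    apply_ignore "$1" "$2" | wc -l | tr -d ' '
}

# lint_rules RULEFILE: flag the usual reasons a rule matches under a manual
# grep but not when logcheck reads the file. Returns non-zero on any finding.
lint_rules() {
    f=$1; rc=0
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings"; rc=1
    fi
    # A space before the $ anchor silently breaks an otherwise good rule.
    if grep -q '[[:space:]]$' "$f"; then
        echo "$f: trailing whitespace"; rc=1
    fi
    # logcheck runs as its own unprivileged user (logcheck on Debian), so the
    # file must be readable by that account, not only by root.
    # ASSUMPTION: test -r checks the current user; to check as the logcheck
    # account, run this script as that user, which needs root.
    if [ ! -r "$f" ]; then
        echo "$f: not readable"; rc=1
    fi
    return $rc
}

echo "== bare rules: lines that still get reported =="
apply_ignore "$BARE_RULES" "$SAMPLE_LOG"
echo "== anchored rules =="
apply_ignore "$ANCHORED_RULES" "$SAMPLE_LOG"
echo "== CRLF copy: nothing is filtered =="
apply_ignore "$CRLF_RULES" "$SAMPLE_LOG"
lint_rules "$BARE_RULES" && echo "$BARE_RULES: looks clean"
lint_rules "$CRLF_RULES" || echo "$CRLF_RULES: would not work under logcheck"
```

Both the bare and the anchored rules drop the two noisy lines and leave the sshd and smtpd lines for the report, which is the behaviour the report says a manual grep -f gives; the CRLF copy drops nothing, and lint_rules catches it. Run the lint as the account logcheck actually runs under, since a file root can read may still be unreadable there.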