Ok, this is the typical message to the list I suppose. But I've really tried all I can think of and probably need another pair of eyes to find the glitch.

I have this "Security event":

May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0

which I want to filter out. As it's a 'security' one I put it in violations.ignore.d/local.

This is the current rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$

which works using

sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'

But logcheck keeps sending me those!

Any idea?

-- 
www.sargue.net
Sergi,

I'd try ignore.d.server, for some reason most of my rules end up there.

HtH,
Denis

On Thu, May 1, 2008 at 12:30 PM, Sergi Baila <sargue at gmail.com> wrote:
> Ok, this is the typical message to the list I suppose. But I've really
> tried all I can think of and probably need another pair of eyes to
> find the glitch.
>
> I have this "Security event"
>
> May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from
> 192.168.1.3, on dev eth0
>
> Which I want to filter out. As it's a 'security' one I put it in
> violations.ignore.d/local
>
> This is the current rule:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from
> [.0-9]+, on dev eth.$
>
> Which works using
>
> sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11}
> [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev
> eth.$'
>
> But logcheck keeps sending me those!
>
> Any idea?
>
> --
> www.sargue.net
On Thu, May 1, 2008 at 7:30 PM, Sergi Baila <sargue at gmail.com> wrote:
> Ok, this is the typical message to the list I suppose. But I've really
> tried all I can think of and probably need another pair of eyes to
> find the glitch.
>
> I have this "Security event"
>
> May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from
> 192.168.1.3, on dev eth0
>
> Which I want to filter out. As it's a 'security' one I put it in
> violations.ignore.d/local
>
<snip>
>
> But logcheck keeps sending me those!
>
> Any idea?

Another thing I would try is adding the rule to /etc/violations.ignore.d/local-foo, where 'foo' is the file which contains the rule you're trying to suppress. That's the only method that worked for me with security events, though others seem to have had different experiences, so I suppose it must depend on the version you're using.
On Thu, 2008-05-01 at 20:30 +0200, Sergi Baila wrote:
> Ok, this is the typical message to the list I suppose. But I've really
> tried all I can think of and probably need another pair of eyes to
> find the glitch.
>
> I have this "Security event"
>
> May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from
> 192.168.1.3, on dev eth0
>
> Which I want to filter out. As it's a 'security' one I put it in
> violations.ignore.d/local

If the violation is triggered by a package-specific rule, you need a package-specific file to cancel it out. I think local-package is OK, but you should check the readme for logcheck-databases to be sure.

> This is the current rule:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from
> [.0-9]+, on dev eth.$
>
> Which works using
>
> sed -e 's/[[:space:]]*$//' syslog | egrep '^\w{3} [ :0-9]{11}
> [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev
> eth.$'
>
> But logcheck keeps sending me those!
>
> Any idea?

The other possibility is the rule doesn't work with egrep, which is what logcheck uses. You might want to double check.

Ross
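To make Ross's "double check with egrep" concrete, here is an added example script that is not from the thread and not logcheck's own code. It replays the matching step the thread describes (strip trailing whitespace from the log, then run grep -E with the ignore file as the pattern list) over a few constructed log lines, modelled on the one Sergi posted, and prints the lines that would still be reported. It also shows two ways the rule as posted can look right in an interactive egrep and still fail from a file: the `eth.$` tail only accepts a one-character interface suffix, and a trailing space left in the rule file stops the `$` anchor from matching anything. The sample lines, the file names under the temporary directory and the assumption of GNU grep (whose ERE understands `\w` and `[[:alnum:]]`) are mine; whether logcheck itself strips trailing whitespace from rule files is not something this thread establishes.

```shell
#!/bin/sh
# Added example, not from the thread or from logcheck: replay the
# "sed | grep -E -f <ignorefile>" step on constructed sample lines and
# report what would survive the ignore file. Assumes GNU grep.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log, modelled on the line in the thread. The second
# entry carries trailing spaces (stripped by sed, as in the thread), the
# third uses a two-digit interface name, the fourth is unrelated noise.
printf '%s\n' \
  'May  1 20:08:57 ns1 kernel: martian source 192.168.1.3 from 192.168.1.3, on dev eth0' \
  'May  1 20:09:02 ns1 kernel: martian source 10.0.0.7 from 10.0.0.7, on dev eth1   ' \
  'May  1 20:09:10 ns1 kernel: martian source 10.0.0.7 from 10.0.0.7, on dev eth10' \
  'May  1 20:10:00 ns1 sshd[1234]: Failed password for root from 10.0.0.9 port 51234 ssh2' \
  > "$WORK/syslog"

# The rule exactly as posted, in a file named like the ignore file.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: martian source [0-9.]+ from [.0-9]+, on dev eth.$'
printf '%s\n' "$RULE" > "$WORK/local"

# The same rule with one trailing space, as an editor may leave behind.
printf '%s \n' "$RULE" > "$WORK/local-trailing"

# Print the log lines ($2) matched by no pattern in the ignore file ($1):
# these are the lines that would still be reported. grep exits 1 when
# every line is ignored, which is the desired outcome, so do not let
# that status abort a script run under set -e.
unignored() {
    sed -e 's/[[:space:]]*$//' "$2" | grep -E -v -f "$1" || true
}

# Number of lines that survive the ignore file.
count_unignored() {
    unignored "$1" "$2" | wc -l | tr -d ' '
}

echo "== rule as posted: still reported =="
unignored "$WORK/local" "$WORK/syslog"          # eth10 line and sshd line
echo "== rule with a trailing space: still reported =="
unignored "$WORK/local-trailing" "$WORK/syslog" # every line, the $ never matches
```

Run it against a real ignore file and a copy of the real syslog by pointing the two arguments of `unignored` at those files instead of the constructed ones; if the martian lines come out, the regex is the problem, and if they do not, the file name or directory (the point Denis, the third reply and Ross raise) is the next thing to check.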