martin f krafft
2006-Jul-23 06:54 UTC
[Logcheck-devel] Fwd: seamus.madduck.net 2006.07.23.0050 System Events
This in today:

----- Forwarded message from logcheck at seamus.madduck.net -----

System Events
=-=-=-=-=-=-
Jul 23 00:45:09 seamus sshd[22983]: Address 66.132.142.188 maps to admin.trumedia.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

----- End forwarded message -----

There is a violations.ignore.d rule for these files, shouldn't that
automatically also filter them at the ignore.d level?

I am not sure what the answer is, but I thought the above was the
behaviour. I could not find a bug report about this.

Since violations.d is a set of escalation filters, it would make
sense for violations.ignore.d to be a set of de-escalation filters,
but I don't think this is what the documentation suggests.

Please advise.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net at madduck

spamtraps: madduck.bogus at madduck.net

no cat has eight tails. a cat has one tail more than no cat.
therefore, a cat has nine tails.

Todd Troxell
2006-Jul-26 03:05 UTC
[Logcheck-devel] Fwd: seamus.madduck.net 2006.07.23.0050 System Events
On Sun, Jul 23, 2006 at 07:54:59AM +0100, martin f krafft wrote:
> This in today:
>
> ----- Forwarded message from logcheck at seamus.madduck.net -----
>
> System Events
> =-=-=-=-=-=-
> Jul 23 00:45:09 seamus sshd[22983]: Address 66.132.142.188 maps to admin.trumedia.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
>
> ----- End forwarded message -----
>
> There is a violations.ignore.d rule for these files, shouldn't that
> automatically also filter them at the ignore.d level?
>
> I am not sure what the answer is, but I thought the above was the
> behaviour. I could not find a bug report about this.
>
> Since violations.d is a set of escalation filters, it would make
> sense for violations.ignore.d to be a set of de-escalation filters,
> but I don't think this is what the documentation suggests.
>
> Please advise.

Yes, yes it should. There was a bug report about this somewhere... Gah!

To be clear, the violations.ignore.d should filter things at the ignore.d level. Currently it does not.

--
Todd Troxell
http://rapidpacket.com/~xtat
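
The layering discussed in this thread, as an added example that is not part of the original messages and is not logcheck's own code: a simplified shell model that compares the behaviour described as current (a line matched by violations.ignore.d still lands in System Events) with the behaviour both posters expected. The rule patterns, the `exampled` log lines and the function names are assumptions made for illustration; only the sshd line comes from the thread.

```shell
#!/bin/sh
# Simplified model of the filter layers; NOT logcheck's code.
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Sample log: first line is from the thread, the rest are constructed.
cat > "$W/log" <<'EOF'
Jul 23 00:45:09 seamus sshd[22983]: Address 66.132.142.188 maps to admin.trumedia.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jul 23 00:46:01 seamus exampled[100]: POSSIBLE BREAK-IN ATTEMPT! on port 9
Jul 23 00:47:01 seamus exampled[100]: routine heartbeat
Jul 23 00:48:01 seamus exampled[100]: disk nearly full
EOF

# Constructed stand-ins for one rule file per directory.
printf '%s\n' 'POSSIBLE BREAK-IN ATTEMPT' > "$W/violations"
printf '%s\n' 'sshd\[[0-9]+\]: Address [0-9.]+ maps to [^ ]+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$' > "$W/violations.ignore"
printf '%s\n' 'exampled\[[0-9]+\]: routine heartbeat' > "$W/ignore"

# Security Events: escalated by violations.d, de-escalated by violations.ignore.d.
security_events() {
    grep -E -f "$W/violations" "$W/log" | grep -E -v -f "$W/violations.ignore" || true
}

# System Events: lines not already reported above, minus ignore.d matches.
#   current  - violations.ignore.d is not consulted at this layer
#   proposed - violations.ignore.d also filters at the ignore.d level
system_events() {
    rules="$W/ignore"
    if [ "$1" = proposed ]; then
        cat "$W/ignore" "$W/violations.ignore" > "$W/combined"
        rules="$W/combined"
    fi
    security_events > "$W/sec"
    grep -F -x -v -f "$W/sec" "$W/log" | grep -E -v -f "$rules" || true
}

for mode in current proposed; do
    echo "== System Events ($mode) =="
    system_events "$mode"
done
```

In this model the sshd reverse-mapping line is printed under `current` and absent under `proposed`, while the unrelated "disk nearly full" line is reported in both.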