Jon Foreman
2005-Apr-19 16:22 UTC
[Logcheck-users] ignore.d.server rule not working? - try again..
Please disregard that first message... there were a couple of significant typos. Here is the real deal:

I'm running logcheck on Debian and it seems that a rule I have set in /etc/logcheck/ignore.d.server/postfix isn't working. When I test the rule on /var/log/syslog, I see a match. However, logcheck still sends me a report nonetheless. Are there certain circumstances where rules in ignore.d.server would be ignored?

Here is the rule in question:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)

Yet I'm still receiving messages from logcheck like so:

Security Events
=-=-=-=-=-=-=-=
Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034: to=<carol.lakey.hess@stanfordalumni.orgi>, orig_to=<carol.lakey.hess@stanfordalumni.orgi.>, relay=mta.npr.org[172.16.10.176], delay=56757, status=deferred (host mta.npr.org[172.16.10.176] said: 450 <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

Here is proof that my rule is matching such entries from /var/log/syslog:

prompt: egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)" /var/log/syslog | grep carol.lakey | grep 08:48
Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034: to=<carol.lakey.hess@stanfordalumni.orgi>, orig_to=<carol.lakey.hess@stanfordalumni.orgi.>, relay=mta.npr.org[172.16.10.176], delay=56757, status=deferred (host mta.npr.org[172.16.10.176] said: 450 <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

Please note, my rule is matching other items that are NOT being sent by logcheck. I guess there is something about this particular log entry that is causing logcheck to bypass my rule in /etc/logcheck/ignore.d.server/postfix.
Here is my logcheck.conf:

# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale
#DATE="$(date +'%Y-%m-%d %H:%M')"
#
# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#
#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.
REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"
SENDMAILTO="servermail@npr.org"

# Should the hostname of the generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting
#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support
#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path
#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:
#ATTACKSUBJECT="Attack Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines
# ADDTAG="no"

Here is my logcheck.logfiles file:

# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/syslog
/var/log/auth.log

Thanks,
Jon

_______________________________________________
Logcheck-users mailing list
Logcheck-users@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-users
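Editor's added example, not code from the post above and not logcheck's own script. The report section in the post is headed "Security Events", which is the SECURITYSUBJECT section of the posted logcheck.conf. To this editor's understanding of the logcheck of that era, that section is built from lines matched by the patterns in violations.d, and exceptions for it are read from violations.ignore.d; the ignore.d.<REPORTLEVEL> directories are consulted only for lines that fall through to "System Events". The script below is a stripped-down model of that routing (it omits cracking.d, sorting and deduplication) so the effect of placing the same rule in each directory can be checked offline. The log line, the single violations.d pattern ("rejected") and the temporary rule directory are all constructed for the example; the ignore rule is the one from the post, with the mail client's quoted-printable "=3D" decoded back to "=".

```shell
#!/bin/sh
# Added example (not code from the original post and not logcheck's own script).
# A stripped-down model of how logcheck routes a log line into a report
# section. Assumption (stated in the lead-in): lines matched by violations.d
# are reported as "Security Events" and only violations.ignore.d can
# suppress them; ignore.d.<REPORTLEVEL> is consulted only for lines that
# fall through to "System Events". The log line, the violation pattern and
# the temporary rule directory are constructed for this example.
set -u

# Constructed log line, same shape as the one in the post (reserved example names).
LOGLINE='Apr 19 08:48:44 mailhost postfix/smtp[9758]: C9F75660034: to=<user@example.invalid>, relay=mx.example.net[192.0.2.25], delay=56757, status=deferred (host mx.example.net[192.0.2.25] said: 450 <user@example.invalid>: Recipient address rejected: Domain not found (in reply to RCPT TO command))'

# The ignore rule exactly as posted. Note \w is a GNU grep extension, not POSIX ERE.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)'

# Stand-in for a violations.d pattern. Debian ships its own list; this
# single word is an assumption chosen so that it hits the line above.
VIOLATION='rejected'

# write_rule FILE PATTERN: one pattern per line, or an empty file for "".
# grep -f on an empty file matches nothing, which is what an empty
# ignore directory amounts to.
write_rule() {
    if [ -n "$2" ]; then printf '%s\n' "$2" > "$1"; else : > "$1"; fi
}

# make_ruledir DIR SERVER_IGNORE VIOLATIONS_IGNORE: lay out the three
# directories the model consults, mirroring the layout under /etc/logcheck.
make_ruledir() {
    mkdir -p "$1/violations.d" "$1/violations.ignore.d" "$1/ignore.d.server"
    write_rule "$1/violations.d/local" "$VIOLATION"
    write_rule "$1/ignore.d.server/local" "$2"
    write_rule "$1/violations.ignore.d/local" "$3"
}

# matches LINE RULEFILE: true if any pattern in RULEFILE matches LINE,
# using grep -E -f the way logcheck feeds its rule files to grep.
matches() {
    printf '%s\n' "$1" | grep -E -q -f "$2"
}

# classify RULEDIR LINE: print the section the line lands in, or "suppressed".
classify() {
    if matches "$2" "$1/violations.d/local"; then
        # A violations.d hit is only ever filtered by violations.ignore.d.
        if matches "$2" "$1/violations.ignore.d/local"; then
            echo suppressed
        else
            echo "Security Events"
        fi
    elif matches "$2" "$1/ignore.d.server/local"; then
        echo suppressed
    else
        echo "System Events"
    fi
}

# The check the poster ran by hand with egrep: the rule does match the line.
rule_matches() {
    printf '%s\n' "$LOGLINE" | grep -E -q -e "$RULE"
}

# Scenario A: rule only in ignore.d.server (the setup described in the post).
scenario_server_only() {
    d=$(mktemp -d)
    make_ruledir "$d" "$RULE" ""
    classify "$d" "$LOGLINE"
    rm -rf "$d"
}

# Scenario B: the same rule placed in violations.ignore.d instead.
scenario_violations_ignore() {
    d=$(mktemp -d)
    make_ruledir "$d" "" "$RULE"
    classify "$d" "$LOGLINE"
    rm -rf "$d"
}

if rule_matches; then echo "rule matches the line: yes"; fi
echo "rule in ignore.d.server only:  $(scenario_server_only)"
echo "rule in violations.ignore.d:   $(scenario_violations_ignore)"
```

Under the model, scenario A reports the line under "Security Events" even though the rule matches it, which is the symptom in the post; scenario B suppresses it. The practical check for a real installation is therefore which heading the unwanted line appears under in the report: a line under "Security Events" needs its exception in /etc/logcheck/violations.ignore.d/, while ignore.d.server only silences lines that would otherwise be reported as "System Events".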