I'm using DSPAM and am trying to figure out a rule so the following events
are ignored:

System Events
=-=-=-=-=-=-
Feb 18 15:14:00 LX02 dspam[2916]: innocent message from 213.247.50.151
Feb 18 15:43:30 LX02 dspam[2916]: spam detected from 194.109.127.153
In developing a ruleset for both events I came to these expressions:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: spam detected from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: innocent message from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]$
When testing those expressions with:

egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: spam detected from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]" /var/log/syslog

and

egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: innocent message from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]" /var/log/syslog

both give the correct result when running:

For the 1st expression:
Feb 18 10:17:09 LX02 dspam[2916]: spam detected from 194.109.127.152
Feb 18 14:06:54 LX02 dspam[2916]: spam detected from 194.109.127.153
Feb 18 14:06:54 LX02 dspam[2916]: spam detected from 194.109.127.153
Feb 18 14:10:59 LX02 dspam[2916]: spam detected from 192.25.206.28
Feb 18 14:13:26 LX02 dspam[2916]: spam detected from 192.25.206.28
Feb 18 15:43:30 LX02 dspam[2916]: spam detected from 194.109.127.153
Feb 18 16:04:55 LX02 dspam[2916]: spam detected from 194.109.127.153
Feb 18 17:22:31 LX02 dspam[2916]: spam detected from 194.109.127.153
For the 2nd expression:
Feb 18 09:45:17 LX02 dspam[2916]: innocent message from 213.247.50.151
Feb 18 10:56:06 LX02 dspam[2916]: innocent message from 213.247.50.151
Feb 18 15:14:00 LX02 dspam[2916]: innocent message from 213.247.50.151
So both should work fine?

I added the rules to /etc/logcheck/ignore.d.server with package name dspam,
but it doesn't seem to pick them up.

Some light on how to make it work would be appreciated.

Regards,
Michael Honkoop
Jamie L. Penman-Smithson
2006-Feb-18  18:07 UTC
[Logcheck-users] DSPAM rule not functioning ?
Hey Michael,

On 18 Feb 2006, at 17:06, Michael Honkoop wrote:
> I'm using DSPAM and am trying to figure out a rule so the
> following events are ignored:
<snip>
> Feb 18 15:14:00 LX02 dspam[2916]: innocent message from 213.247.50.151
> Feb 18 15:43:30 LX02 dspam[2916]: spam detected from 194.109.127.153
>
> In developing a ruleset for both events I came to these expressions:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ dspam\[[0-9]+\]: spam detected
> from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]$
<snip>
> added the rules to /etc/logcheck/ignore.d.server with packagename
> dspam
> but it doesn't seem to pick it up..
<snip>

Firstly, if you come across log messages not filtered by logcheck (not including debug messages), you should either send them to the logcheck-devel mailing list <logcheck-devel@lists.alioth.debian.org> or submit them in a bug against logcheck-database in the BTS - that way everyone benefits.

If you do add local rules that aren't suitable for inclusion in logcheck (i.e. they are debug messages), you should add them to local-foo, instead of foo, since local- files will never be overwritten on upgrade.

Are you sure that logcheck can read your new rules? Make sure that it is owned by root:logcheck and chmod 0640.

-j
Jamie L. Penman-Smithson
2006-Feb-19  15:06 UTC
[Logcheck-users] DSPAM rule not functioning ?
Hey Michael,

On 18 Feb 2006, at 19:57, Michael Honkoop wrote:
> thanx for replying, and i'll resubmit it to the appropriate list.
> furthermore i've checked the following :
>
> I am sure logcheck sees the entry, when running
>
> su -s /bin/bash -c "/usr/sbin/logcheck -t -l /var/log/syslog -d -o" logcheck
>
> D: [1140292378] cleanrules: /etc/logcheck/ignore.d.server/dspam
>
> so it should read the file ?
> Also i've already checked for permissions, and they are 640
>
> -rw-r----- 1 root logcheck 208 2006-02-17 21:42 dspam

Can you try with the latest version of logcheck (1.2.43a) and see if it resolves your problem?

Thanks,
-j