Marius Erni
2007-Jan-14 11:36 UTC
[Logcheck-users] can't filter log which contains the word "failure"
Hi,

For quite some time I have been trying to filter out a log message which contains the word failure. And I'm not able to filter it out.

Is this a known issue? How can I filter out this message?

The message I would like to filter out is:

Jan 8 10:49:15 XXX smbd[31464]: read_socket_data: recv failure for 4. Error = No route to host

And that's my rule, which does not work:

^\w{3} [ :0-9]{11} XXX smbd\[[0-9]{2,5}\]: +read_socket_data: recv failure for 4\. Error = No route to host$

I'm using logcheck 1.2.39 under Debian Stable.

Kind regards
Marius
Ross Boylan
2007-Jan-16 20:50 UTC
[Logcheck-users] can't filter log which contains the word "failure"
On Sun, 2007-01-14 at 11:29 +0100, Marius Erni wrote:
> Hi,
>
> For quite some time I have been trying to filter out a log message which
> contains the word failure. And I'm not able to filter it out.
>
> Is this a known issue? How can I filter out this message?

There are several different kinds of notable events in logcheck, and you need to filter them out in the appropriate place. The highest level of severity (possible attacks) doesn't even look for things to filter out by default.

My guess is that you are putting your filter in the wrong place (e.g., ignore.d.xxx or violations.ignore.d or the default irrelevant cracking.ignore.d).

You should also check with grep that your pattern actually does match the line you are trying to filter out.

> The message I would like to filter out is:
> Jan 8 10:49:15 XXX smbd[31464]: read_socket_data: recv failure for 4. Error = No route to host
>
> And that's my rule, which does not work:
> ^\w{3} [ :0-9]{11} XXX smbd\[[0-9]{2,5}\]: +read_socket_data: recv failure for 4\. Error = No route to host$
>
> I'm using logcheck 1.2.39 under Debian Stable.
>
> Kind regards
> Marius

--
Ross Boylan                                      wk:  (415) 514-8146
185 Berry St #5700                               ross@biostat.ucsf.edu
Dept of Epidemiology and Biostatistics           fax: (415) 514-8150
University of California, San Francisco
San Francisco, CA 94107-1739                     hm:  (415) 550-1062
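
The two checks suggested in the reply above (does the pattern match, and is it in the right directory), as an added example that is not part of the original thread or of logcheck itself. It is a simplified model of the layers run on a throwaway rule tree; the "failure" keyword rule in violations.d, the file names, and the two-space day padding in the sample line are assumptions made for the demonstration.

```shell
#!/bin/sh
# Simplified model of logcheck's rule layers, using a constructed rule tree
# in a temporary directory (not a real /etc/logcheck).
# Assumption: some violations.d rule matches the keyword "failure".

RULE='^\w{3} [ :0-9]{11} XXX smbd\[[0-9]{2,5}\]: +read_socket_data: recv failure for 4\. Error = No route to host$'
# Constructed sample line; syslog pads a single-digit day with a second space.
LINE='Jan  8 10:49:15 XXX smbd[31464]: read_socket_data: recv failure for 4. Error = No route to host'

# matches DIR LINE: true if any rule file in DIR matches LINE (egrep syntax).
matches() {
    [ -d "$1" ] || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\n' "$2" | grep -E -q -f "$f" && return 0
    done
    return 1
}

# classify RULEROOT LINE: print where the line ends up in this model.
classify() {
    if matches "$1/cracking.d" "$2"; then
        echo "security-alert"      # cracking.ignore.d is not consulted by default
    elif matches "$1/violations.d" "$2"; then
        if matches "$1/violations.ignore.d" "$2"; then
            echo "ignored"
        else
            echo "security-event"  # ignore.d.* rules are never tried here
        fi
    elif matches "$1/ignore.d.server" "$2"; then
        echo "ignored"
    else
        echo "system-event"
    fi
}

# demo PLACEMENT: put RULE into directory PLACEMENT, then classify LINE.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/violations.d" "$root/$1"
    printf '%s\n' 'failure' > "$root/violations.d/keywords"   # assumed keyword rule
    printf '%s\n' "$RULE" > "$root/$1/local-smbd"
    classify "$root" "$LINE"
    rm -rf "$root"
}

demo ignore.d.server        # rule matches the line but sits in the wrong layer
demo violations.ignore.d    # same rule, now in the layer that is consulted
```
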