On Wed, 2007-03-07 at 14:19 +0000, Gavin McCullagh wrote:
> Hi,
>
> this has been driving me nuts so I'd love a hint where I'm going wrong. I
> have fetchmail running, hitting a badly configured pop3 server. Sadly I
> can't do anything about that so I keep getting this in the logs:
>
> Mar 7 07:59:12 brooks fetchmail[17737]: Server CommonName mismatch: localhost != mail.xxxxx.yy
>
> and I'd _really_ like to filter it from logcheck but I can't get the filter
> right.
>
> I currently have this line in /etc/logcheck/ignore.d.server/fetchmail:
>
> fetchmail\[[0-9]+\]: +Server CommonName mismatch: localhost != mail.xxxxx.yy
>
> but that doesn't filter it. I've tried various other combinations but I
> can't seem to get it right. The only thing about it that's unlike other
> filters I've written is the presence of the "!=" chars.
>
> Any suggestions?

I have (under /etc/logcheck)

./violations.ignore.d/local:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: Server CommonName mismatch: ffff != x.y.z$

although I see I have a line in ./ignore.d.workstation/fetchmail too.

I wrote the following before I realized I had a solution. I haven't
taken all of my own advice!

First, get the offending log line in a separate file so it's easy to
test, and make sure your pattern matches. I don't see anything obvious,
but you probably should quote like this: mail\.xxxxx\.yyy

Second, recommended practice is to match the entire line, starting with
a ^. You can see examples of the patterns to use for the start in
existing logcheck files.

Third, it's pretty easy to put the ignore pattern in the wrong spot; you
need to check what level the warning is coming from (is it being
explicitly picked out by cracking or violations, or is it just something
that's failed to be filtered out?) and whether you are using the right
filename (e.g., if a file for program foo picks out the pattern as
special you may need the ignore pattern in a file named foo under
ignore.d/). You need to study
/usr/share/doc/logcheck-database/README.logcheck-database.gz to get the
exact logic.

> Gavin
--
Ross Boylan wk: (415) 514-8146
185 Berry St #5700 ross@biostat.ucsf.edu
Dept of Epidemiology and Biostatistics fax: (415) 514-8150
University of California, San Francisco
San Francisco, CA 94107-1739 hm: (415) 550-1062
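
Added example, not part of the original message: a small harness for the first and third steps above, testing a full-line pattern against a saved log line and showing how the file the rule is placed in decides the outcome. The layering is a simplified model, and the log line, the host mail.example.org and the violations.d entry are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of logcheck's layering (an assumption for illustration; the
# README.logcheck-database file has the exact logic): a line matched by
# violations.d is reported unless violations.ignore.d matches it; any other
# line is reported unless ignore.d.* matches it.

# Constructed sample line and rule; mail.example.org is a placeholder host.
LINE='Mar  7 07:59:12 brooks fetchmail[17737]: Server CommonName mismatch: localhost != mail.example.org'
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: Server CommonName mismatch: localhost != mail\.example\.org$'
VIOL='Server CommonName mismatch'  # hypothetical violations.d entry

# classify LINE VIOLATIONS VIOLATIONS_IGNORE IGNORE -> security|system|ignored
classify() {
    if printf '%s\n' "$1" | grep -Eq -f "$2"; then
        if printf '%s\n' "$1" | grep -Eq -f "$3"; then echo ignored
        else echo security; fi
    elif printf '%s\n' "$1" | grep -Eq -f "$4"; then echo ignored
    else echo system
    fi
}

# placement FILE: put RULE in "ignore" or "violations.ignore" and classify LINE.
placement() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$VIOL" > "$dir/violations"
    : > "$dir/violations.ignore"
    : > "$dir/ignore"
    printf '%s\n' "$RULE" > "$dir/$1"
    classify "$LINE" "$dir/violations" "$dir/violations.ignore" "$dir/ignore"
    rm -rf "$dir"
}

echo "rule in ignore.d.server:     $(placement ignore)"
echo "rule in violations.ignore.d: $(placement violations.ignore)"
```

With the hypothetical violations.d entry in place, the same correct rule leaves the line reported when it sits in the plain ignore file and suppresses it only from the violations.ignore file.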