Hi, I've recently 'inherited' a spam filtering machine which is using logcheck, and there is one security event which happens reasonably frequently, but I can't figure out how to ignore. Coming from postfix, I get messages like this:

    Sep 2 05:38:10 spamFilter postfix/cleanup[30479]: 7E38AABB27: reject: header Received: from 201-67-127-134.pvoce702.dsl.brasiltelecom.net.br (201-67-127-134.pvoce702.dsl.brasiltelecom.net.br [201.67.127.134])??by spamFilter.xxxx (Postfix) with ESMTP id 7E38AABB27??for < from 201-67-127-134.pvoce702.dsl.brasiltelecom.net.br[201.67.127.134]; from=<max_griffith at bigwalnut.k12.oh.us> to=<xxxx at xxxx> proto=ESMTP helo=<201-67-127-134.pvoce702.dsl.brasiltelecom.net.br>: Message content rejected

At first I added the following rule to /etc/logcheck/ignore.d.server/postfix (I'm using REPORTLEVEL="server"):

    ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: reject:.*$

This of course didn't help, and it occurred to me that the word 'reject' was causing it to be seen as a security violation, so I added the same line to /etc/logcheck/violations.ignore.d/logcheck-postfix; that didn't help either. (I guess I should really add rules to some extra custom file rather than modifying the existing ones, but that hadn't occurred to me at the time.)

The expression does match the offending messages (using grep -E), so I'm unsure what I should be trying now. I don't want to mess with the system too much because I'm still learning how it works, but if anybody could point out an oversight I've made (or even a total misunderstanding!), I would be grateful.

Thanks for your time,
Aneurin Price
Aneurin Price
2007-Sep-12 15:50 UTC
[Logcheck-users] [Resolved]Difficulty filtering security event
Replying to myself for the benefit of anybody coming via Google (as I found at least a couple of unanswered posts describing the same issue), a brief - and more to the point - description of the problem:

Some log entries trigger security events matching patterns in "/etc/logcheck/violations.d/logcheck", and it doesn't seem possible to ignore them with entries in "/etc/logcheck/violations.ignore.d/<some-file>".

According to README.logcheck-database, "The solution is to use a file named in the specially-privileged ./logcheck-<packagename> format: "/etc/logcheck/violations.ignore.d/logcheck-fooserver". This can contain patterns provided by that particular package which nonetheless need to take precedence over the generic rules."

Perplexingly, adding an entry to "/etc/logcheck/violations.ignore.d/logcheck-postfix" appeared to have no effect. However, the document continues with, "./local or ./local-<packagename> Sysadmins can use the "local-*" filenames to create their own additions to the "logcheck-*" pattern lists."

Adding the filter rule to "/etc/violations.ignore.d/local-postfix" did indeed work as expected.

Thanks,
Aneurin Price
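As an added example (not part of the thread above, and not logcheck's own code), the script below dry-runs a candidate ignore rule the way a sysadmin would want to before touching /etc/logcheck: it models logcheck's security-event pass as "grep the log with the violations.d keywords, then drop lines that match a violations.ignore.d pattern" (a simplified assumption about the implementation, sufficient for testing patterns), using a constructed log excerpt modelled on the cleanup reject in the first post and the exact regex the poster ended up putting in local-postfix. The violations keyword list, host names and addresses are constructed, not taken from a real installation.

```shell
#!/bin/sh
# Dry-run a logcheck security-event ignore rule (added example, assumed model
# of logcheck's two-step filter: violations.d match, then violations.ignore.d).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log. Line 1 mirrors the postfix/cleanup header reject from
# the post (syslog pads the day with a space, hence "Sep  2"); line 2 is a
# harmless cleanup line; line 3 is an smtpd reject the rule must NOT silence.
cat > "$WORK/syslog" <<'EOF'
Sep  2 05:38:10 spamFilter postfix/cleanup[30479]: 7E38AABB27: reject: header Received: from host.example.invalid (host.example.invalid [192.0.2.10]); from=<sender@example.invalid> to=<user@example.invalid> proto=ESMTP helo=<host.example.invalid>: Message content rejected
Sep  2 05:38:11 spamFilter postfix/cleanup[30479]: 7E38AABB27: message-id=<20070902053810.7E38AABB27@example.invalid>
Sep  2 05:38:12 spamFilter postfix/smtpd[30480]: NOQUEUE: reject: RCPT from host.example.invalid[192.0.2.10]: 554 5.7.1 Service unavailable
EOF

# Constructed stand-in for violations.d/logcheck: keywords that turn a line
# into a "security event" (the real file carries many more patterns).
printf '%s\n' 'reject' 'denied' > "$WORK/violations"

# The ignore rule from the thread, as it would sit in
# /etc/logcheck/violations.ignore.d/local-postfix.
cat > "$WORK/ignore" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: reject:.*$
EOF

# security_events LOG VIOLATIONS [IGNORE]
# Print the lines logcheck would report: violation matches that no ignore
# pattern covers. grep exits 1 when nothing matches, which is not an error here.
security_events() {
    log=$1; viol=$2; ign=${3:-}
    { grep -E -f "$viol" "$log" || true; } | {
        if [ -n "$ign" ] && [ -s "$ign" ]; then
            grep -E -v -f "$ign" || true
        else
            cat
        fi
    }
}

# count_events LOG VIOLATIONS [IGNORE]
# Number of lines that would still be reported.
count_events() {
    security_events "$@" | wc -l | tr -d ' '
}

echo "Without the ignore rule ($(count_events "$WORK/syslog" "$WORK/violations") events):"
security_events "$WORK/syslog" "$WORK/violations"
echo
echo "With local-postfix ($(count_events "$WORK/syslog" "$WORK/violations" "$WORK/ignore") event):"
security_events "$WORK/syslog" "$WORK/violations" "$WORK/ignore"
```

Running it shows the cleanup reject disappearing while the smtpd reject survives, which is the check worth doing on any rule before it goes into violations.ignore.d: an anchored pattern that names the exact daemon (`postfix/cleanup`) keeps the rest of the `reject` traffic reportable. Note that the ignore.d.server tree the first post tried applies to the ordinary system-events pass, which is why a pattern there never reached these lines; only violations.ignore.d can silence a violations.d match.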