RE: Logcheck amavisd-new and do_executable/do_unzip
> -----Original Message-----
> From: Fisher, Jason [mailto:JFisher@Huitt-Zollars.com]
> Sent: Tuesday, November 29, 2005 3:20 PM
> To: debian-user@lists.debian.org
> Subject: Logcheck amavisd-new and do_executable/do_unzip
>
> Hi all. I run a server that receives email using exim4 which
> in turn hands email off to amavisd-new for virus-scanning and
> spam-checking. I run logcheck which sends email highlighting
> specific entries from my various logs. Logcheck has a series
> of files named after each program which tell the logcheck
> program which messages to ignore. My problem is that I can't
> get logcheck to ignore amavisd-new's error messages about
> do_executable/do_unzip failing. It seems I don't understand
> the syntax correctly. Here is what I have tried in order to
> get the messages at the bottom excluded:
>
> amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable/do_unzip
>
> And
>
> amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable\/do_unzip
>
> Has anyone out there figured out what line to put in
> logcheck's amavisd-new file to get the messages below
> excluded from logcheck's report?
>
> Thanks
>
> Jason
>
>
> Security Events
> =-=-=-=-=-=-=-=
> Nov 29 14:02:04 linttrap amavis[18737]: (18737-03)
> do_executable/do_unzip failed, ignoring: format error: bad signature:
> 0x00905a4d at offset 0 in file
> /var/lib/amavis/tmp/amavis-20051129T140130-18737/parts/part-00003
>
>
I may have solved this myself. After closer inspection of the readme
files supplied with the logcheck package, I noticed where it said that
keywords will over-ride ignore filters. Further reading explained that
to over-ride keywords, you can create a file in
/etc/logcheck/violations.ignore.d/logcheck-(packagename). I created a
logcheck-amavisd-new file and added the line:
amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable\/do_unzip
from the amavisd-new file in /etc/logcheck/ignore.d.server/amavisd-new.
This seems to be working.
Perhaps this will be of help to someone else.
Jason
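
Added example, not part of the original message and not logcheck's own code: a simplified shell model of the layering described above, showing why the same regex has no effect in ignore.d.server while a keyword matches, and takes effect once it is also in violations.ignore.d. The keyword "failed" and the temporary rule tree are assumptions made for the demonstration; the log line is the one from the report, rejoined onto one line.

```shell
#!/bin/sh
# Simplified model of logcheck's rule layering; not logcheck's own code.
# Rule files hold one extended regex per line and are applied with grep -E.

# Ignore rule in the post's first form ("/" needs no escaping in an ERE).
RULE='amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable/do_unzip'
# Report line from the post, rejoined onto a single line.
LINE='Nov 29 14:02:04 linttrap amavis[18737]: (18737-03) do_executable/do_unzip failed, ignoring: format error: bad signature: 0x00905a4d at offset 0 in file /var/lib/amavis/tmp/amavis-20051129T140130-18737/parts/part-00003'

# matches DIR LINE: succeed if any rule file in DIR matches LINE.
matches() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if printf '%s\n' "$2" | grep -E -q -f "$f"; then return 0; fi
    done
    return 1
}

# classify ROOT LINE: print where LINE ends up under the rules in ROOT.
classify() {
    if matches "$1/violations.d" "$2"; then
        # A keyword hit is only cancelled by violations.ignore.d.
        if matches "$1/violations.ignore.d" "$2"; then echo ignored
        else echo security-events; fi
    elif matches "$1/ignore.d.server" "$2"; then echo ignored
    else echo system-events; fi
}

# make_root: build a throwaway rule tree and print its path.
make_root() {
    root=$(mktemp -d) || return 1
    mkdir "$root/violations.d" "$root/violations.ignore.d" "$root/ignore.d.server"
    # Assumed keyword; the post does not say which one fired.
    echo 'failed' > "$root/violations.d/logcheck"
    printf '%s\n' "$RULE" > "$root/ignore.d.server/amavisd-new"
    echo "$root"
}

# add_override ROOT: the fix from the post.
add_override() {
    printf '%s\n' "$RULE" > "$1/violations.ignore.d/logcheck-amavisd-new"
}

ROOT=$(make_root)
echo "ignore.d.server only:     $(classify "$ROOT" "$LINE")"
add_override "$ROOT"
echo "with violations.ignore.d: $(classify "$ROOT" "$LINE")"
rm -rf "$ROOT"
```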