[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: logcheck configuration?


On Thu, Jun 28, 2007 at 01:54:28PM -0700, cls@truffula.sj.ca.us wrote:
> I want to use logcheck but it sends way too much
> trivia, mostly irrelevant postfix messages.
> I've tried adding regexes to
> /etc/logcheck/violations.ignore.d/logcheck-postfix

violations.ignore.d is for items in the "security" section of the
report, so if the lines aren't appearing there then no need.

> and /etc/logcheck//etc/logcheck/ignore.d.server/postfix
> and they match the messages I want to suppress,
> but they come through anyway. 

Are you 100% sure they match?  Have you confirmed this on the
command line with your regexp and egrep?

Are you 100% sure that some unrelated part of the line is not
matching another rule?  e.g. I have a host called "admin" and one of
the "violations" rules says that any line with "admin" in should go
in the potential security violations section.  Thus, all syslog
messages were reported by logcheck

> At this point I want to
> just drop all postfix-related messages.
> How to find the regular expression which causes
> the postfix lines to be *included* in the email barrage?

First verify that your rules really do match, to exclude.  If so
then you can manually use egrep with each file in violations.d and
your maillog to see which one makes them appear.


http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB

Attachment: signature.asc
Description: Digital signature

Reply to: