[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: logcheck

On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> > > I find the documentation of logcheck to confusing.

Me too.  I just spent a lot of time staring at the source and
submitted a patch with much expanded documentation: see bug 215640.

> > You just need to add the pattern you would like to have ignored
> > to the *.ignore files. That's all.
> schamper:/etc/logcheck# grep -r postfix  *
> ignore.d/postfix:postfix
> ignore.d.paranoid/postfix:postfix/pickup\[.*\]: .*: uid=.* from=
> ignore.d.paranoid/postfix:postfix/cleanup\[.*\]: .*: .*message-id=
> ignore.d.paranoid/postfix:postfix/qmgr\[.*\]: .*: from=
> ignore.d.paranoid/postfix:postfix/smtp\[.*\]: .*: to=.*, relay=
> ignore.d.paranoid/postfix:postfix/smtpd\[.*\]: .*: client=
> ignore.d.paranoid/postfix:postfix/smtpd\[.*\]: disconnect from
> ignore.d.paranoid/postfix:postfix/local\[.*\]: .*: to=.*, relay=
> ignore.d.paranoid/postfix:postfix.*alias database.*rebuilt
> ignore.d.paranoid/postfix:postfix.*aliases.*longest
> ignore.d.paranoid/postfix:postfix.*from=
> ignore.d.paranoid/postfix:postfix.*lost input channel
> ignore.d.paranoid/postfix:postfix.*message-id=
> ignore.d.paranoid/postfix:postfix.*putoutmsg
> ignore.d.paranoid/postfix:postfix.*status=
> ignore.d.paranoid/postfix:postfix.*timeout waiting
> ignore.d.server/postfix:postfix
> ignore.d.workstation/postfix:postfix
> As I'm using the server setup (ignore.d links to ignore.d.server) , I should think that

That is not the current setup for logcheck.  The rules are:
always use ignore.d and ignore.d.paranoid
if server, also use ignore.d.server
if workstation also use ignore.d.workstation (+ ignore.d.server + the

Symlinks are not only unnecessary but hazardous, since the program
tends to ignore them.  This might be your problem.

Are you saying the messages are getting flagged despite the above
setttings?  That might also happen if some other patterns in
cracking.d or violations.d are picking them out.  In particular, if
logcheck (the pattern file, not the program) is picking them out, you
need to disable it with logcheck-postfix or a local or local-* file
(logcheck-postfix will only ignore patterns found for the "logcheck"
file, while local* affects everything.

What severity are your error reports, i.e., what is the message before
the section in which they appear?  That indicates whether they are
from a pattern in cracking.d ("Security Alerts"), violations.d
("Security Violations"), or just the residual unrecognized "System

> the entry "postfix" in the file ignore.d.server/postfix would be
> enough...
> I still get logcheck entries from logcheck.
> Any clues?

Reply to: