
Re: logcheck



On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> 
> > > I find the documentation of logcheck too confusing.

Me too.  I just spent a lot of time staring at the source and
submitted a patch with much expanded documentation: see bug 215640.

> > You just need to add the pattern you would like to have ignored
> > to the *.ignore files. That's all.
> 
> schamper:/etc/logcheck# grep -r postfix  *
> ignore.d/postfix:postfix
> ignore.d.paranoid/postfix:postfix/pickup\[.*\]: .*: uid=.* from=
> ignore.d.paranoid/postfix:postfix/cleanup\[.*\]: .*: .*message-id=
> ignore.d.paranoid/postfix:postfix/qmgr\[.*\]: .*: from=
> ignore.d.paranoid/postfix:postfix/smtp\[.*\]: .*: to=.*, relay=
> ignore.d.paranoid/postfix:postfix/smtpd\[.*\]: .*: client=
> ignore.d.paranoid/postfix:postfix/smtpd\[.*\]: disconnect from
> ignore.d.paranoid/postfix:postfix/local\[.*\]: .*: to=.*, relay=
> ignore.d.paranoid/postfix:postfix.*alias database.*rebuilt
> ignore.d.paranoid/postfix:postfix.*aliases.*longest
> ignore.d.paranoid/postfix:postfix.*from=
> ignore.d.paranoid/postfix:postfix.*lost input channel
> ignore.d.paranoid/postfix:postfix.*message-id=
> ignore.d.paranoid/postfix:postfix.*putoutmsg
> ignore.d.paranoid/postfix:postfix.*status=
> ignore.d.paranoid/postfix:postfix.*timeout waiting
> ignore.d.server/postfix:postfix
> ignore.d.workstation/postfix:postfix
> 
> As I'm using the server setup (ignore.d links to ignore.d.server), I should think that

That is not the current setup for logcheck.  The rules are:
always use ignore.d and ignore.d.paranoid
if server, also use ignore.d.server
if workstation, also use ignore.d.workstation (+ ignore.d.server + the
rest)

Symlinks are not only unnecessary but hazardous, since the program
tends to ignore them.  This might be your problem.

Are you saying the messages are getting flagged despite the above
settings?  That might also happen if some other patterns in
cracking.d or violations.d are picking them out.  In particular, if
logcheck (the pattern file, not the program) is picking them out, you
need to disable it with logcheck-postfix or a local or local-* file
(logcheck-postfix will only ignore patterns found for the "logcheck"
file, while local* affects everything).

What severity are your error reports, i.e., what is the message before
the section in which they appear?  That indicates whether they are
from a pattern in cracking.d ("Security Alerts"), violations.d
("Security Violations"), or just the residual unrecognized "System
Events".

> the entry "postfix" in the file ignore.d.server/postfix would be
> enough...
> 
> I still get logcheck entries from logcheck.
> 
> Any clues?
> 
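
Added example, not from the original mail and not logcheck's own script: a small Python model of the rule layering described in the reply above, run over constructed log lines for the host in the quoted grep output. It follows the reply's rules (ignore.d and ignore.d.paranoid always, ignore.d.server for a server, ignore.d.workstation on top for a workstation; cracking.d gives "Security Alerts", violations.d gives "Security Violations", the residue is "System Events"; a logcheck-postfix ignore file only cancels matches from the "logcheck" violations file, while local and local-* cancel matches from every violations file). It assumes the per-file ignores live under a directory named violations.ignore.d, which the mail does not name; the other rule contents, the extra "site" violations file, the sample lines, hostnames and addresses are constructed; and each line is reported once, in the most severe section it qualifies for, which is a simplification of this model rather than a claim about the real script.

```python
import re

# Ignore directories consulted at each level, as stated in the reply.
LEVEL_DIRS = {
    "paranoid": ("ignore.d", "ignore.d.paranoid"),
    "server": ("ignore.d", "ignore.d.paranoid", "ignore.d.server"),
    "workstation": ("ignore.d", "ignore.d.paranoid", "ignore.d.server",
                    "ignore.d.workstation"),
}

# Constructed sample log lines (documentation addresses, made-up pids).
LOG = [
    "Oct 18 23:10:01 schamper postfix/smtpd[1234]: connect from mail.example.org[192.0.2.10]",
    "Oct 18 23:10:02 schamper postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.10]: 554 Relay access denied",
    "Oct 18 23:10:03 schamper postfix/smtpd[1234]: disconnect from mail.example.org[192.0.2.10]",
    "Oct 18 23:11:00 schamper sshd[2345]: Accepted publickey for rudy from 192.0.2.20 port 51234 ssh2",
    "Oct 18 23:12:00 schamper kernel: eth0: Promiscuous mode enabled.",
]

# Constructed rule set keyed by "<directory>/<file>" (egrep-style patterns).
BASE_RULES = {
    "cracking.d/logcheck": [r"Promiscuous mode enabled"],
    "violations.d/logcheck": [r"(?i)denied", r"(?i)refused"],
    "ignore.d.paranoid/postfix": [r"postfix/smtpd\[.*\]: disconnect from"],
    "ignore.d.server/postfix": [r"postfix"],          # the entry Rudy relies on
    "ignore.d.server/sshd": [r"sshd\[.*\]: Accepted publickey"],
}

# Pattern that cancels the reject line; used in the scenarios below.
REJECT_IGNORE = r"postfix/smtpd\[[0-9]+\]: NOQUEUE: reject:"


def _split(path):
    d, _, name = path.rpartition("/")
    return d, name


def _patterns_in(rules, dirname):
    """Compiled patterns of every rule file directly under dirname."""
    return [re.compile(p) for path, pats in rules.items()
            if _split(path)[0] == dirname for p in pats]


def _violation_ignores(rules, rulefile):
    """Ignores applying to matches from violations.d/<rulefile>: the files
    <rulefile> and <rulefile>-* (that rule file only) plus local and local-*
    (every rule file), all under violations.ignore.d (assumed directory)."""
    out = []
    for path, pats in rules.items():
        d, name = _split(path)
        if d != "violations.ignore.d":
            continue
        if (name == rulefile or name.startswith(rulefile + "-")
                or name == "local" or name.startswith("local-")):
            out.extend(re.compile(p) for p in pats)
    return out


def _hit(line, patterns):
    return any(p.search(line) for p in patterns)


def classify(lines, rules, level="server"):
    """Sort lines into the three report sections, most severe first."""
    report = {"Security Alerts": [], "Security Violations": [], "System Events": []}
    cracking = _patterns_in(rules, "cracking.d")
    vfiles = [_split(p)[1] for p in rules if _split(p)[0] == "violations.d"]
    ignores = [pat for d in LEVEL_DIRS[level] for pat in _patterns_in(rules, d)]
    for line in lines:
        if _hit(line, cracking):
            report["Security Alerts"].append(line)
        elif any(_hit(line, [re.compile(p) for p in rules["violations.d/" + f]])
                 and not _hit(line, _violation_ignores(rules, f))
                 for f in vfiles):
            # An ignore.d.* entry such as "postfix" never reaches this stage,
            # which is why the reject line keeps showing up for Rudy.
            report["Security Violations"].append(line)
        elif not _hit(line, ignores):
            report["System Events"].append(line)
    return report


def run(level="server", extra=None):
    """Classify the sample log with BASE_RULES plus optional extra rule files."""
    return classify(LOG, {**BASE_RULES, **(extra or {})}, level)


if __name__ == "__main__":
    for title, extra in [
        ("server, no violations ignore", None),
        ("server, logcheck-postfix", {"violations.ignore.d/logcheck-postfix": [REJECT_IGNORE]}),
        ("server, second violations file, logcheck-postfix only",
         {"violations.d/site": [r"NOQUEUE: reject"],
          "violations.ignore.d/logcheck-postfix": [REJECT_IGNORE]}),
        ("server, second violations file, local-postfix",
         {"violations.d/site": [r"NOQUEUE: reject"],
          "violations.ignore.d/local-postfix": [REJECT_IGNORE]}),
    ]:
        print(title)
        for section, lines in run("server", extra).items():
            print(" ", section, len(lines))
```

With only the ignore.d.server entry "postfix", the reject line is still reported under Security Violations because the violations stage runs before the ignore.d.* stage; a logcheck-postfix file cancels it for matches from the "logcheck" violations file but not from a second file, while a local-postfix file cancels it for both, which is the distinction the reply draws.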