On Sat, Oct 18, 2003 at 03:39:41PM -0700, Ross Boylan wrote:
> On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> > On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> > > > I find the documentation of logcheck too confusing.
> Me too. I just spent a lot of time staring at the source and
> submitted a patch with much expanded documentation: see bug 215640.
I've browsed it, I'll have a look at it asap.
> Are you saying the messages are getting flagged despite the above
> That might also happen if some other patterns in
> cracking.d or violations.d are picking them out. In particular, if
> logcheck (the pattern file, not the program) is picking them out, you
> need to disable it with logcheck-postfix or a local or local-* file
> (logcheck-postfix will only ignore patterns found for the "logcheck"
> file, while local* affects everything).
No entries in cracking.d and no relevant ones in violations.
I now have this:
schamper:/etc/logcheck# grep -r postfix *
Those are the only files that have something about postfix in them.
Every file has postfix.* in it.
> What severity are your error reports, i.e., what is the message before
> the section in which they appear? That indicates whether they are
> from a pattern in cracking.d ("Security Alerts"), violations.d
> ("Security Violations"), or just the residual unrecognized "System
The severity is 'Possible Security Violations': e.g.:
Oct 18 16:21:56 schamper postfix/cleanup: 0C40D5150: reject: header Subject: dont dare to intimate bcos of ur bro too little? oboebefell; from=<email@example.com> to=<firstname.lastname@example.org>: SecuritySage SPAM-ID: h20030701-45001 Your email had spam-like header contents. To report this message as non-spam, please follow the instructions available at http://www.securitysage.com/spam.html
Because I put "postfix.*" in those files, it should discard everything
of postfix, right?
Thanks in advance
Rudy Gevaert rudy@zeus.UGent.be
Web page http://www.webworm.org
Schamper sysadmin http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
Friends may come and go, but enemies accumulate. - Thomas Jones
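
The layering Ross describes above (a logcheck-postfix ignore file only covers hits from the violations.d file named "logcheck", while local* files cover hits from every file), as a small shell model. This is an added example, not part of the thread and not logcheck's own code; the directory name violations.ignore.d, the patterns, and the second rules file "site" are assumptions constructed for illustration.

```shell
#!/bin/sh
# Model of the ignore layering described in the quoted reply; not logcheck's code.

# matches LINE FILE...: true if any existing FILE holds an egrep pattern matching LINE
matches() {
    line=$1; shift
    for f in "$@"; do
        [ -f "$f" ] && printf '%s\n' "$line" | grep -Eq -f "$f" && return 0
    done
    return 1
}

# reported DIR LINE: true if LINE would still be flagged as a violation
reported() {
    dir=$1; msg=$2
    for rules in "$dir"/violations.d/*; do
        matches "$msg" "$rules" || continue
        name=${rules##*/}
        # local and local-* apply to hits from every violations.d file;
        # NAME-* applies only to hits from violations.d/NAME.
        matches "$msg" "$dir"/violations.ignore.d/local \
                       "$dir"/violations.ignore.d/local-* \
                       "$dir"/violations.ignore.d/"$name"-* || return 0
    done
    return 1
}

# demo_tree: build a constructed rule tree in a temp dir and print its path
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/violations.d" "$d/violations.ignore.d"
    echo 'reject'    > "$d/violations.d/logcheck"            # constructed pattern
    echo 'postfix.*' > "$d/violations.ignore.d/logcheck-postfix"
    echo "$d"
}

# Abbreviated from the log line quoted in the message
LINE='Oct 18 16:21:56 schamper postfix/cleanup: 0C40D5150: reject: header Subject: ...: SecuritySage SPAM-ID: h20030701-45001'

tree=$(demo_tree)
show() { if reported "$tree" "$LINE"; then echo "$1: flagged"; else echo "$1: suppressed"; fi; }
show "hit from violations.d/logcheck, logcheck-postfix ignore"
echo 'SPAM-ID' > "$tree/violations.d/site"                   # hypothetical second rules file
show "second hit from violations.d/site"
echo 'postfix.*' > "$tree/violations.ignore.d/local-postfix"
show "after adding local-postfix"
rm -rf "$tree"
```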