[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: logcheck

On Sat, Oct 18, 2003 at 03:39:41PM -0700, Ross Boylan wrote:
> On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> > On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> > 
> > > > I find the documentation of logcheck to confusing.
> Me too.  I just spent a lot of time staring at the source and
> submitted a patch with much expanded documentation: see bug 215640.

I've browsed it, I'll have a look at it asap.

> Are you saying the messages are getting flagged despite the above
> setttings?  


> That might also happen if some other patterns in
> cracking.d or violations.d are picking them out.  In particular, if
> logcheck (the pattern file, not the program) is picking them out, you
> need to disable it with logcheck-postfix or a local or local-* file
> (logcheck-postfix will only ignore patterns found for the "logcheck"
> file, while local* affects everything.

No entries in cracking.d and no relevant ones in violantions.

I now have this:
schamper:/etc/logcheck# grep -r postfix  *

That are the only files that have someting about postfix in them.

Every file has postfix.* in it.

> What severity are your error reports, i.e., what is the message before
> the section in which they appear?  That indicates whether they are
> from a pattern in cracking.d ("Security Alerts"), violations.d
> ("Security Violations"), or just the residual unrecognized "System
> Events".

The severity is 'Possible Security Violations':  e.g.:

Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header Subject: dont dare to intimate bcos of ur bro too little? oboebefell; from=<uvhuxj@cybergate.com> to=<annelies@schamper.rug.ac.be>: SecuritySage SPAM-ID: h20030701-45001 Your email had spam-like header contents. To report this message as non-spam, please follow the instructions available at http://www.securitysage.com/spam.html

Because I put "postfix.*" in those files, it should discard everything
of postfix, right?

Thanks in advance
Rudy Gevaert                rudy@zeus.UGent.be
Web page                    http://www.webworm.org
Schamper sysadmin           http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
Friends may come and go, but enemies accumulate.  - Thomas Jones

Reply to: