Re: logcheck
On Sat, Oct 18, 2003 at 03:39:41PM -0700, Ross Boylan wrote:
> On Sat, Oct 18, 2003 at 11:18:17PM +0200, Rudy Gevaert wrote:
> > On Sat, Oct 18, 2003 at 11:52:15AM +0200, Sven Hoexter wrote:
> >
> > > > I find the documentation of logcheck too confusing.
>
> Me too. I just spent a lot of time staring at the source and
> submitted a patch with much expanded documentation: see bug 215640.
I've browsed it, I'll have a look at it asap.
> Are you saying the messages are getting flagged despite the above
> settings?
Yes.
> That might also happen if some other patterns in
> cracking.d or violations.d are picking them out. In particular, if
> logcheck (the pattern file, not the program) is picking them out, you
> need to disable it with logcheck-postfix or a local or local-* file
> (logcheck-postfix will only ignore patterns found for the "logcheck"
> file, while local* affects everything).
No entries in cracking.d and no relevant ones in violations.
I now have this:
schamper:/etc/logcheck# grep -r postfix *
ignore.d/postfix:postfix.*
ignore.d.paranoid/postfix:postfix.*
ignore.d.server/postfix:postfix.*
ignore.d.workstation/postfix:postfix.*
Those are the only files that have something about postfix in them.
Every file has postfix.* in it.
>
> What severity are your error reports, i.e., what is the message before
> the section in which they appear? That indicates whether they are
> from a pattern in cracking.d ("Security Alerts"), violations.d
> ("Security Violations"), or just the residual unrecognized "System
> Events".
The severity is 'Possible Security Violations': e.g.:
Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header Subject: dont dare to intimate bcos of ur bro too little? oboebefell; from=<uvhuxj@cybergate.com> to=<annelies@schamper.rug.ac.be>: SecuritySage SPAM-ID: h20030701-45001 Your email had spam-like header contents. To report this message as non-spam, please follow the instructions available at http://www.securitysage.com/spam.html
Because I put "postfix.*" in those files, it should discard everything
of postfix, right?
Thanks in advance
--
Rudy Gevaert rudy@zeus.UGent.be
Web page http://www.webworm.org
Schamper sysadmin http://www.schamper.ugent.be
GNU/Linux user and Savannah hacker http://savannah.gnu.org
Friends may come and go, but enemies accumulate. - Thomas Jones
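The distinction Ross draws above between cracking.d, violations.d and the ignore.d directories is easy to see with a small model of logcheck's staged filtering. The script below is an added illustration, not code from the thread or from the logcheck package: it applies pattern sets in logcheck's order (cracking.d, then violations.d filtered by violations.ignore.d, then the residual "System Events" filtered by ignore.d) to a few constructed log lines shaped like the postfix "reject: header" message quoted earlier. The rule contents ("illegal user", "reject", the two ignore patterns) are hypothetical stand-ins chosen for the demonstration, as is the assumption that each line is reported in at most one section; logcheck itself feeds these files to egrep, so the patterns are extended regular expressions, which Python's re module also accepts here.

```python
import re
from copy import deepcopy

# Constructed sample log lines for the demonstration (not the poster's real
# logs). The first one mirrors the shape of the postfix/cleanup
# "reject: header" line discussed in the thread.
SAMPLE_LOG = [
    "Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header "
    "Subject: test; from=<a@example.com> to=<b@example.com>: spam-like header",
    "Oct 18 16:22:01 schamper postfix/smtpd[18580]: connect from mail.example.com[192.0.2.10]",
    "Oct 18 16:22:05 schamper sshd[18590]: Failed password for illegal user test from 192.0.2.20",
    "Oct 18 16:22:10 schamper cron[18600]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Pattern sets keyed like logcheck's rule directories. Hypothetical stand-ins:
# "reject" plays the role of a violations.d keyword, and "postfix.*" is the
# ignore.d entry from the post.
RULES = {
    "cracking.d": [r"illegal user"],
    "cracking.ignore.d": [],
    "violations.d": [r"reject"],
    "violations.ignore.d": [],
    "ignore.d": [r"postfix.*", r"cron\[[0-9]+\]: \(root\) CMD"],
}

# A more specific pattern of the kind that belongs in violations.ignore.d
# (hypothetical; matches the constructed line above).
POSTFIX_HEADER_REJECT = r"postfix/cleanup\[[0-9]+\]: [0-9A-F]+: reject: header"


def _matches(line, patterns):
    """True if any pattern (ERE, as egrep would read it) is found in the line."""
    return any(re.search(p, line) for p in patterns)


def classify(log_lines, rules):
    """Assign each line to one report section, in logcheck's order of precedence.

    Stage 1: cracking.d hits become "Security Alerts" unless cracking.ignore.d
             matches.
    Stage 2: violations.d hits become "Security Violations" unless
             violations.ignore.d matches.
    Stage 3: everything left is a "System Event" unless ignore.d matches.
    ignore.d is consulted only in stage 3, so a line already flagged in stage 2
    is not suppressed by an ignore.d entry such as "postfix.*".
    """
    report = {"Security Alerts": [], "Security Violations": [], "System Events": []}
    for line in log_lines:
        if _matches(line, rules["cracking.d"]):
            if not _matches(line, rules["cracking.ignore.d"]):
                report["Security Alerts"].append(line)
            continue
        if _matches(line, rules["violations.d"]):
            if not _matches(line, rules["violations.ignore.d"]):
                report["Security Violations"].append(line)
            continue
        if not _matches(line, rules["ignore.d"]):
            report["System Events"].append(line)
    return report


def with_violations_ignore(rules, pattern):
    """Return a copy of the rule set with one extra violations.ignore.d entry."""
    new_rules = deepcopy(rules)
    new_rules["violations.ignore.d"].append(pattern)
    return new_rules


if __name__ == "__main__":
    for label, rules in (("ignore.d only", RULES),
                         ("plus violations.ignore.d", with_violations_ignore(RULES, POSTFIX_HEADER_REJECT))):
        print(f"== {label} ==")
        for section, lines in classify(SAMPLE_LOG, rules).items():
            print(f"{section}: {len(lines)} line(s)")
            for line in lines:
                print("   ", line[:70])
```

With the first rule set the postfix "connect from" line is dropped by ignore.d, but the "reject: header" line is still reported under "Security Violations", because "reject" matched in stage 2 and ignore.d is never consulted for it. Adding the specific pattern to violations.ignore.d is what removes it; the sshd line is reported as a "Security Alert" either way.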
- Follow-Ups:
- Re: logcheck
- From: Ross Boylan <RossBoylan@stanfordalumni.org>