
Re: logcheck



On Sun, Oct 19, 2003 at 12:12:01PM +0200, Rudy Gevaert wrote:
> On Sat, Oct 18, 2003 at 03:39:41PM -0700, Ross Boylan wrote:
...
> > That might also happen if some other patterns in
> > cracking.d or violations.d are picking them out.  In particular, if
> > logcheck (the pattern file, not the program) is picking them out, you
> > need to disable it with logcheck-postfix or a local or local-* file
> > (logcheck-postfix will only ignore patterns found for the "logcheck"
> > file, while local* affects everything.)
> 
> No entries in cracking.d and no relevant ones in violations.

Look again.  The message below matches "reject" in
violations.d/logcheck.
It may match other strings as well.

You need an ignore.d/logcheck-postfix file, or local, or local-postfix.

> 
> I now have this:
> schamper:/etc/logcheck# grep -r postfix  *
> ignore.d/postfix:postfix.*
> ignore.d.paranoid/postfix:postfix.*
> ignore.d.server/postfix:postfix.*
> ignore.d.workstation/postfix:postfix.*

Only one of those should be necessary.  ignore.d and ignore.d.paranoid
are always checked; server checks ignore.d.server as well, and
workstation level checks all of them.
> 
> Those are the only files that have something about postfix in them.
> 
> Every file has postfix.* in it.
> 
> > 
> > What severity are your error reports, i.e., what is the message before
> > the section in which they appear?  That indicates whether they are
> > from a pattern in cracking.d ("Security Alerts"), violations.d
> > ("Security Violations"), or just the residual unrecognized "System
> > Events".
> 
> 
> The severity is 'Possible Security Violations':  e.g.:
> 
That means you've matched a pattern in violations.d

> Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header Subject: dont dare to intimate bcos of ur bro too little? oboebefell; from=<uvhuxj@cybergate.com> to=<annelies@schamper.rug.ac.be>: SecuritySage SPAM-ID: h20030701-45001 Your email had spam-like header contents. To report this message as non-spam, please follow the instructions available at http://www.securitysage.com/spam.html
> 
> 
> Because I put "postfix.*" in those files, it should discard everything
> of postfix, right?

Nope.  A postfix file in one of the ignore.d directories has two
effects:
1) It cancels out (ignores) log lines that match violations.d/postfix
2) It ignores lines that would otherwise be treated as "System
Events", i.e., that are not reported by the cracking.d or violations.d
patterns.

Maybe I'll post my extended man page here in a bit.  The rules are
byzantine.

> 
> Thanks in advance



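The rules Ross describes above (a violation raised by violations.d/logcheck is only cancelled by ignore.d/logcheck, ignore.d/logcheck-*, or ignore.d/local*, while ignore.d/postfix only cancels violations.d/postfix and otherwise just drops lines from "System Events") are easier to see when run over a few log lines. The following is an added example written for this page, not code from logcheck or from anyone in the thread: it is a simplified model of the file layout as the message explains it, with the paranoid/server/workstation directory levels collapsed into a single ignore.d, constructed pattern sets, and constructed log lines (only the first is modelled on the reject line quoted above, shortened). The message does not describe any way to cancel a cracking.d match, so this model reports those unconditionally; that is an assumption.

```python
import re
from collections import defaultdict

# Constructed pattern files (assumption: a small stand-in for the real
# cracking.d/ and violations.d/ contents on the box in the thread).
RULES = {
    "cracking.d": {"logcheck": [r"attackalert"]},
    "violations.d": {
        "logcheck": [r"reject"],
        "postfix": [r"postfix/smtpd.*warning"],
    },
}

# Constructed sample log lines, one per case worth seeing.
LOGS = [
    "Oct 18 16:21:56 schamper postfix/cleanup[18573]: 0C40D5150: reject: header Subject: (spam subject)",
    "Oct 18 16:22:01 schamper postfix/smtpd[18580]: warning: 10.0.0.5: address not listed for hostname",
    "Oct 18 16:22:10 schamper postfix/qmgr[18590]: 0C40D5150: removed",
    "Oct 18 16:23:00 schamper sshd[19001]: Accepted publickey for rudy from 10.0.0.7",
    "Oct 18 16:24:00 schamper portsentry[201]: attackalert: Connect from host: 10.0.0.9 to TCP port: 23",
]


def _matches(line, patterns):
    # logcheck feeds its pattern files to egrep: unanchored extended regexes.
    return any(re.search(p, line) for p in patterns)


def _violation_cancelled(line, ignore_d, source_file):
    """Can an ignore.d file cancel a violation raised by violations.d/<source_file>?

    Scoped files (ignore.d/<source_file> and ignore.d/<source_file>-*) only
    cancel violations from that one violations.d file; ignore.d/local and
    ignore.d/local-* cancel violations from every violations.d file.
    """
    for name, patterns in ignore_d.items():
        scoped = name == source_file or name.startswith(source_file + "-")
        global_ = name == "local" or name.startswith("local-")
        if (scoped or global_) and _matches(line, patterns):
            return True
    return False


def classify(line, ignore_d, rules=RULES):
    """Return the report section a line lands in, or None if it is dropped."""
    for patterns in rules["cracking.d"].values():
        if _matches(line, patterns):
            return "Security Alerts"          # assumption: never cancelled
    for name, patterns in rules["violations.d"].items():
        if _matches(line, patterns):
            if _violation_cancelled(line, ignore_d, name):
                return None                   # cancelled by a matching ignore file
            return "Security Violations"
    # Not a violation: any ignore.d file at all keeps it out of System Events.
    for patterns in ignore_d.values():
        if _matches(line, patterns):
            return None
    return "System Events"


def report(ignore_d, logs=LOGS):
    """Group the lines that survive into report sections, like the mail logcheck sends."""
    sections = defaultdict(list)
    for line in logs:
        section = classify(line, ignore_d)
        if section:
            sections[section].append(line)
    return dict(sections)


if __name__ == "__main__":
    # Rudy's setup: postfix.* in ignore.d/postfix. The reject line still shows
    # up, because its violation came from violations.d/logcheck, not violations.d/postfix.
    print(report({"postfix": [r"postfix.*"]}))
    # Ross's fix: a scoped ignore.d/logcheck-postfix cancels just that violation.
    print(report({"postfix": [r"postfix.*"],
                  "logcheck-postfix": [r"postfix/cleanup.*: reject: header"]}))
    # Or ignore.d/local, which cancels everything postfix regardless of source file.
    print(report({"local": [r"postfix.*"]}))
```

Running the three scenarios shows the point of the thread: with only ignore.d/postfix the smtpd warning (a violations.d/postfix match) and the qmgr line (a would-be System Event) are dropped, but the reject line still lands in "Security Violations" because it was raised by violations.d/logcheck; the same postfix.* pattern placed in ignore.d/local, or a narrower pattern in ignore.d/logcheck-postfix, makes it go away. The portsentry line is reported in every scenario.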