On Monday, 10.01.2005 at 17:00 +0000, Dave Ewart wrote: > On Monday, 10.01.2005 at 10:08 -0600, Rodney Richison wrote: > > > >>I guess I need help figuring out how to make logcheck quit reporting > > >>lines like this: > > >> > > >>Jan 10 08:07:25 deblists.rcrnet.net amavisd-new[11923]: (11923-03) > > >>Passed, <bounce-9309147-995167@lists.isp-lists.com> -> > > >><rodney@deblists.rcrnet.net>, Message-ID: > > >><19a9fd1705011006031d85ad89@mail.gmail.com>, Hits: -1.458 > > >> > > >>I don't want to know if something passed. amavis logs to > > >>/var/log/amavis.log and I told logcheck to monitor it, but I'm getting TO > > >>MUCH. I looked at the docs and was still unable to figure it out. > > >> > > >> > > > > > >Add the expression: > > > > > >amavisd-new.*Passed > > > > > >to the appropriate logcheck > > > > > > > > That's part of the problem. While > > http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html says > > add it to this file |/etc/logcheck/ignore.d.reportlevel/local it does > > not exist. However, there is a file in > > ||/etc/logcheck/ignore.d.reportlevel/amavisd-new I just now put this > > in it amavis\[[0-9]+\]: +(\([-0-9]+\) +)?Passed > > > > Sound reasonable? > > I guess so. Does it work? :-) (Off-list Rodney says this doesn't work - please keep replies on list) OK, it doesn't work because that expression won't match the line above. The regexp is looking for amavis followed by a process ID in brackets, you have amavisd-new. Try a simple expression to see if it excludes the messages, such as the one I suggested. Does putting amavisd-new.*Passed into /etc/logcheck/ignore.d.reportlevel/amavisd-new help? Dave. -- Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org All email from me is now digitally signed, key from http://www.sungate.co.uk/ Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
Attachment:
signature.asc
Description: Digital signature