[Logcheck-devel] Rules

maks attems debian at sternwelten.at
Wed Jun 9 11:19:00 UTC 2004


hello michael,

On Wed, 09 Jun 2004, Michael Bakker wrote:

> why does /etc/logcheck/ignore.d.server/oidentd contain rules only for
> connections from localhost? In general ident lookups are made by
> irc-servers (usually !=localhost). I've changed these 2 rules to:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: \[.*\] Successful lookup

please no .* unless it's really needed. i assume a hostname fits
in the above location, so please use [._[:alnum:]-]+ instead.
also your rules are far too generic, please close all your rules
with a '$' at the end.
that does mean to completely match a log line, yes (- trailing space).
 
> I'm using qmail (vpopmail), for which I created a rules file in the
> ignore.d.server directory:
> 
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ vpopmail\[[0-9]+\]: vchkpw: login success|^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [a-z]+\[[0-9]+\]

same goes here.
 
> Feel free to apply any of my changes.

please send us updates and we will merge them,
or you may want to post the "offending" messages
and we will work rules out of them.

anyways thanks for your report.
a++ maks
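
The difference between the posted oidentd rule and one tightened as the reply asks, as an added example that is not part of the original message or of logcheck's shipped rules. The sample log lines are constructed, the text after "Successful lookup" is an assumed format, and the ignore pass is modelled with `grep -E -v`.

```shell
#!/bin/sh
# Added example: a loose ignore rule versus an anchored one.
# Everything below the shared prefix is an assumption made for illustration.

# Prefix shared by both rules, taken from the rules quoted in the thread.
PREFIX='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: '
HOST='[._[:alnum:]-]+'

# Rule as posted: ".*" inside the brackets and no closing "$".
LOOSE_RULE="$PREFIX"'\[.*\] Successful lookup'

# Tightened as requested: hostname class instead of ".*", whole line
# matched up to "$". The tail after "Successful lookup" is an assumed format.
STRICT_RULE="$PREFIX"'\['"$HOST"'\] Successful lookup: [0-9]+ , [0-9]+ : [[:alnum:]_-]+ \([[:alnum:]_-]+\)$'

# Constructed sample lines: one routine lookup and two lines that carry
# text nobody reviewed when the rule was written.
sample_log() {
cat <<'EOF'
Jun  9 11:19:00 host1 oidentd[812]: [irc.example.net] Successful lookup: 40123 , 6667 : alice (alice)
Jun  9 11:19:05 host1 oidentd[812]: [irc.example.net] Successful lookup: 40123 , 6667 : alice (alice) extra unreviewed text
Jun  9 11:19:09 host1 oidentd[812]: [irc.example.net] unexpected text [x] Successful lookup: 1 , 2 : bob (bob)
EOF
}

# Print the lines the rule does NOT ignore, i.e. the ones that would be reported.
reported() {
    sample_log | grep -E -v -e "$1" || true
}

# Number of reported lines for a given rule.
count_reported() {
    reported "$1" | wc -l | tr -d '[:space:]'
}

echo "loose rule reports  $(count_reported "$LOOSE_RULE") of 3 lines"
echo "strict rule reports $(count_reported "$STRICT_RULE") of 3 lines"
echo "lines surfaced only by the strict rule:"
reported "$STRICT_RULE"
```

The loose rule silences all three lines because `.*` can span past the first `]` and nothing constrains the end of the line; the anchored rule ignores only the routine lookup.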
