[Logcheck-users] ignore.d.server rule not working?

Dathi Oxencroft dathi@appello.net
Wed, 20 Apr 2005 06:56:58 +1000



Hi

On Wed, 20 Apr 2005 02:10 am, Jon Foreman wrote:
> I'm running logcheck on Debian and it seems that a rule I have set in
> /etc/logcheck/ignore.d.server/postfix isn't working. When I test the
> rule on /var/log/syslog, I see a match. However, logcheck still sends me
> a report nonetheless.
>
> Are there certain circumstances where rules in ignore.d.server would be
> ignored?

Yes, when it's a security event. They are checked with a different ruleset.

Put your new exception in /etc/logcheck/violations.ignore.d/logcheck-postfix

Cheers,
Dathi

>
> Here is the rule in question:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient
> address rejected: Domain not found \(in reply to RCPT TO command\)\)
>
> Yet I'm still receiving messages from logcheck like so:
>
> Security Events
> =-=-=-=-=-=-=-=
> Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034:
> to=<carol.lakey.hess@stanfordalumni.orgi>,
> orig_to=<carol.lakey.hess@stanfordalumni.orgi.>,
> relay=mta.npr.org[172.16.10.176], delay=56757, status=deferred (host
> mta.npr.org[172.16.10.176] said: 450
> <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected:
> Domain not found (in reply to RCPT TO command))
>
> Here is proof that my rule is matching such entries from
> /var/log/syslog:
>
> prompt: egrep "^\w{3} [ :0-9]{11} [._[:alnum:]-]+
> postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found
> \(in reply to RCPT TO command\)\)" /var/log/syslog | grep carol.lakey |
> grep 08:48
>
> Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034:
> to=<carol.lakey.hess@stanfordalumni.orgi>,
> orig_to=<carol.lakey.hess@stanfordalumni.orgi.>,
> relay=mailtransfer.npr.org[172.16.10.176], delay=56757, status=deferred
> (host mailtransfer.npr.org[172.16.10.176] said: 450
> <carol.lakey.hess@stanfordalumni.orgi>: Recipient address rejected:
> Domain not found (in reply to RCPT TO command))
>
> Here is my logcheck.conf:
>
> # The following variable settings are the initial default values,
> # which can be uncommented and modified to alter logcheck's behaviour
>
> # Controls the format of date-/time-stamps in subject lines:
> # Alternatively, set the format to suit your locale
>
> #DATE="$(date +'%Y-%m-%d %H:%M')"
>
> #
> # Controls the presence of boilerplate at the top of each message:
> # Alternatively, set to "0" to disable the introduction.
> #
> # If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
> # are present their contents will be read and used as the header and
> # footer of any generated mails.
> #
> #INTRO=1
>
> # Controls the level of filtering:
> # Can be Set to "workstation", "server" or "paranoid" for different
> # levels of filtering. Defaults to server if not set.
>
> REPORTLEVEL="server"
>
> # Controls the address mail goes to:
> # *NOTE* the script does not set a default value for this variable!
> # Should be set to an offsite "emailaddress@some.domain.tld"
>
> SENDMAILTO="servermail@npr.org"
>
> # Should the hostname of the generated mails be fully qualified?
> FQDN=1
>
> # Controls whether "sort -u" is used on log entries (which will
> # eliminate duplicates but destroy the original ordering); the
> # default is to use "sort -k 1,3 -s":
> # Alternatively, set to "1" to enable unique sorting
>
> #SORTUNIQ=0
>
> # Controls whether /etc/logcheck/cracking.ignore.d is scanned for
> # exceptions to the rules in /etc/logcheck/cracking.d:
> # Alternatively, set to "1" to enable cracking.ignore support
>
> #SUPPORT_CRACKING_IGNORE=0
>
> # Controls the base directory for rules file location
> # This must be an absolute path
>
> #RULEDIR="/etc/logcheck"
>
> # Controls if syslog-summary is run over each section.
> # Alternatively, set to "1" to enable extra summary.
>
> #SYSLOGSUMMARY=0
>
> # Controls Subject: lines on logcheck reports:
>
> #ATTACKSUBJECT="Attack Alerts"
> #SECURITYSUBJECT="Security Events"
> #EVENTSSUBJECT="System Events"
>
> # Controls [logcheck] prefix on Subject: lines
>
> # ADDTAG="no"
>
> Here is my logcheck.logfiles file:
>
> # these files will be checked by logcheck
> # This has been tuned towards a default syslog install
> /var/log/syslog
> /var/log/auth.log
>
> Thanks,
>
> Jon
>
>
> _______________________________________________
> Logcheck-users mailing list
> Logcheck-users@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/logcheck-users

-- 
o---------------- Dathi E Oxencroft ----- Australia ----------------:)
                MCSA, MCP, CompTIA A+ Network+ Linux+
 If one learns from others but does not think, one will be bewildered
 If one thinks but does not learn from others, one will be in peril
                                                           -Confucius
o--------- PGP key - http://www.appello.net/0x812A4FBB.txt ---------.)
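As an added illustration (not code from this thread or from logcheck itself): a small shell simulation of the point Dathi makes, namely that the Security Events section is built from the violations.d match pass and only violations.ignore.d is applied to it, so a rule sitting in ignore.d.server never sees those lines. It assumes violations.d carries a keyword rule matching "reject" and uses a constructed log line shaped like Jon's in place of his real one.

```shell
#!/bin/sh
# Constructed simulation of logcheck's Security Events pass (not logcheck's own code).
# Assumption: violations.d carries a keyword rule matching "reject", which is what
# pulls the "Recipient address rejected" line into the Security Events section.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: one Postfix deferral shaped like Jon's, plus a benign line.
cat >"$WORK/syslog" <<'EOF'
Apr 19 08:48:44 mercury4 postfix/smtp[9758]: C9F75660034: to=<user@example.invalid>, relay=mta.example.invalid[192.0.2.10], delay=56757, status=deferred (host mta.example.invalid[192.0.2.10] said: 450 <user@example.invalid>: Recipient address rejected: Domain not found (in reply to RCPT TO command))
Apr 19 08:49:01 mercury4 CRON[9801]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Jon's rule from the thread, verbatim (ERE syntax, as logcheck hands its rule files to egrep).
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtp\[[0-9]+\]:.* Recipient address rejected: Domain not found \(in reply to RCPT TO command\)\)'
printf '%s\n' 'reject' >"$WORK/violations.d"   # assumed stock keyword rule

# Emulates the Security Events pass: keep lines matching violations.d, then drop those
# matching the violations.ignore.d file given as $1. Nothing on this path ever reads
# ignore.d.server, so a rule placed there cannot suppress a security event.
security_events() {
    grep -E -f "$WORK/violations.d" "$WORK/syslog" >"$WORK/sec" || true
    if [ -s "$1" ]; then
        grep -E -v -f "$1" "$WORK/sec" || true
    else
        cat "$WORK/sec"
    fi
}

count_lines() { wc -l | tr -d ' '; }

# Case 1 (Jon's setup): the rule lives only in ignore.d.server; violations.ignore.d is empty.
printf '%s\n' "$RULE" >"$WORK/ignore.d.server"
: >"$WORK/violations.ignore.d"
case1=$(security_events "$WORK/violations.ignore.d" | count_lines)

# Case 2 (Dathi's fix): the same rule placed in violations.ignore.d.
printf '%s\n' "$RULE" >"$WORK/violations.ignore.d"
case2=$(security_events "$WORK/violations.ignore.d" | count_lines)

echo "security events reported, rule only in ignore.d.server: $case1"   # 1
echo "security events reported, rule in violations.ignore.d:  $case2"   # 0
```

The real logcheck also strips the matched security lines out before building the System Events section, which is why the rule in ignore.d.server appeared to match under egrep yet had no effect on the report Jon received.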
