[Logcheck-users] [Resolved]Difficulty filtering security event
Aneurin Price
aneurin.price at gmail.com
Wed Sep 12 15:50:29 UTC 2007

Replying to myself for the benefit of anybody coming via Google (as I
found at least a couple of unanswered posts describing the same
issue), a brief - and more to the point - description of the problem:

Some log entries trigger security events matching patterns in
"/etc/logcheck/violations.d/logcheck", and it doesn't seem possible to
ignore them with entries in
"/etc/logcheck/violations.ignore.d/<some-file>".

According to README.logcheck-database,

"The solution is to use a file named in the specially-privileged
./logcheck-<packagename> format:
"/etc/logcheck/violations.ignore.d/logcheck-fooserver".
This can contain patterns provided by that particular package
which nonetheless need to take precedence over the generic rules."

Perplexingly, adding an entry to
"/etc/logcheck/violations.ignore.d/logcheck-postfix" appeared to have
no effect.

However, the document continues with,

"./local or ./local-<packagename>
Sysadmins can use the "local-*" filenames to create their own
additions to the "logcheck-*" pattern lists."

Adding the filter rule to "/etc/violations.ignore.d/local-postfix" did
indeed work as expected.

Thanks,
Aneurin Price
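
An added example, not part of the original post and not logcheck's own code: a dry run that shows which flagged lines a local-postfix ignore rule would leave reported, so a rule that is too broad is caught before it hides real security events. It assumes rule files hold one extended regular expression per line with comment and blank lines skipped; the function names, patterns and log lines are constructed for illustration.

```shell
#!/bin/sh
# Dry run of a violations.ignore.d rule against sample log lines.
# Everything below (patterns, log lines, function names) is constructed.

# clean_rules FILE: drop comment and blank lines.
# A blank pattern would match every line and silently suppress everything.
clean_rules() {
    grep -E -v '^[[:space:]]*(#|$)' "$1" || true
}

# still_reported VIOLATIONS IGNORE LOG:
# print lines that match a violations pattern and are NOT covered by the
# ignore file, i.e. what would still appear under "Security Events".
still_reported() {
    _v=$(mktemp); _i=$(mktemp)
    clean_rules "$1" > "$_v"
    clean_rules "$2" > "$_i"
    grep -E -f "$_v" "$3" | grep -E -v -f "$_i" || true
    rm -f "$_v" "$_i"
}

# make_sample DIR: build a scratch copy of the directory layout from the post.
make_sample() {
    mkdir -p "$1/violations.d" "$1/violations.ignore.d"
    # Constructed generic rule standing in for violations.d/logcheck.
    printf '%s\n' 'reject' > "$1/violations.d/logcheck"
    # Constructed local rule, kept narrow: one daemon, one message shape.
    printf '%s\n' '# local additions for postfix' \
        'postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: .* Relay access denied' \
        > "$1/violations.ignore.d/local-postfix"
    cat > "$1/sample.log" <<'EOF'
Sep 12 15:40:01 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 554 Relay access denied
Sep 12 15:41:13 mail sshd[901]: reject: constructed line that must stay reported
Sep 12 15:42:00 mail postfix/qmgr[77]: ABC123: removed
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Still reported after applying local-postfix:"
still_reported "$demo_dir/violations.d/logcheck" \
    "$demo_dir/violations.ignore.d/local-postfix" "$demo_dir/sample.log"
rm -rf "$demo_dir"
```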