It turned out the rule was fine, however for some reason the file wants to see a CR/LF at the end of the rule, even if it's the only rule.<br><br>Thanks,<br><br>Denis<br><br><div><span class="gmail_quote">On 11/1/07,
<b class="gmail_sendername">Ross Boylan</b> <<a href="mailto:ross@biostat.ucsf.edu">ross@biostat.ucsf.edu</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Thu, 2007-11-01 at 09:53 -0600, Denis Dimick wrote:<br>> I'm a newbie to logcheck and need some help writing a rule.<br>><br>> Here's the output I'm trying to block:<br>><br>> Nov 1 09:11:52 m0n0wall ipmon[79]: 09:11:
52.330133 xl0 @100:3 p<br>> <a href="http://192.168.2.201">192.168.2.201</a>,1900 -> <a href="http://239.255.255.250">239.255.255.250</a>,1900 PR udp len 20 291 K-S IN<br>><br>> And here's my rule in /etc/logcheck/violations.ignore.d/local-m0n0
<br>violations only refers to items caught by the "serious" filters.<br>Probably you should put the file in ignore.d.server or one of the other<br>ignore.d.* directories, depending on what level you think should have
<br>this filtered out.<br>><br>> ^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]:<br>> [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6} xl0 @100:3 p<br>> 0-9]\.[0-9]\.[0-9]\.[0-9],1900 -> [0-9]\.[0-9]\.[0-9]\.[0-9],1900 PR<br>
> udp le9n 20 291 K-S IN$<br>><br>> The rule is on one line in the single file (it's the only rule in the<br>> file)<br>><br>> I've tested it using:<br>><br>> sed -e 's/[[:space:]]*$//' /var/log/syslog | egrep '^\w{3} [ :0-9]{11}
<br>> m0n0wall ipmon\[[0-9]+\]: [0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{6} xl0<br>> @100:3 p 0-9]\.[0-9]\.[0-9]\.[0-9],1900 -><br>> [0-9]\.[0-9]\.[0-9]\.[0-9],1900 PR udp le9n 20 291 K-S IN$'<br>><br>> and it prints out the data I wish to block.
<br><br>> Anyone have any ideas?<br>><br>> Thanks,<br>><br>> Denis<br>><br>> _______________________________________________<br>> Logcheck-users mailing list<br>> <a href="mailto:Logcheck-users@lists.alioth.debian.org">
Logcheck-users@lists.alioth.debian.org</a><br>> <a href="http://lists.alioth.debian.org/mailman/listinfo/logcheck-users">http://lists.alioth.debian.org/mailman/listinfo/logcheck-users</a><br></blockquote></div><br>
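An added example (not from the thread or from logcheck itself) that reproduces the two points above offline: checking a rule file for the trailing newline Denis found was required, and running an ignore rule over sample log lines the way the sed/egrep test does, here with Python's re instead of egrep. The rule is my own rewrite of the quoted regex (the quoted one does not match the quoted line as shown), and the log lines are constructed.

```python
import re

# Constructed sample syslog lines (only the first is the ipmon line quoted
# in the thread). A single-digit day is padded with two spaces by syslog,
# which is what the [ :0-9]{11} stanza expects.
SAMPLE_LOG = """\
Nov  1 09:11:52 m0n0wall ipmon[79]: 09:11:52.330133 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN
Nov  1 09:12:03 m0n0wall ipmon[79]: 09:12:03.000001 xl0 @100:3 p 192.168.2.201,1900 -> 239.255.255.250,1900 PR udp len 20 291 K-S IN
Nov  1 09:13:10 m0n0wall ipmon[79]: 09:13:10.123456 xl0 @200:1 b 10.0.0.5,4444 -> 192.168.2.1,22 PR tcp len 20 60 -S IN
Nov  1 09:14:00 m0n0wall sshd[123]: Failed password for root from 10.0.0.5 port 4444 ssh2
"""

# Hypothetical rewrite of the rule: the regex as quoted in the mail would not
# match the quoted line (a '[' is missing, the octets allow one digit, "le9n").
# It is anchored at both ends and pins the SSDP multicast destination, so it
# cannot swallow other ipmon events.
RULE = (r"^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: "
        r"[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} xl0 @100:3 p "
        r"[0-9]{1,3}(\.[0-9]{1,3}){3},1900 -> 239\.255\.255\.250,1900 "
        r"PR udp len 20 291 K-S IN$")


def rule_file_problems(data):
    """Check the raw bytes of a rule file (e.g. ignore.d.server/local-m0n0) for
    the two things that bite here: a missing trailing newline, and rules that
    are not anchored with ^ ... $ and so can hide unrelated events."""
    problems = []
    if not data.endswith(b"\n"):
        problems.append("no trailing newline")
    for rule in data.decode().splitlines():
        if rule and not (rule.startswith("^") and rule.endswith("$")):
            problems.append("unanchored rule: " + rule)
    return problems


def apply_ignore_rules(rules, log_text):
    """Emulate logcheck's egrep -f filtering: strip trailing whitespace as the
    sed in the thread does, drop lines some rule matches, and return what
    would still be reported."""
    compiled = [re.compile(r) for r in rules]
    return [line.rstrip() for line in log_text.splitlines()
            if not any(c.search(line.rstrip()) for c in compiled)]


if __name__ == "__main__":
    print(rule_file_problems(RULE.encode()))  # rule written without a newline
    for line in apply_ignore_rules([RULE], SAMPLE_LOG):
        print("still reported:", line)
```

Python's re and GNU egrep differ in a few corners (for example `\w` and `{n}` handling), so the final check of a rule still belongs with egrep -f, or with logcheck's own test run.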