Max Zimmermann | 16 Mar 21:08 2008

Problem with rules being 'ignored'

Hey there, sorry to bug you,

I've run into a little problem concerning a logcheck rule I just wrote.

I use logcheck and logcheck-database on Debian Etch. When logcheck
reports me something I don't want it to, I normally write a rule to
match that logentry and put it in a file called my_rules in
/etc/logcheck/ignore.d.server/ ... that worked perfectly fine. Until
that rule:

Logcheck keeps reporting this to me:

Security Events
=-=-=-=-=-=-=-=
Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE:
reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2
<220.231.197.4>: Helo command rejected: need fully-qualified hostname;
from=<lory9@...>
to=<diequeen@...> proto=ESMTP
helo=<220.231.197.4>

So I wrote this rule:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2
[^[:space:]]+: Helo command rejected: need fully-qualified hostname;
from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$

And to test whether it works:

(Continue reading)

Almir Karic | 17 Mar 07:38 2008

Re: Problem with rules being 'ignored'

On Sun, Mar 16, 2008 at 9:08 PM, Max Zimmermann
<maxzimmermann@...> wrote:
> Hey there, sorry to bug you,
>
>  I've run into a little problem concerning a logcheck rule I just wrote.
>
>  I use logcheck and logcheck-database on Debian Etch. When logcheck
>  reports me something I don't want it to, I normally write a rule to
>  match that logentry and put it in a file called my_rules in
>  /etc/logcheck/ignore.d.server/ ... that worked perfectly fine. Until
>  that rule:
>
>  Logcheck keeps reporting this to me:
>
>  Security Events
>  =-=-=-=-=-=-=-=
>  Mar 16 15:45:48 uhweb64206 postfix/smtpd[21799]: NOQUEUE:
>  reject_warning: RCPT from unknown[220.231.197.4]: 504 5.5.2
>  <220.231.197.4>: Helo command rejected: need fully-qualified hostname;
>  from=<lory9@...>
>  to=<diequeen@...> proto=ESMTP
>  helo=<220.231.197.4>
>
>
>  So I wrote this rule:
>
>  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]:
>  NOQUEUE: reject_warning: RCPT from [^[:space:]]+: 504 5.5.2
>  [^[:space:]]+: Helo command rejected: need fully-qualified hostname;
>  from=[^[:space:]]+ to=[^[:space:]]+ proto=ESMTP helo=[^[:space:]]+$
(Continue reading)

Denis Dimick | 19 Mar 23:58 2008

End of search string question

How do I tell LogCheck that I don't care what's in the rest of the search string?

^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@0:3|@100:3) (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR igmp len [0-9]{2} \([0-9]{2}+\) IN$
^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@0:3|@100:3) (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR igmp len [0-9]{2} \([0-9]{2}+\) K-S IN$



As you can see, the only difference between these two statements is the ending: "IN$" versus "K-S IN$".

If I could figure this out I know I could reduce the number of lines in my ignore.d.server/local file.

Thanks,

Denis

_______________________________________________
Logcheck-users mailing list
Logcheck-users@...
http://lists.alioth.debian.org/mailman/listinfo/logcheck-users
Frédéric Brière | 29 Mar 18:42 2008

Re: End of search string question

Denis Dimick <dgdimick@...> wrote:
> How do I tell LogCheck that I don't care what's in the rest of the search
> string?

You could either use ".*" to match anything, or leave off the "$"
end-of-string mark.

> ^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@0:3|@100:3)
> (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR igmp len
> [0-9]{2} \([0-9]{2}+\) K-S IN$
>
> As you can see the only diff with these two statements is the ending "IN$"
> and "K-S IN$"

In this particular case, it would be preferable to simply make the "K-S"
part optional:

 ... \([0-9]{2}+\) (K-S )?IN$

-- 
<maswan> Joy: Lets fork cat! :)
<maswan> Joy: imagine a big pitchfork and a dead kitten on top of
         it.. with blood running down..
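Frédéric's three ways of handling the tail of the line, run against a few constructed m0n0wall ipmon lines with grep -E, the extended-regex dialect logcheck applies to its ignore.d rule files. This is an added example, not code from the thread or from logcheck; the log lines are made up to follow the shape of Denis's rule, and the same harness is how one would check a rule such as the postfix one in Max's post before dropping it into ignore.d.server.

```shell
#!/bin/sh
# Added example (not from the logcheck-users thread): test candidate ignore
# rules with grep -E, the way logcheck itself applies them. All sample lines
# below are constructed for this example; they only imitate ipmon's format.

# Five constructed lines: two plain "IN", one "K-S IN", one from a subnet the
# rule must not cover, and one "OUT" line that no rule here should swallow.
SAMPLE_LOG='Mar 19 22:10:01 m0n0wall ipmon[123]: 22:10:01.123456 xl0 @0:3 b 192.168.2.1 -> 224.0.0.1 PR igmp len 20 (28) IN
Mar 19 22:10:02 m0n0wall ipmon[123]: 22:10:02.654321 xl0 @100:3 p 192.168.2.77 -> 224.0.0.22 PR igmp len 24 (32) K-S IN
Mar 19 22:10:03 m0n0wall ipmon[123]: 22:10:03.000001 xl0 @0:3 b 192.168.2.5 -> 224.0.0.1 PR igmp len 20 (28) IN
Mar 19 22:10:04 m0n0wall ipmon[123]: 22:10:04.111111 xl0 @0:3 b 10.0.0.9 -> 224.0.0.1 PR igmp len 20 (28) IN
Mar 19 22:10:05 m0n0wall ipmon[123]: 22:10:05.222222 xl0 @0:3 b 192.168.2.9 -> 224.0.0.1 PR igmp len 20 (28) OUT'

# Everything up to the "(28)" field, shared by all variants.
PREFIX='^\w{3} [ :0-9]{11} m0n0wall ipmon\[[0-9]+\]: [0-9:]{8}\.[0-9]{6} xl0 (@0:3|@100:3) (b|p) 192\.168\.2\.[0-9]{1,3} -> [0-9.]{7,15} PR igmp len [0-9]{2} \([0-9]{2}\)'

RULE_STRICT="$PREFIX IN\$"          # Denis's first rule: plain "IN" only
RULE_OPTIONAL="$PREFIX (K-S )?IN\$" # Frédéric's preferred fix
RULE_OPEN="$PREFIX"                 # "$" dropped: any tail is accepted
RULE_DOTSTAR="$PREFIX .*\$"         # ".*" before "$": same effect as above

# Prints how many sample lines the rule in $1 matches (0 when none).
count_matches() {
    n=$(printf '%s\n' "$SAMPLE_LOG" | grep -E -c -e "$1") || true
    printf '%s\n' "${n:-0}"
}

# Exit 0 when the single line in $2 matches the rule in $1, 1 otherwise;
# this is the check to run on a real log line before adding a rule.
matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

printf 'strict   (IN$)       : %s of 5 lines\n' "$(count_matches "$RULE_STRICT")"
printf 'optional ((K-S )?IN$): %s of 5 lines\n' "$(count_matches "$RULE_OPTIONAL")"
printf 'no $                 : %s of 5 lines\n' "$(count_matches "$RULE_OPEN")"
printf '.*$                  : %s of 5 lines\n' "$(count_matches "$RULE_DOTSTAR")"
```

The strict rule ignores only the two plain "IN" lines and the optional group picks up the "K-S IN" line as well, which is what Denis wanted. Dropping "$" or appending ".*" also matches the constructed "OUT" line, so anything ipmon appends after the length field would be silenced too; that is why the tighter "(K-S )?IN$" form is the better choice when the set of possible tails is known.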
