
List:       logcheck-devel
Subject:    [Logcheck-devel] Bug#340226: logcheck does not successfully filter
From:       Lia Treffman <ltreffman () optivel ! com>
Date:       2005-11-21 21:57:26
Message-ID: 438242C6.1000900 () optivel ! com

[Attachment #2 (multipart/mixed)]


Package: logcheck
Version: 1.2.39

I am using Linux smtp 2.6.8-2-686-smp and libc6 2.3.2.ds1-22.

I am running logcheck on a server named smtp, and I would like to filter
all lines in /var/log/syslog matching the following expressions:

Nov 21 19:29:13 smtp postfix/policy-spf[1429]: blah blah blah
Nov 21 19:23:01 smtp amavis[31328]: blah blah blah

I have a file called 'noise':

smtp postfix/policy-spf.*$
smtp amavis.*$

When I run 'grep -f noise /var/log/syslog', I get the expected result. 
For convenience, I have attached 'noise' and 'sample_syslog', which is a
sterilized segment of our /var/log/syslog.

I have tried running logcheck with 'noise' in the following directories:
/etc/logcheck/ignore.d -> ignore.d.server
/etc/logcheck/violations.ignore.d
/etc/logcheck/cracking.ignore.d

I have also tried putting the text of 'noise' in the following files:
/etc/logcheck/ignore.d/postfix or amavis (as appropriate)
/etc/logcheck/violations.ignore.d/logcheck-postfix or logcheck-amavis
(as appropriate)

All of the postfix/policy-spf and amavis records appear in the email. I
have also tried it with the '^\w{3} [ :0-9]{11} [._[:alnum:]-]+' lead-in
to the regex and it doesn't make a difference.

There are other regexes in /etc/logcheck/ignore.d files which also do
not filter as they are supposed to.  However, the postfix/policy-spf and
amavis are the most problematic.

Thank you for your time and assistance in this matter.

Sincerely,

Lia M. Treffman

-- 
Lia Treffman Optivel, Inc. 317-275-2304
Network Systems Developer / DBA Sorcerer's Apprentice ltreffman@optivel.com http://www.optivel.com


["logcheck.conf" (text/plain)]

# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale

#DATE="$(date +'%Y-%m-%d %H:%M')"

#
# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#
#INTRO=1

# Controls the level of filtering: 
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"

SENDMAILTO="root"

# Should the hostname of the generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting

#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support

#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path

#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.

#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:

#ATTACKSUBJECT="Attack Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines

# ADDTAG="no"

["sample_syslog" (text/plain)]

Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: client_address=111.111.111.111
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: client_name=mail.blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: helo_name=mail.blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: instance=65e8.4381d718.0
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: protocol_name=ESMTP
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: protocol_state=RCPT
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: queue_id=
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: recipient=blah@blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: request=smtpd_access_policy
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: sender=blah@blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: size=353
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: : testing: stripped sender=blah@blah.com, stripped rcpt=blah@blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: handler testing: DUNNO
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: : SPF pass: smtp_comment=Please see http://spf.pobox.com/why.html?sender=blah%40blah.com&ip==111.111.111.111&receiver=smtp: blah.com MX mail.blah.com A =111.111.111.111, header_comment=smtp: domain of blah@blah.com designates =111.111.111.111 as permitted sender
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: handler sender_permitted_from: DUNNO
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: decided action=DUNNO
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) ESMTP::10024 /var/lib/amavis/amavis-20051121T134300-25110: <blah@blah.com> -> <blah@blah.com>,<archive@smtp.blah.com> Received: SIZE=12730 from smtp.blah.com ([127.0.0.1]) by localhost (smtp.blah.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25110-07; Mon, 21 Nov 2005 14:18:03 +0000 (UTC)
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) Checking: <blah@blah.com> -> <blah@blah.com>,<archive@smtp.blah.com>
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) spam_scan: hits=-2.374 tests=AWL,BAYES_00,HTML_MESSAGE,SPF_PASS
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) FWD via SMTP: [127.0.0.1]:10025 <blah@blah.com> -> <blah@blah.com>,<archive@smtp.blah.com>
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) Passed, <blah@blah.com> -> <blah@blah.com>,<archive@smtp.blah.com>, Message-ID: <OF9F5848CC.FE3635A9-ON052570C0.004E78D1-052570C0.004E85AF@blah.com>, Hits: -2.374
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) TIMING [total 659 ms] - SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%), SMTP pre-DATA-flush: 2 (0%), SMTP DATA: 80 (12%), body hash: 0 (0%), mime_decode: 41 (6%), get-file-type: 17 (3%), get-file-type: 10 (2%), get-file-type: 10 (1%), get-file-type: 10 (2%), get-file-type: 10 (2%), get-file-type: 10 (2%), get-file-type: 11 (2%), decompose_part: 2 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), parts: 0 (0%), AV-scan-1: 13 (2%), SA msg read: 2 (0%), SA parse: 3 (1%), SA check: 375 (57%), fwd-connect: 5 (1%), fwd-mail-from: 1 (0%), fwd-rcpt-to: 2 (0%), write-header: 2 (0%), fwd-data: 1 (0%), fwd-data-end: 43 (6%), fwd-rundown: 1 (0%), unlink-7-files: 4 (1%), rundown: 1 (0%)
Nov 21 14:21:52 smtp postfix/smtpd[26177]: NOQUEUE: filter: RCPT from lyris.blah.com[=111.111.111.111]: <blah@blah.com>: Recipient address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<bounce-oracle-db-l-5903891@groups.blah.com> to=<blah@blah.com> proto=SMTP helo=<blah.com>
Nov 21 14:21:52 smtp postfix/smtpd[26175]: NOQUEUE: filter: RCPT from lyris.blah.com[=111.111.111.111]: <blah@blah.com>: Recipient address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<bounce-oracle-db-l-5903891@groups.blah.com> to=<blah@blah.com> proto=SMTP helo=<blah.com>
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: client_address==111.111.111.111
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: client_name=lyris.blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: helo_name=blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: instance=6641.4381d800.0
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: protocol_name=SMTP
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: protocol_state=RCPT
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: queue_id=
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: recipient=blah@blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: request=smtpd_access_policy
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: sender=bounce-oracle-db-l-5903891@groups.blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: size=0
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: : testing: stripped sender=bounce@groups.blah.com, stripped rcpt=blah@blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: handler testing: DUNNO
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: client_address==111.111.111.111
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: client_name=lyris.blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: helo_name=blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: instance=663f.4381d800.0
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: protocol_name=SMTP
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: protocol_state=RCPT
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: queue_id=
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: recipient=blah@blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: request=smtpd_access_policy
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: sender=bounce-oracle-db-l-5903891@groups.blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: size=0
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: : testing: stripped sender=bounce@groups.blah.com, stripped rcpt=blah@blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: handler testing: DUNNO
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: : SPF none: smtp_comment=SPF: domain of send


["noise" (text/plain)]

smtp amavis.*
smtp postfix/policy-spf.*
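
The following is an added example, not code from the bug report or from the logcheck project. It reproduces in miniature what logcheck does with an ignore-rule file (an extended-regex `grep -v -f` over the log) and adds a per-rule hit count, so that the reporter's two checks (does `grep -f noise` drop the lines? does the anchored `^\w{3} [ :0-9]{11} [._[:alnum:]-]+` form behave the same?) can be run side by side against a small sample. The sample lines are constructed from the attached sample_syslog, the file names under the temporary directory are the script's own, and GNU grep is assumed because the anchored prefix uses `\w` and `[[:alnum:]]`.

```shell
#!/bin/sh
# Added example (not from the bug report or the logcheck project): apply an
# ignore-rule file to a log sample the way logcheck does (grep -E -v -f) and
# report how many lines each rule matches. Assumes GNU grep.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed sample, modelled on the attached sample_syslog (hosts and
# addresses are placeholders, as in the report).
cat > "$TMPD/sample_syslog" <<'EOF'
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: client_name=mail.blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: handler testing: DUNNO
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) Checking: <blah@blah.com> -> <blah@blah.com>
Nov 21 14:21:52 smtp postfix/smtpd[26177]: NOQUEUE: filter: RCPT from lyris.blah.com[111.111.111.111]
EOF

# The unanchored rules exactly as in the report's 'noise' file.
cat > "$TMPD/noise" <<'EOF'
smtp amavis.*
smtp postfix/policy-spf.*
EOF

# The same two rules anchored to the whole line with the timestamp/host
# lead-in the reporter tried; the PID brackets must be escaped in an ERE.
cat > "$TMPD/noise-anchored" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: .*$
EOF

# A rule that looks right but matches nothing: an unescaped [25110] is a
# bracket expression matching a single character, not the literal PID.
cat > "$TMPD/noise-broken" <<'EOF'
smtp amavis[25110]: .*
EOF

# logcheck's ignore step in miniature: print every line that no rule in
# file $1 matches in log $2. Whatever survives is what reaches the mail.
remaining() {
    grep -E -v -f "$1" "$2" || true
}

# Number of lines of log $2 that survive rule file $1.
remaining_count() {
    remaining "$1" "$2" | wc -l | tr -d ' '
}

# Per-rule hit counts for rule file $1 against log $2: "<count><TAB><rule>".
# Zero means the regex itself is wrong; non-zero hits while the same lines
# still reach the report means the rule file is not being picked up.
rule_hits() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        n=$(grep -E -c -e "$rule" "$2" || true)
        printf '%s\t%s\n' "$n" "$rule"
    done < "$1"
}

# Sum of the per-rule hit counts of rule file $1 against log $2.
total_hits() {
    rule_hits "$1" "$2" | awk -F'\t' '{ s += $1 } END { print s + 0 }'
}

echo "--- lines surviving the unanchored rules:"
remaining "$TMPD/noise" "$TMPD/sample_syslog"
echo "--- lines surviving the anchored rules:"
remaining "$TMPD/noise-anchored" "$TMPD/sample_syslog"
echo "--- per-rule hits for the broken rule:"
rule_hits "$TMPD/noise-broken" "$TMPD/sample_syslog"
```

Both rule files leave only the postfix/smtpd line, and each of the two rules matches the lines it is meant to, which mirrors the reporter's observation that `grep -f noise` already gives the expected result. The per-rule count is the useful extra check: when it confirms the regexes match but the same lines still appear in the logcheck mail, the thing to look at is how the rule file is being loaded (its name, location and permissions), not the patterns themselves.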

["signature.asc" (application/pgp-signature)]
