Package: logcheck   
Version: 1.2.39

Hello

I change the rules, but logcheck seems to ignore them.

One example:

REPORTLEVEL="server"

logcheck sends mails containing:

Security Events
=-=-=-=-=-=-=-=
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


I don't want to see those messages (currently).

So I added a new rule to ipopd-ssl:

[20:22:44]machine:/etc/logcheck/ignore.d.server# grep AUTH *
ipopd-ssl:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]
logcheck.dpkg-old:authsrv.*AUTHENTICATE

(BTW: Wouldn't it be better to add an entirely new file?)


If I test the rule file with this:

/etc/logcheck/ignore.d.server# egrep -f ipopd-ssl /var/log/syslog

I get exactly the lines I don't want to see in the logcheck output,
so I assume that rule is OK.

As there is the "magical" word "failure", I have to add that rule to
violations.ignore too, don't I?

[20:23:22]machine:/etc/logcheck/violations.ignore.d# grep AUTH *
logcheck-ipop3:ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]


/etc/logcheck/violations.ignore.d# egrep -f logcheck-ipop3 /var/log/syslog

gives

Jul  9 11:31:21 machine ipop3ds[29588]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]


So I assume the rules are right, or not?

But why are they ignored by logcheck?
Meanwhile I have the feeling that logcheck is using entirely
different rule files than the ones I edit (is the box rootkitted?).
Is there a way to debug logcheck?
"-d" seems to give only hints about the program flow, but it
seems to be only a "one shot", so I can't debug the rules effectively.

Isn't there a tool somewhere (Bayes?) that I can feed the
"unwanted" lines to, so that they are ignored by logcheck in future?
(Like "tiger" does, which only reports changes/new lines.)
Currently the "optimization" of the rule set has taken several weeks(!),
as I have to wait hours to verify the most trivial change.


What's the intended way to debug rule sets?

Why can't the "egrep" trick be used to verify the rules?
(What is logcheck adding to the rules to make them fail?)

How can I verify which rule files logcheck really uses?

Where are the rules used (the files and their contents) logged?

How can I run "logcheck" repeatedly to debug?
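The report asks how to run logcheck repeatedly and how to tell which rule files are really in play. The script below is an added example written for this page, not logcheck's own code: it builds a scratch rule tree and a constructed syslog, then applies the rule directories in the order the logcheck documentation describes (violations.d filtered by violations.ignore.d for the Security Events section; ignore.d.paranoid plus ignore.d.server for the System Events section at REPORTLEVEL="server"), so a rule edit can be checked in seconds rather than after the next cron run. The two regular expressions and the two ipop3ds log lines are the ones quoted above; the `failure` keyword file, the su, CRON and kernel lines, and the `cron` ignore rule are constructed for the demonstration. Two simplifications are assumed: logcheck pairs violations.ignore.d/NAME with violations.d/NAME, which is collapsed here into one pool per directory, and the exact behaviour of the installed version should be confirmed against its own script.

```shell
#!/bin/sh
# Offline harness for logcheck rule layering (constructed example, not logcheck's code).
# Builds a scratch rule tree and a constructed syslog, then applies the rule
# directories in the documented order so a rule edit can be checked immediately.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULEDIR="$WORK/etc-logcheck"   # stand-in for /etc/logcheck
LOG="$WORK/syslog"             # constructed sample log, not a real file
REPORTLEVEL=server             # as in the report above

# Concatenate the usable rule files of one directory into a grep -E -f pattern file.
cleanrules() {   # $1 = rule directory, $2 = output pattern file
    : > "$2"
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # logcheck lists rule files with run-parts --list, which only accepts names
        # made of letters, digits, '-' and '_': a leftover such as logcheck.dpkg-old
        # is never read at all.
        case ${f##*/} in *[!A-Za-z0-9_-]*) continue ;; esac
        # comments and blank lines are dropped before the rules reach grep
        grep -E -v '^[[:space:]]*$|^#' "$f" >> "$2" || true
    done
}

# Security Events: lines matched by violations.d and not matched by violations.ignore.d.
# (Simplification: logcheck pairs violations.ignore.d/NAME with violations.d/NAME;
# here all files of each directory are pooled.)
security_events() {
    cleanrules "$RULEDIR/violations.d" "$WORK/viol.pat"
    cleanrules "$RULEDIR/violations.ignore.d" "$WORK/violign.pat"
    grep -E -f "$WORK/viol.pat" "$LOG" | grep -E -v -f "$WORK/violign.pat" || true
}

# System Events: every line not matched by ignore.d.paranoid .. ignore.d.$REPORTLEVEL.
system_events() {
    : > "$WORK/ign.pat"
    for lvl in paranoid server workstation; do
        cleanrules "$RULEDIR/ignore.d.$lvl" "$WORK/ign.$lvl"
        cat "$WORK/ign.$lvl" >> "$WORK/ign.pat"
        [ "$lvl" = "$REPORTLEVEL" ] && break
    done
    grep -E -v -f "$WORK/ign.pat" "$LOG" || true
}

security_count() { security_events | wc -l | tr -d ' '; }
system_count()   { system_events   | wc -l | tr -d ' '; }
# The egrep check from the report, for a single rule: how many log lines does it hit?
rule_hits()      { grep -E -c -e "$1" "$LOG" || true; }

# Scratch rule tree: the ignore.d.server rule quoted in the report plus constructed extras.
setup_rules() {
    rm -rf "$RULEDIR"
    mkdir -p "$RULEDIR/violations.d" "$RULEDIR/violations.ignore.d" \
             "$RULEDIR/ignore.d.paranoid" "$RULEDIR/ignore.d.server"
    # constructed stand-in for the stock keyword file; "failure" is the word the
    # report identifies as pulling these lines into Security Events
    printf '%s\n' 'failure' > "$RULEDIR/violations.d/logcheck"
    # the ignore.d.server rule from the report (unescaped dots, as posted)
    printf '%s\n' 'ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*.dip0.t-ipconnect.de \[84\.141\..*\]' \
        > "$RULEDIR/ignore.d.server/ipopd-ssl"
    # constructed noise rule
    printf '%s\n' 'CRON\[[0-9]+\]: \(root\) CMD \(' > "$RULEDIR/ignore.d.server/cron"
    # a match-everything leftover; the run-parts naming rule keeps it out of play
    printf '%s\n' '.' > "$RULEDIR/ignore.d.server/logcheck.dpkg-old"
    # constructed log: the two lines from the report plus three unrelated ones
    cat > "$LOG" <<'EOF'
Jul 10 09:11:53 machine ipop3ds[10304]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul  9 14:09:56 machine ipop3ds[4934]: AUTHENTICATE CRAM-MD5 failure host=p548D1585.dip0.t-ipconnect.de [84.141.21.133]
Jul 10 09:13:05 machine su[10322]: pam_unix(su:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/1 ruser=alice rhost=  user=root
Jul 10 09:15:01 machine CRON[10330]: (root) CMD (run-parts /etc/cron.hourly)
Jul 10 09:16:12 machine kernel: eth0: link up
EOF
}

# The violations.ignore.d rule from the report, added as a second step.
add_violations_ignore() {
    printf '%s\n' 'ipop3ds\[.*\]: AUTHENTICATE CRAM-MD5 failure host=p.*\.dip0\.t-ipconnect\.de \[84\.141\..*\]' \
        > "$RULEDIR/violations.ignore.d/logcheck-ipop3"
}

setup_rules
echo "rule hits for the ipop3ds pattern: $(rule_hits 'ipop3ds\[.*\]: AUTHENTICATE')"
echo "== ignore.d.server rule only =="
echo "Security Events ($(security_count)):"; security_events
echo "System Events ($(system_count)):";     system_events
add_violations_ignore
echo "== plus violations.ignore.d/logcheck-ipop3 =="
echo "Security Events ($(security_count)):"; security_events
echo "System Events ($(system_count)):";     system_events
```

Run as-is, the first report shows the two ipop3ds lines gone from System Events but still present under Security Events, because ignore.d.server only feeds the System Events filter in this model; they disappear from Security Events only once the rule also exists under violations.ignore.d. The `logcheck.dpkg-old` file, although it would match every line, changes nothing, which is the kind of "rule file that is silently not used" the report is asking how to detect. The constructed `su` line stays in both sections on purpose: a line can be a security event and a system event at the same time.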

