Re: Logcheck entries
From: Ross Vandegrift (ross@willow.seitz.com) Date: 12/19/01
- Previous message: Patrick Morris: "Re: Logcheck entries"
- In reply to: Stephen E. Hargrove: "Re: Logcheck entries"
- Next in thread: David Chin: "Re: Logcheck entries"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Ross Vandegrift <ross@willow.seitz.com> Date: Wed, 19 Dec 2001 14:44:58 -0500 To: focus-linux@securityfocus.com
> My logcheck.violations.ignore file contains only one line:
>
> stat=Deferred
>
> I can't seem to locate what this means.
It's filtering out sendmail notifications that a mail was deferred.
> However, I have one particular line that continually appears in my
> Security Violations section that I'd love to ignore. Any advice you
> can offer as to the above and what changes I need to make to ignore
> a given violation would be appreciated. (I'm assuming the format
> will be the same as the other .ignore file.)
You just match against syslog output.
Let's say you have a syslog line like:
Jan 3 11:34:57 willow named[236]: rcvd NOTIFY(55.106.207.in-addr.arpa, IN, SOA) from [207.106.55.189].1024
and for some reason logcheck is sending you this line. You almost
certainly don't care that your DNS server is updating its zone
information (since, hey, it's supposed to do that). So the
following line in the proper file will cut it out:
named.*: rcvd NOTIFY\(55.106.207.in-addr.arpa, IN, SOA\) from \[207.106.55.189\].1024
A more general solution that would account for more domains
might look like this:
named.*: rcvd NOTIFY\(.*, IN, SOA\) from \[.*
It's easy to get pretty sophisticated about what you filter and what
you don't.
Ross Vandegrift
ross@willow.seitz.com
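Added example, not part of the original post or of logcheck itself: a small Python re-implementation of what logcheck does with an ignore file, so you can test a candidate pattern against real syslog lines before putting it in logcheck.violations.ignore. It assumes the classic logcheck.sh behaviour of feeding the ignore file to `egrep -i -v -f` (case-insensitive, unanchored extended regexes, one per line). The named line from the post is reused; the other log lines are constructed for this example, with RFC 5737 addresses. Note that `(`, `)` and `[` are regex metacharacters in egrep as well as in Python, so the NOTIFY pattern has to escape them or it will not match the line it is meant to filter (and an unterminated `[` is a syntax error that makes egrep reject the whole file).

```python
import re

# Constructed sample syslog lines for this example. Only the first named line
# is taken from the post above; the others are made up (RFC 5737 addresses).
SAMPLE_LOG = [
    "Jan  3 11:34:57 willow named[236]: rcvd NOTIFY(55.106.207.in-addr.arpa, IN, SOA) from [207.106.55.189].1024",
    "Jan  3 11:35:02 willow named[236]: rcvd NOTIFY(example.com, IN, SOA) from [198.51.100.7].1024",
    "Jan  3 11:36:10 willow sendmail[812]: fB3GaAx00812: to=<bob@example.org>, delay=00:00:05, mailer=esmtp, stat=Deferred: Connection timed out",
    "Jan  3 11:40:13 willow sshd[901]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    "Jan  3 11:41:00 willow named[236]: rcvd NOTIFY(0.113.203.in-addr.arpa, IN, SOA) from [203.0.113.9].53",
]

# Contents of a hypothetical logcheck.violations.ignore: one extended regex per
# line. The regex metacharacters ( ) [ in the NOTIFY line are escaped so they
# match the literal characters in the log.
IGNORE_FILE = r"""
stat=Deferred
named.*: rcvd NOTIFY\(.*, IN, SOA\) from \[.*
"""


def pattern_error(pattern):
    """Return the compile error for a pattern as a string, or None if it is valid."""
    try:
        re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        return str(exc)
    return None


def load_ignore_patterns(text):
    """Parse an ignore file into compiled regexes.

    Mirrors `egrep -i -v -f FILE` as logcheck.sh runs it (assumption, see
    lead-in): blank lines are skipped, matching is case-insensitive and
    unanchored. A pattern that fails to compile raises ValueError naming the
    offending line instead of silently dropping the whole file.
    """
    compiled = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        pat = raw.strip()
        if not pat:
            continue
        err = pattern_error(pat)
        if err is not None:
            raise ValueError(f"ignore file line {lineno}: bad regex {pat!r}: {err}")
        compiled.append(re.compile(pat, re.IGNORECASE))
    return compiled


def matches(pattern, line):
    """True if a single ignore pattern would suppress this log line."""
    return re.search(pattern, line, re.IGNORECASE) is not None


def is_ignored(line, patterns):
    return any(p.search(line) for p in patterns)


def report(lines, patterns):
    """Return the lines logcheck would still report: those no ignore pattern matches."""
    return [line for line in lines if not is_ignored(line, patterns)]


if __name__ == "__main__":
    pats = load_ignore_patterns(IGNORE_FILE)
    for line in report(SAMPLE_LOG, pats):
        print("REPORTED:", line)
```

Run against the sample, only the sshd failed-password line survives; the two NOTIFY variants and the sendmail deferral are suppressed. Python's `re` and POSIX ERE differ in a few corners (e.g. `\d` is not portable to egrep), so keep the patterns to plain literals, `.`, `.*` and escaped metacharacters if the file is going to be consumed by egrep.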