Re: Logcheck entries
From: Don Felgar (dfelgar@rainierinternet.com)
Date: 12/20/01
- Previous message: Zow: "Re: loging user's commands"
- Maybe in reply to: Joshua Hager: "Logcheck entries"
Date: Wed, 19 Dec 2001 17:26:50 -0800
To: focus-linux@securityfocus.com
From: Don Felgar <dfelgar@rainierinternet.com>
On Wed, Dec 19, 2001, Ross Vandegrift wrote:
>
> Let's say you have a syslog line like:
>
> Jan 3 11:34:57 willow named[236]: rcvd NOTIFY(55.106.207.in-addr.arpa, IN, SOA) from [207.106.55.189].1024
>
...
>
> A more general solution that would account for more domains
> might look like this:
>
> named.*: rcvd NOTIFY(.*, IN, SOA) from [.*
>
I think you will need to escape literal ('s and ['s.
In answer to someone else's question, page through
/usr/sbin/logcheck.sh and you'll see that the regex files are passed
directly to grep via the -f switch.
Note that (if memory serves) leaving a blank line in the ignore file
will effectively match everything, causing logcheck to filter all
messages.
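An added example, not part of the original post or of logcheck itself, that runs the three points above (escaping, grep -f, the blank line) through grep the way logcheck.sh hands the ignore file over. It assumes logcheck invokes egrep, i.e. grep -E, so the patterns are extended regexes; the log lines are constructed (only the first copies the quoted message), and the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from logcheck): how an
# ignore file behaves when passed to grep -f.  Assumption: logcheck.sh
# runs egrep, so patterns are extended regexes (grep -E).

# Constructed sample syslog lines; only the first mirrors the quoted message.
LOG='Jan  3 11:34:57 willow named[236]: rcvd NOTIFY(55.106.207.in-addr.arpa, IN, SOA) from [207.106.55.189].1024
Jan  3 11:35:02 willow named[236]: rcvd NOTIFY(example.com, IN, SOA) from [192.0.2.10].1024
Jan  3 11:36:11 willow sshd[412]: Failed password for root from 192.0.2.99 port 4022 ssh2
Jan  3 11:37:45 willow named[236]: rcvd NOTIFY(other.example, IN, A) from [192.0.2.11].1024'

# The pattern as posted, and the same pattern with ( ) [ escaped.
UNESCAPED='named.*: rcvd NOTIFY(.*, IN, SOA) from [.*'
ESCAPED='named.*: rcvd NOTIFY\(.*, IN, SOA\) from \[.*'

# write_ignore FILE PATTERN... : one pattern per line, laid out exactly
# like an ignore file.  An empty argument becomes a blank line.
write_ignore() {
    f=$1; shift
    printf '%s\n' "$@" > "$f"
}

# reported_lines PATTERN... : the lines logcheck would still report,
# i.e. whatever grep -v -f does not discard.
reported_lines() {
    f=$(mktemp "${TMPDIR:-/tmp}/ignore.XXXXXX")
    write_ignore "$f" "$@"
    printf '%s\n' "$LOG" | grep -E -v -f "$f" 2>/dev/null || true
    rm -f "$f"
}

# ignore_status PATTERN... : grep's exit status for the same run.
# 0 = some lines survive, 1 = every line was filtered, 2 = bad pattern.
ignore_status() {
    f=$(mktemp "${TMPDIR:-/tmp}/ignore.XXXXXX")
    write_ignore "$f" "$@"
    if printf '%s\n' "$LOG" | grep -E -v -f "$f" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$f"
    echo "$rc"
}

# reported_count PATTERN... : number of surviving lines.
reported_count() {
    reported_lines "$@" | grep -c . || true
}

# Demonstration when run directly.
echo "unescaped:  grep status $(ignore_status "$UNESCAPED"), $(reported_count "$UNESCAPED") line(s) reported"
echo "escaped:    grep status $(ignore_status "$ESCAPED"), $(reported_count "$ESCAPED") line(s) reported"
echo "blank line: grep status $(ignore_status "$ESCAPED" ""), $(reported_count "$ESCAPED" "") line(s) reported"
echo "--- survivors with the escaped pattern ---"
reported_lines "$ESCAPED"
```

Of the two characters, the unbalanced [ is what makes grep refuse the file outright (exit status 2, so with GNU grep nothing at all gets filtered and every line is reported); egrep accepts an unescaped ( as a group, so that one fails quietly by matching more loosely than intended. The blank line is the opposite failure: grep exits 1 with zero survivors and logcheck has nothing to mail, which is easy to mistake for a quiet day.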