
Re: [cobalt-users] pafalertd and logsentry



> Gerald Waugh wrote:
>
> > On Friday 27 September 2002 17:13, Paul Warner wrote:
> > > > On Friday 27 September 2002 03:03 pm, Michael Gabriel wrote:
> > > > > I'm totally lost here
> > > > > I installed logsentry and killed most of the uninformative lines via
> > > > > the ignore file
> > > > > for some reason I can't find a fitting regex to kill:
> > > > >
> > > > > swatch checking sendmail and imapd
> > > > > sendmail[5525]: NOQUEUE: localhost [127.0.0.1] did not issue
> > > > > MAIL/EXPN/VRFY/ETRN during connection to MTA
> > > > > imapd[6125]: Logout user=??? host=localhost [127.0.0.1]
> > > >
> > > > sendmail.*NOQUEUE.*localhost
> > >
> > > This does not work...I'm guessing (with the very limited docs) that the
> > > .violations file containing EXPN and VRFY is why the filter doesn't
> > > work...anyone know more about the function of the logcheck.violations and
> > > logcheck.violations.ignore files?
> > >

Some more messing with this and here are my humble findings:

Anything in the Security Violations is matching the (duh)
logcheck.violations where the strings above are catching these entries.
Adding the following to the logcheck.violations.ignore removed them:

sendmail.*NOQUEUE.*localhost

Gerald's suggestion *was* working, just on the Unusual Events, not Security
Violations.  Certainly a little documentation on the LogSentry/LogCheck
would go a long way.  The way I understand it, if one or more expressions in
logcheck.violations match AND do NOT match logcheck.violations.ignore then
the entry is included in the mail as a Security Violation.  Independent of
the above, if a line does NOT match logcheck.ignore it is included as an
Unusual Event.

-- Paul (who has had enough regexp for the day!)
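The classification rule Paul describes above, as an added example that is not part of the original thread and not logcheck's own script: a small model of the two filter pairs run over constructed log lines (the two from the thread plus one hypothetical sshd line). It assumes case-insensitive matching and that the pattern files hold one regex per line; the sshd line and the pattern lists are constructed, not taken from any real logcheck install.

```python
import re

# Constructed sample log lines: the two quoted in the thread plus one
# hypothetical sshd entry, so that one real violation survives filtering.
SAMPLE_LOG = [
    "Sep 27 15:03:01 host sendmail[5525]: NOQUEUE: localhost [127.0.0.1] "
    "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA",
    "Sep 27 15:03:02 host imapd[6125]: Logout user=??? host=localhost [127.0.0.1]",
    "Sep 27 15:04:10 host sshd[700]: Failed password for root from 10.0.0.5",
]

# Hypothetical contents of the pattern files, one regex per entry.
VIOLATIONS = ["EXPN", "VRFY", "Failed password"]      # logcheck.violations
VIOLATIONS_IGNORE = ["sendmail.*NOQUEUE.*localhost"]  # logcheck.violations.ignore
IGNORE = ["imapd.*Logout"]                            # logcheck.ignore


def matches_any(line, patterns):
    # Assumption: patterns are applied case-insensitively, like egrep -i.
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)


def classify(lines, violations, violations_ignore, ignore):
    """Return (security_violations, unusual_events) per Paul's description:
    a line is a Security Violation if it matches .violations and does not
    match .violations.ignore; independently, it is an Unusual Event if it
    does not match .ignore (so a line can land in both sections)."""
    security, unusual = [], []
    for line in lines:
        if matches_any(line, violations) and not matches_any(line, violations_ignore):
            security.append(line)
        if not matches_any(line, ignore):
            unusual.append(line)
    return security, unusual


def section_counts(violations_ignore, ignore):
    """Helper for comparing placements of the same regex in different files."""
    security, unusual = classify(SAMPLE_LOG, VIOLATIONS, violations_ignore, ignore)
    return len(security), len(unusual)


if __name__ == "__main__":
    # Same regex in logcheck.ignore only: NOQUEUE line leaves Unusual Events
    # but still shows up as a Security Violation (Gerald's suggestion).
    print(section_counts([], IGNORE + VIOLATIONS_IGNORE))
    # Regex in logcheck.violations.ignore: NOQUEUE line leaves Security Violations.
    print(section_counts(VIOLATIONS_IGNORE, IGNORE))
```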