LinuxQuestions.org

Linux - Software
logcheck not filtering out postfix/policy-spf lines (http://www.linuxquestions.org/questions/linux-software-2/logcheck-not-filtering-out-postfix-policy-spf-lines-434169/)

vrillusions 04-11-2006 02:12 PM

logcheck not filtering out postfix/policy-spf lines
 
I'm really stumped on this. I've set up plenty of other custom rules for logcheck and they are all working fine, but for some reason it will not filter out 'postfix/policy-spf' lines. Even if I add ^.*$ to match everything. Here are some sample lines (I X'd out some of the info):
Code:

Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXX@ktpmail.every1.net)
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXXXX@ktpmail.every1.net)

And the rules I currently have setup:
Code:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from: PREPEND Received-SPF: (none|pass|neutral) \(.*\)( is decisive\.|)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler testing: DUNNO$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF (pass|neutral):.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : testing: stripped sender=.*, stripped rcpt=.*$

I have all my custom rules in /etc/logcheck/ignore.d.server/local and all the other filters work fine. I ran logcheck in debugging mode and didn't see any errors. This is on Debian 3.1 stable. Logcheck is v1.2.39.

I did some searching on Google and there was a bug report on it (keep going to the next in thread to see it) that the person solved by reinstalling logcheck. I tried that, doing both a regular remove and remove --purge, and that didn't fix it. I've even tried simply ^.*postfix/policy-spf.*$ which works if I use egrep, but logcheck doesn't filter them out. Does anyone know how to display all characters in a file (carriage returns, spaces, line breaks, etc.)? Maybe there's some weird line ending or something that logcheck doesn't understand.

vrillusions 04-12-2006 10:33 AM

D'oh, figured it out. Those were showing up in logcheck as security events. So a quick look at the man page revealed that there is a violations.d/ directory. If something matches that list (view the logcheck file and you'll notice it's rather vague) it will show up unless it's filtered in the violations.ignore.d/ directory somewhere. One of the lines in violations.d/logcheck is 'permitted'. Notice how those lines have sender_permitted_from? So logcheck saw the 'permitted' and flagged it as a security log message. So I just copied the rules over to a file called /etc/logcheck/violations.ignore.d/local and it works fine now.
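
The mechanism the two posts run into can be checked without a mail server. The shell script below is an added example, not code from the thread and not logcheck's own code: it emulates just the rule-directory lookup described in the second post (lines matching violations.d/* are reported as security events unless a rule in violations.ignore.d/* matches them; ignore.d.server/* is only consulted for the separate system-events pass) and runs it over constructed log lines in the shape of the ones posted, with host, addresses and sender made up. The two-pattern violations.d file is a made-up stand-in for Debian's violations.d/logcheck (the thread confirms only that the real file contains 'permitted'), the three ignore rules are the poster's own, and the helper names (mk_etc, security_events, system_events and the count_* wrappers) are this example's, not logcheck's. It assumes GNU grep, which the poster's rules already need for \w.

```shell
#!/bin/sh
# Added example, not code from the thread or from logcheck itself.
# Emulates the rule-directory lookup described in the second post:
#   security events = lines matching violations.d/*  minus  violations.ignore.d/*
#   system events   = all lines                      minus  ignore.d.server/*
# Only the directory lookup is modelled; everything else logcheck does is left out.
# Assumes GNU grep (the rules use \w, as the poster's own rules do).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed log lines in the shape of the ones posted (host, addresses and sender made up).
cat > "$WORK/syslog" <<'EOF'
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=see the SPF FAQ, header_comment=rikku.example.net: 192.0.2.15 is neither permitted nor denied by domain of user@example.org
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.example.net: 192.0.2.15 is neither permitted nor denied by domain of user@example.org)
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.example.net: 192.0.2.15 is neither permitted nor denied by domain of user@example.org)
Apr 11 13:17:01 rikku sshd[20011]: Failed password for root from 192.0.2.99 port 40000 ssh2
Apr 11 13:17:05 rikku cron[20015]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Print the lines of $2 that match any pattern in rule directory $1 (nothing if it is empty).
matching() {
    cat "$1"/* 2>/dev/null | grep -v '^$' > "$WORK/pat" || true
    [ -s "$WORK/pat" ] && grep -E -f "$WORK/pat" "$2" || true
}

# Print the lines of $2 that match no pattern in rule directory $1 (all of them if it is empty).
not_matching() {
    cat "$1"/* 2>/dev/null | grep -v '^$' > "$WORK/pat" || true
    if [ -s "$WORK/pat" ]; then grep -v -E -f "$WORK/pat" "$2" || true; else cat "$2"; fi
}

# $1 = logcheck config directory (stand-in for /etc/logcheck).
security_events() {
    matching "$1/violations.d" "$WORK/syslog" > "$WORK/viol"
    not_matching "$1/violations.ignore.d" "$WORK/viol"
}
system_events() { not_matching "$1/ignore.d.server" "$WORK/syslog"; }
count_security_events() { security_events "$1" | wc -l | tr -d ' '; }
count_system_events()   { system_events   "$1" | wc -l | tr -d ' '; }

# Build a config dir: $1 = path, $2 = yes/no, whether the rules also go into violations.ignore.d.
mk_etc() {
    mkdir -p "$1/violations.d" "$1/violations.ignore.d" "$1/ignore.d.server"
    # Made-up two-pattern stand-in for Debian's violations.d/logcheck; the thread
    # confirms only that the real file contains the bare word 'permitted'.
    printf '%s\n' 'permitted' '[Ff]ailed' > "$1/violations.d/logcheck"
    # Three of the poster's own rules, in the place the first post had them.
    cat > "$1/ignore.d.server/local" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF (pass|neutral):.*$
EOF
    # The fix from the second post: the same rules copied to violations.ignore.d/local.
    [ "$2" = yes ] && cp "$1/ignore.d.server/local" "$1/violations.ignore.d/local" || true
}

ETC_BROKEN="$WORK/etc-broken"; mk_etc "$ETC_BROKEN" no
ETC_FIXED="$WORK/etc-fixed";   mk_etc "$ETC_FIXED" yes

for etc in "$ETC_BROKEN" "$ETC_FIXED"; do
    echo "== $(basename "$etc"): $(count_security_events "$etc") security events, $(count_system_events "$etc") system events =="
    security_events "$etc"
done
```

With the rules only in ignore.d.server, the three policy-spf lines survive as security events alongside the sshd failure, which is exactly what the first post saw: that pass never consults ignore.d.*, so neither the specific rules nor the catch-all ^.*$ could have helped there, while the system-events pass (where the poster's other rules live) drops them fine. Copying the rules into violations.ignore.d leaves only the sshd line. Two practical consequences: before writing a rule, run the line through the violations.d patterns with grep -E -f to learn which pass is reporting it, and keep the violations.ignore.d rules as specific as the poster's, since a catch-all there would silence every security event, including the ones the 'permitted' and 'failed' patterns exist to surface.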

