logcheck not filtering out postfix/policy-spf lines

vrillusions · 04-11-2006, 02:12 PM

I'm really stumped on this. I've set up plenty of other custom rules for logcheck and they are all working fine, but for some reason it will not filter out 'postfix/policy-spf' lines. Even if I add ^.*$ to match everything. Here are some sample lines (I Xd out some of the info):

Code:

Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXX@ktpmail.every1.net)
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXXXX@ktpmail.every1.net)

And the rules I currently have setup:

Code:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from: PREPEND Received-SPF: (none|pass|neutral) \(.*\)( is decisive\.|)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler testing: DUNNO$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF (pass|neutral):.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : testing: stripped sender=.*, stripped rcpt=.*$

I have all my custom rules in a /etc/logcheck/ignore.d.server/local and all the other filters work fine. I ran logcheck in debugging mode and didn't see any errors. This on Debian 3.1 stable. Logcheck is v1.2.39.

I did some searching on google and there was a bug report on it (keep going to the next in thread to see it) that the person solved by reinstalling logcheck. I tried that doing both a regular remove and remove --purge and that didn't fix it. I've even tried simply ^.*postfix/policy-spf.*$ which works if I use egrep but logcheck doesn't filter them out. Does anyone know how to display all characters in a file (carriage returns, spaces, line breaks, etc). Maybe there's some weird line ending or something that logcheck doesn't understand

vrillusions · 04-12-2006, 10:33 AM

d'oh figured it out. Those were showing up in logcheck as security events. So a quick look at the man page revealed that there is violations.d/ directory. If something matches that list (view the logcheck file and you'll notice it's rather vague) it will show up unless it's filtered in the violations.ignore.d/ directory somewhere. One of the lines in violations.d/logcheck is 'permitted'. Notice how those lines have sender_permitted_from? So logcheck saw the permitted and flagged it as a security log message. So I just copied the rules over to a file called /etc/logcheck/violations.ignore.d/local and it works fine now.