logcheck not filtering out postfix/policy-spf lines
I'm really stumped on this. I've set up plenty of other custom rules for logcheck and they are all working fine, but for some reason it will not filter out 'postfix/policy-spf' lines, even if I add ^.*$ to match everything. Here are some sample lines (I X'd out some of the info):
Code:
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net

And here is the rule I'm using:

Code:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from:.*$

I did some searching on Google and there was a bug report on it (keep going to the next in thread to see it) that the person solved by reinstalling logcheck. I tried that, doing both a regular remove and remove --purge, and that didn't fix it. I've even tried simply ^.*postfix/policy-spf.*$ which works if I use egrep, but logcheck doesn't filter them out. Does anyone know how to display all characters in a file (carriage returns, spaces, line breaks, etc.)? Maybe there's some weird line ending or something that logcheck doesn't understand.
D'oh, figured it out. Those were showing up in logcheck as security events. So a quick look at the man page revealed that there is a violations.d/ directory. If something matches that list (view the logcheck file and you'll notice it's rather vague) it will show up unless it's filtered in the violations.ignore.d/ directory somewhere. One of the lines in violations.d/logcheck is 'permitted'. Notice how those lines have sender_permitted_from? So logcheck saw the 'permitted' and flagged it as a security log message. So I just copied the rules over to a file called /etc/logcheck/violations.ignore.d/local and it works fine now.
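The behaviour the thread arrives at, as an added example that is not from the thread or from logcheck itself: a simplified Python model of logcheck's rule order, in which a line that matches a violations.d keyword is reported as a security event unless a violations.ignore.d rule matches it, while ignore.d rules only decide whether it shows up under system events. The sample log line, the 'permitted' keyword and the ERE-to-Python translation are constructed here; only the `[:alnum:]` class used by the thread's rule is translated.

```python
import re

# Constructed sample line in the shape of the thread's postfix/policy-spf output
# (addresses replaced with a placeholder).
SAMPLE = ("Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler "
          "sender_permitted_from: SPF neutral: smtp_comment=see example.invalid")

# The rule from the thread, written as logcheck's egrep expects it (POSIX ERE).
SPF_RULE = (r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf"
            r"\[[0-9]+\]: handler sender_permitted_from:.*$")

# The violations.d keyword the thread identified as the culprit.
VIOLATIONS = [r"permitted"]


def ere_to_python(pattern):
    """Translate the POSIX bracket classes logcheck rules use into Python
    syntax. Only [:alnum:] is handled, which is all this page's rule needs."""
    return pattern.replace("[:alnum:]", "a-zA-Z0-9")


def matches_any(line, rules):
    """True if any rule (as logcheck's egrep -f would apply it) hits the line."""
    return any(re.search(ere_to_python(r), line) for r in rules)


def classify(line, ignore_d, violations_d, violations_ignore_d):
    """Return the set of report sections the line would land in.

    Simplified model of logcheck: violations.d is consulted first and only
    violations.ignore.d can suppress that match; ignore.d.* rules never see
    the violation check, which is why the thread's rule in ignore.d did not
    stop the security-event report.
    """
    sections = set()
    if matches_any(line, violations_d) and not matches_any(line, violations_ignore_d):
        sections.add("security events")
    if not matches_any(line, ignore_d):
        sections.add("system events")
    return sections


if __name__ == "__main__":
    # Before: rule only in ignore.d -> still a security event.
    print(classify(SAMPLE, [SPF_RULE], VIOLATIONS, []))
    # After: same rule copied to violations.ignore.d -> fully suppressed.
    print(classify(SAMPLE, [SPF_RULE], VIOLATIONS, [SPF_RULE]))
```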