I'm really stumped on this. I've set up plenty of other custom rules for logcheck and they are all working fine, but for some reason it will not filter out 'postfix/policy-spf' lines. Even if I add ^.*$ to match everything. Here are some sample lines (I Xd out some of the info):
Code:
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXX@ktpmail.every1.net)
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: : SPF neutral: smtp_comment=Please see http://spf.pobox.com/why.html?sender=XXXXXX%40ktpmail.every1.net&ip=67.98.183.15&receiver=rikku.vrillusions.com, header_comment=rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXX@ktpmail.every1.net)
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: handler sender_permitted_from: PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXX@ktpmail.every1.net) is decisive.
Apr 11 13:16:44 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (rikku.vrillusions.com: XXX.XXX.XXX.15 is neither permitted nor denied by domain of XXXXXXXXXX@ktpmail.every1.net)
And the rules I currently have set up:
Code:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from:.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler sender_permitted_from: PREPEND Received-SPF: (none|pass|neutral) \(.*\)( is decisive\.|)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: handler testing: DUNNO$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : SPF (pass|neutral):.*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: : testing: stripped sender=.*, stripped rcpt=.*$
I have all my custom rules in /etc/logcheck/ignore.d.server/local and all the other filters work fine. I ran logcheck in debugging mode and didn't see any errors. This is on Debian 3.1 stable. Logcheck is v1.2.39.
I did some searching on Google and there was a bug report on it (keep going to the next in thread to see it) that the person solved by reinstalling logcheck. I tried that, doing both a regular remove and remove --purge, and that didn't fix it. I've even tried simply ^.*postfix/policy-spf.*$ which works if I use egrep, but logcheck doesn't filter them out. Does anyone know how to display all characters in a file (carriage returns, spaces, line breaks, etc.)? Maybe there's some weird line ending or something that logcheck doesn't understand.
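
The question at the end of the post, as an added example that is not part of the original post: a shell script that lists the log lines a rule file fails to match under grep -E, flags rules that end in whitespace or a carriage return, and prints a file with its hidden characters visible. The function names, the shortened log lines (addresses replaced) and the CRLF-damaged second rule are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print log lines in $2 that no pattern in rule file $1 matches
# (grep -E is egrep; -v inverts; -f reads one pattern per line).
unmatched_lines() {
    grep -E -v -f "$1" "$2"
}

# Print line numbers of rules in $1 that end in a blank, tab or
# carriage return; that character becomes part of the pattern.
rules_with_trailing_space() {
    grep -n -E '[[:space:]]$' "$1" | cut -d: -f1
}

# Show every character of file $1: sed "l" prints CR as \r, tab as \t
# and marks each line end with "$" (long lines are folded with "\").
show_hidden() {
    sed -n l "$1"
}

# Write constructed demo files into directory $1.
make_demo() {
    cat > "$1/sample.log" <<'EOF'
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: handler testing: DUNNO
Apr 11 13:16:42 rikku postfix/policy-spf[19106]: decided action=PREPEND Received-SPF: neutral (mx.example: 192.0.2.15 is neither permitted nor denied by domain of user@example.net)
EOF
    p='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: '
    # Rule 1 is saved cleanly; rule 2 is saved with a CRLF line ending.
    printf '%s%s\n' "$p" \
        'decided action=PREPEND Received-SPF: (none|pass|neutral) \(.*\)$' > "$1/rules"
    printf '%s%s\r\n' "$p" 'handler testing: DUNNO$' >> "$1/rules"
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
echo "Rules ending in whitespace or CR: $(rules_with_trailing_space "$demo_dir/rules")"
echo "Log lines no rule matched:"
unmatched_lines "$demo_dir/rules" "$demo_dir/sample.log"
echo "Rule file with hidden characters shown:"
show_hidden "$demo_dir/rules"
```

In the demo the second rule looks correct in an editor but never matches, because the carriage return after the `$` anchor is treated as part of the pattern.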