Package: logcheck
Version: 1.2.39

I am using Linux smtp 2.6.8-2-686-smp and libc6 2.3.2.ds1-22.

I am running logcheck on a server named smtp, and I would like to filter
all lines in /var/log/syslog matching the following expressions:
Nov 21 19:29:13 smtp postfix/policy-spf[1429]: blah blah blah
Nov 21 19:23:01 smtp amavis[31328]: blah blah blah
I have a file called 'noise':
smtp postfix/policy-spf.*$
smtp amavis.*$
When I run 'grep -f noise /var/log/syslog', I get the expected result.
For convenience, I have attached 'noise' and 'sample_syslog', which is a
sterilized segment of our /var/log/syslog.
I have tried running logcheck with 'noise' in the following directories:
/etc/logcheck/ignore.d -> ignore.d.server
/etc/logcheck/violations.ignore.d
/etc/logcheck/cracking.ignore.d
I have also tried putting the text of 'noise' in the following files:
/etc/logcheck/ignore.d/postfix or amavis (as appropriate)
/etc/logcheck/violations.ignore.d/logcheck-postfix or logcheck-amavis
(as appropriate)
All of the postfix/policy-spf and amavis records appear in the email. I
have also tried it with the '^\w{3} [ :0-9]{11} [._[:alnum:]-]+' lead-in
to the regex and it doesn't make a difference.
There are other regexes in /etc/logcheck/ignore.d files which also do
not filter as they are supposed to. However, the postfix/policy-spf and
amavis are the most problematic.
Thank you for your time and assistance in this matter.
Sincerely,
Lia M. Treffman
--
Lia Treffman Optivel, Inc. 317-275-2304
Network Systems Developer / DBA Sorcerer's Apprentice [EMAIL PROTECTED]
http://www.optivel.com
Attached logcheck configuration:

# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale
#DATE="$(date +'%Y-%m-%d %H:%M')"
#
# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#
#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.
REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "[EMAIL PROTECTED]"
SENDMAILTO="root"

# Should the hostname of the generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting
#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support
#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path
#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:
#ATTACKSUBJECT="Attack Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines
# ADDTAG="no"

Attached 'sample_syslog':

Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: client_address=111.111.111.111
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: client_name=mail.blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: helo_name=mail.blah.com
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: instance=65e8.4381d718.0
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: protocol_name=ESMTP
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: protocol_state=RCPT
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: queue_id=
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: [EMAIL PROTECTED]
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: request=smtpd_access_policy
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: [EMAIL PROTECTED]
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: size=353
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: : testing: stripped [EMAIL PROTECTED], stripped [EMAIL PROTECTED]
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: handler testing: DUNNO
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: : SPF pass: smtp_comment=Please see http://spf.pobox.com/why.html?sender=blah%40blah.com&ip==111.111.111.111&receiver=smtp: blah.com MX mail.blah.com A =111.111.111.111, header_comment=smtp: domain of [EMAIL PROTECTED] designates =111.111.111.111 as permitted sender
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: handler sender_permitted_from: DUNNO
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: decided action=DUNNO
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) ESMTP::10024 /var/lib/amavis/amavis-20051121T134300-25110: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]> Received: SIZE=12730 from smtp.blah.com ([127.0.0.1]) by localhost (smtp.blah.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25110-07; Mon, 21 Nov 2005 14:18:03 +0000 (UTC)
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) Checking: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) spam_scan: hits=-2.374 tests=AWL,BAYES_00,HTML_MESSAGE,SPF_PASS
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) FWD via SMTP: [127.0.0.1]:10025 <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) Passed, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -2.374
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) TIMING [total 659 ms] - SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%), SMTP pre-DATA-flush: 2 (0%), SMTP DATA: 80 (12%), body hash: 0 (0%), mime_decode: 41 (6%), get-file-type: 17 (3%), get-file-type: 10 (2%), get-file-type: 10 (1%), get-file-type: 10 (2%), get-file-type: 10 (2%), get-file-type: 10 (2%), get-file-type: 11 (2%), decompose_part: 2 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), decompose_part: 0 (0%), parts: 0 (0%), AV-scan-1: 13 (2%), SA msg read: 2 (0%), SA parse: 3 (1%), SA check: 375 (57%), fwd-connect: 5 (1%), fwd-mail-from: 1 (0%), fwd-rcpt-to: 2 (0%), write-header: 2 (0%), fwd-data: 1 (0%), fwd-data-end: 43 (6%), fwd-rundown: 1 (0%), unlink-7-files: 4 (1%), rundown: 1 (0%)
Nov 21 14:21:52 smtp postfix/smtpd[26177]: NOQUEUE: filter: RCPT from lyris.blah.com[=111.111.111.111]: <[EMAIL PROTECTED]>: Recipient address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<blah.com>
Nov 21 14:21:52 smtp postfix/smtpd[26175]: NOQUEUE: filter: RCPT from lyris.blah.com[=111.111.111.111]: <[EMAIL PROTECTED]>: Recipient address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=SMTP helo=<blah.com>
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: client_address==111.111.111.111
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: client_name=lyris.blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: helo_name=blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: instance=6641.4381d800.0
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: protocol_name=SMTP
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: protocol_state=RCPT
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: queue_id=
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: [EMAIL PROTECTED]
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: request=smtpd_access_policy
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: [EMAIL PROTECTED]
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: Attribute: size=0
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: : testing: stripped [EMAIL PROTECTED], stripped [EMAIL PROTECTED]
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: handler testing: DUNNO
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: client_address==111.111.111.111
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: client_name=lyris.blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: helo_name=blah.com
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: instance=663f.4381d800.0
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: protocol_name=SMTP
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: protocol_state=RCPT
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: queue_id=
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: [EMAIL PROTECTED]
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: request=smtpd_access_policy
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: [EMAIL PROTECTED]
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: Attribute: size=0
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: : testing: stripped [EMAIL PROTECTED], stripped [EMAIL PROTECTED]
Nov 21 14:21:52 smtp postfix/policy-spf[26182]: handler testing: DUNNO
Nov 21 14:21:52 smtp postfix/policy-spf[26180]: : SPF none: smtp_comment=SPF: domain of send

Attached 'noise':

smtp amavis.*
smtp postfix/policy-spf.*
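The following is an added example, not part of the bug report or of the logcheck package: it replays the reporter's unanchored 'noise' rules and the same rules in the anchored form the Debian ignore.d files use over a constructed log, applying them with the same `grep -E -v -f` form logcheck uses for its ignore files. Both rules files leave the same two unrelated lines for reporting, which reproduces the report's observation that the regexes do filter at grep level; the hostname "smtp", PIDs, addresses and file names in the script are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the bug report: replays logcheck-style ignore
# rules over constructed syslog lines with "grep -E -v -f", the same grep
# form logcheck uses for its ignore.d files, and reports what would still be
# mailed. Hostname "smtp", PIDs and addresses are constructed sample values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log, modelled on the report's sample_syslog.
cat > "$WORK/sample_syslog" <<'EOF'
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: Attribute: protocol_state=RCPT
Nov 21 14:18:03 smtp postfix/policy-spf[26095]: decided action=DUNNO
Nov 21 14:18:03 smtp amavis[25110]: (25110-07) Passed, Hits: -2.374
Nov 21 14:21:52 smtp postfix/smtpd[26177]: NOQUEUE: filter: RCPT from lyris.blah.com
Nov 21 14:22:10 smtp sshd[300]: Failed password for invalid user admin from 192.0.2.5 port 4422 ssh2
EOF

# The reporter's unanchored rules ('noise').
cat > "$WORK/noise" <<'EOF'
smtp postfix/policy-spf.*$
smtp amavis.*$
EOF

# The same rules in the form the Debian ignore.d files use: anchored at the
# start of the line, syslog timestamp and hostname matched explicitly, PID
# bracketed, so the rule cannot match a hostname or message text by accident.
cat > "$WORK/anchored" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/policy-spf\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([0-9]+-[0-9]+\) .*$
EOF

# Lines that no rule in rules file $1 matches are the lines logcheck reports.
unfiltered() {
    grep -E -v -f "$WORK/$1" "$WORK/sample_syslog"
}

# Number of lines left over after applying rules file $1.
unfiltered_count() {
    unfiltered "$1" | wc -l | tr -d ' '
}

for rules in noise anchored; do
    echo "== lines still reported with rules file '$rules' =="
    unfiltered "$rules"
done
```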