this rule works for me:
.*did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$
sample testing script in php:
<?php
// Each sample log line is a single-line string, as it appears in the log.
$strings_to_check = array(
    'should-be-excluded' => 'Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA',
    'shouldnt-be-excluded' => 'Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] do not filter this one',
);
foreach ($strings_to_check as $expectation => $string) {
    $result = 'checking: '.$string.'<br/>';
    // ereg() was removed in PHP 7; preg_match() with "/" delimiters accepts the same pattern.
    if (preg_match('/.*did not issue MAIL\/EXPN\/VRFY\/ETRN during connection to MTA$/', $string, $matches)) {
        // A match is only expected for the line that should be excluded.
        $result .= (!strcmp('should-be-excluded', $expectation)) ? 'OK<br/>' : 'NOT OK<br/>';
    }
    echo $result;
}
?>
On 6/28/06, Neil Stockbridge <[EMAIL PROTECTED]> wrote:
this rule looks like it must match doesn't it?
.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
the only thing i can think of is trailing space (as Hadley already
said), escaping those slashes and maybe some of those spaces are really
tabs even though it seems unlikely.
does logcheck need the regex to match the whole line? does at least:
.*did.*not.*issue.*MAIL.*
work?
- neil
On Wed, 2006-06-28 at 09:17 +1200, Steve Holdoway wrote:
> 'cos it doesn't work!
>
> And I really don't understand why.
>
> Grrr.
>
> On Wed, 28 Jun 2006 08:30:35 +1200
> Carl Cerecke <[EMAIL PROTECTED]> wrote:
>
> > Why not just:
> >
> > .*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
> >
> > Cheers,
> > Carl.
> >
> > On 28/06/06, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> > > To preserve what's left of my sanity, can anyone help me with this logcheck rule? To ignore messages like this,
> > >
> > > Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> > >
> > > I added the following line to /etc/logcheck/ignore.d.server/sendmail:
> > >
> > > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+:.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$
> > >
> > > ...and a couple of hours of variations on the theme. Can anyone point out the glaring error???
> > >
> > > Cheers,
> > >
> > > Steve
> > >
--
Marek Kuziel | http://kuziel.info ([EMAIL PROTECTED])
Encode - Intelligent Web Solutions | http://encode.net.nz ([EMAIL PROTECTED])
phone: + 64 21 1727255 | icq: 139312685 | skype: vshivak
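
Added example, not part of the original thread: a shell check of the two rules quoted above against constructed variants of the log line, covering the trailing-space and tab cases Neil raises. It assumes the rule is evaluated as an extended regular expression the way `grep -E` does; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Constructed test lines, based on the log message quoted in the thread.
LINE='Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA'
OTHER='Jun 28 06:02:18 server sm-mta[7813]: k5RI2I6g007813: 23-52-175-62.user.auna.net [62.175.52.23] do not filter this one'

TAB=$(printf '\t')
TRAILING="$LINE "                                                     # one trailing space
TABBED=$(printf '%s' "$LINE" | sed "s/not issue/not${TAB}issue/")     # a space replaced by a tab

# The two rules as posted in the thread.
SHORT_RULE='.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$'
# Note: \w is a GNU grep extension, not part of POSIX ERE.
FULL_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (sendmail|sm-(mta|msp|que))\[[0-9]+\]: [[:alnum:]]+:.*did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$'

# rule_matches RULE TEXT: exit status 0 when the extended regex matches the text.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -e "$1"
}

# verdict RULE TEXT: prints "ignored" when the rule matches, "reported" otherwise.
verdict() {
    if rule_matches "$1" "$2"; then
        echo ignored
    else
        echo reported
    fi
}

# Print one row per test line so a failing variant is easy to spot.
for name in LINE TRAILING TABBED OTHER; do
    eval "text=\$$name"
    printf '%-9s short=%s full=%s\n' "$name" \
        "$(verdict "$SHORT_RULE" "$text")" "$(verdict "$FULL_RULE" "$text")"
done
```

A line that prints `reported` for `TRAILING` or `TABBED` but `ignored` for `LINE` points at whitespace in the real log entry rather than at the rule itself.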