On Thu, Jul 06, 2006 at 11:02:25AM +0200, martin f krafft wrote:
> Okay, this confuses the hell out of me:
>
> [System Events]
> Jul 6 10:48:23 seamus dovecot: pop3-login: Login: user=<[EMAIL
> PROTECTED]>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS
>
> and here's the filter in ignore.d.server:
>
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login:
> user=<[EMAIL PROTECTED]:alnum:]]+>,
> method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5),
> rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$
>
> Also:
>
> seamus:~> echo "Jul 6 10:48:23 seamus dovecot: pop3-login: Login:
> user=<[EMAIL PROTECTED]>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82,
> TLS" | egrep -c "^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot:
> (pop3|imap)-login: Login: user=<[EMAIL PROTECTED]:alnum:]]+>,
> method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5),
> rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$"
>
> 1
indeed rule seems good.
> Yet, for every POP3 (or IMAP) login, I get a logcheck mail. What's
> going on?
did you check that the permissions of your rule file is ok?
does it get sourced when you run logcheck in debug mode.
--
maks
_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel