On Thu, Jul 06, 2006 at 11:02:25AM +0200, martin f krafft wrote:
> Okay, this confuses the hell out of me:
> 
>   [System Events]
>   Jul  6 10:48:23 seamus dovecot: pop3-login: Login: user=<[EMAIL 
> PROTECTED]>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, TLS
> 
> and here's the filter in ignore.d.server:
> 
>   ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: 
> user=<[EMAIL PROTECTED]:alnum:]]+>, 
> method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), 
> rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$
> 
> Also:
> 
> seamus:~> echo "Jul  6 10:48:23 seamus dovecot: pop3-login: Login: 
> user=<[EMAIL PROTECTED]>, method=PLAIN, rip=84.72.30.149, lip=213.203.238.82, 
> TLS" | egrep -c "^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: 
> (pop3|imap)-login: Login: user=<[EMAIL PROTECTED]:alnum:]]+>, 
> method=(PLAIN|plain|LOGIN|login|(CRAM|DIGEST)-MD5|(cram|digest)-md5), 
> rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+(, TLS)?$"                            
>               
> 1
indeed rule seems good.
 
> Yet, for every POP3 (or IMAP) login, I get a logcheck mail. What's
> going on?

did you check that the permissions of your rule file is ok?
does it get sourced when you run logcheck in debug mode.

-- 
maks

_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel

Reply via email to