On Tue, Dec 09, 2008 at 10:36:51AM +0100, Gerfried Fuchs wrote:
...
> ignore.d.server rules won't filter out security events. I guess it's
> matched as such because of the contained /failure/ in the line. I'm not
> completely sure if this should be filtered out, but a matching rule for
> that has to live below violations.ignore.d - and there is the
> logcheck-smartd file in there which as far as I can see should match
...

ah, I see

> > so the patterns in /etc.../smartd do match and logcheck run should end up
> > with no such lines.
>
> Can you egrep -v -f /etc/logcheck/ignore.d.server/smartd instead and

you mean violations.ignore.d/logcheck-smartd ?

but I see the problem: the regex is

  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd...

which is fine for stock sysklogd, but socklog's format is eg

/var/log/socklog/main/current
  auth.info: Dec 9 02:39:01 CRON[31998]: (pam_unix) session closed for user root

and /var/log/socklog-klog/main/current
  2008-12-03_16:50:42.17649 kern.warn: ide: failed opcode was: unknown
  ...
  2008-12-08_17:44:58.45722 kern.warn: nfsd: unexporting all filesystems
  [and a nice broken logline eg]
  2008-12-08_17:47:19.33831 nterface driver usbfs
  2008-12-08_17:47:19.43500 kern.info: usbcore: registered new interface driver hub
  ...

so regex should be changed to

  \w{3} [ :0-9]{11} ([._[:alnum:]-]+ )?smartd...

to match (also) socklog/*/* lines, while for socklog-klog the regex could be

  kern\.[a-z]+:

While I did change patterns in ignore.d.server/*, I overlooked those in
violations.ignore.d/* :-}

Changing those as well I get 0 output from:

# grep Prefail /var/log/socklog/main/current |\
# egrep -v -f /etc/logcheck/violations.ignore.d/logcheck-smartd

so that'd work.

thanks
-- 
paolo

GPG/PGP id:0x3A47DE45 - B5F9 AAA0 44BD 2B63 81E0 971F C6C0 0B87 3A47 DE45
- 9/11: the outrageous deception & coverup: http://journalof911studies.com -

_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
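The mismatch paolo describes, as an added example that is not part of the thread or of logcheck itself: the shipped smartd prefix regex and the relaxed one are run the way logcheck runs its rules (egrep -v -f) over constructed sysklogd and socklog lines. The smartd message text and the host name are invented, and GNU grep is assumed since the rules use \w.

```shell
#!/bin/sh
# Added example (not from the thread): run the smartd rule as logcheck does,
# "egrep -v -f <rule file>", against constructed lines in sysklogd and
# socklog format. Assumes GNU grep, whose \w the logcheck rules rely on.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sysklogd lines: "Mon dd hh:mm:ss host prog[pid]: msg".
cat > "$WORK/sysklogd.log" <<'EOF'
Dec  9 02:39:01 myhost smartd[1234]: Device: /dev/sda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
Dec  9 02:39:01 myhost CRON[31998]: (pam_unix) session closed for user root
EOF

# Constructed socklog lines: facility.priority prefix, no hostname field.
cat > "$WORK/socklog.log" <<'EOF'
daemon.info: Dec  9 02:39:01 smartd[1234]: Device: /dev/sda, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
auth.info: Dec  9 02:39:01 CRON[31998]: (pam_unix) session closed for user root
EOF

# Rule files, one regex each. The thread elides everything after "smartd",
# so the patterns stop there and only test the line prefix.
# Original: anchored at ^, hostname field mandatory.
printf '%s\n' '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ smartd' > "$WORK/smartd.orig"
# Relaxed: no anchor, hostname field optional.
printf '%s\n' '\w{3} [ :0-9]{11} ([._[:alnum:]-]+ )?smartd' > "$WORK/smartd.new"

# Number of lines in log $2 that rule file $1 does NOT filter out, i.e. what
# logcheck would still report.
unfiltered() {
    grep -E -v -f "$1" "$2" | wc -l | tr -d ' '
}

for fmt in sysklogd socklog; do
    printf '%s: original rule leaves %s line(s), relaxed rule leaves %s\n' \
        "$fmt" "$(unfiltered "$WORK/smartd.orig" "$WORK/$fmt.log")" \
        "$(unfiltered "$WORK/smartd.new" "$WORK/$fmt.log")"
done
# Expected: sysklogd 1/1 (only the CRON line is left), socklog 2/1 (the
# original rule misses the socklog smartd line, the relaxed one catches it).
```

The CRON line survives both rules in both formats, which is the check that the relaxed pattern has not started swallowing unrelated lines.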