Hi!
I'm starting with OSSEC on a FreeBSD 6.2 machine,
but when OSSEC starts, it sends mail every minute about logs in maillog,
because MAIA+AMAVIS make very extensive logs,
which then match rules 1002 and 1003.
In rule 1003 I fixed it with a big maxsize, but I don't think this is a good
idea.
<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>
<rule id="1003" level="13" maxsize="20856">
  <description>Non standard syslog message (size too large).</description>
</rule>
How can I fix this problem?
Create a new rule?
Does a rule for this already exist?
Does anybody have such a rule, or this same problem?
Received From: capitao->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Dec 14 08:16:28 capitao amavis[80589]: (80589-10) Maia: [read_system_config]
Bad header checking is ENABLED
Received From: capitao->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Dec 14 08:16:04 capitao amavis[80635]: (80635-10) extra modules loaded:
/usr/local/etc/mail/spamassassin/FuzzyOcr.pm,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/autosplit.ix,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_any2n.al,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_n2dx.al,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_aton.al,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_n2d.al,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/autosplit.ix,
Crypt/Blowfish.pm, Crypt/CBC.pm, Error.pm, Mail/SPF.pm, Mail/SPF/Base.pm,
Mail/SPF/Exception.pm, Mail/SPF/MacroString.pm, Mail/SPF/Mech.pm,
Mail/SPF/Mech/A.pm, Mail/SPF/Mech/All.pm, Mail/SPF/Mech/Exists.pm,
Mail/SPF/Mech/IP4.pm, Mail/SPF/Mech/IP6.pm, Mail/SPF/Mech/Include.pm,
Mail/SPF/Mech/MX.pm, Mail/SPF/Mech/PTR.pm, Mail/SPF/Mod.pm,
Mail/SPF/Mod/Exp.pm, Mail/SPF/Mod/Redirect.pm, Mail/SPF/Record.pm,
Mail/SPF/Request.pm, Mail/SPF/Result....
Complete log:
mavis[80841]: (80841-08) extra modules loaded:
/usr/local/etc/mail/spamassassin/FuzzyOcr.pm,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/autosplit.ix,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/inet_any2n.al,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/Util/ipv6_aton.al,
/usr/local/lib/perl5/site_perl/5.8.8/mach/auto/NetAddr/IP/autosplit.ix,
Error.pm, Mail/SPF.pm, Mail/SPF/Base.pm, Mail/SPF/Exception.pm,
Mail/SPF/MacroString.pm, Mail/SPF/Record.pm, Mail/SPF/Request.pm,
Mail/SPF/Result.pm, Mail/SPF/Server.pm, Mail/SPF/Util.pm,
Mail/SpamAssassin/Locales.pm, Mail/SpamAssassin/Plugin/Bayes.pm,
Mail/SpamAssassin/Plugin/BodyEval.pm, Mail/SpamAssassin/Plugin/Check.pm,
Mail/SpamAssassin/Plugin/DNSEval.pm, Mail/SpamAssassin/Plugin/HTMLEval.pm,
Mail/SpamAssassin/Plugin/HTTPSMismatch.pm,
Mail/SpamAssassin/Plugin/HeaderEval.pm,
Mail/SpamAssassin/Plugin/ImageInfo.pm, Mail/SpamAssassin/Plugin/MIMEEval.pm,
Mail/SpamAssassin/Plugin/RelayEva...
Dec 14 08:16:20 amavis[80841]: (80841-08) ...l.pm,
Mail/SpamAssassin/Plugin/URIDetail.pm, Mail/SpamAssassin/Plugin/URIEval.pm,
Mail/SpamAssassin/Plugin/VBounce.pm, Mail/SpamAssassin/Plugin/WLBLEval.pm,
NetAddr/IP.pm, NetAddr/IP/Lite.pm, NetAddr/IP/Util.pm,
NetAddr/IP/Util_IS.pm, String/Approx.pm, unicore/lib/gc_sc/Word.pl,
version.pm, version/vxs.pm
And many other small logs for amavis.
Thanks, and sorry for my bad English, I'm learning :D
--
Kivanio Pereira Barbosa
Cel 8121-4248
www.eiqconsultoria.com.br
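
An added example, not part of the original message or of the stock OSSEC rule set: child rules for local_rules.xml that silence only the two amavis messages quoted above under rule 1002, plus oversized amavis lines under rule 1003, while both parent rules keep alerting for every other program. The rule ids 100100-100102 are arbitrary picks from the local range, and the example assumes these lines are pre-decoded with the program name amavis, as the quoted alerts suggest.

```xml
<!-- local_rules.xml (added example; ids 100100-100102 are assumptions) -->
<group name="local,syslog,">

  <!-- Startup banner quoted in the first alert. It is a configuration
       notice that happens to contain a word from $BAD_WORDS. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <program_name>^amavis</program_name>
    <match>Bad header checking is ENABLED</match>
    <description>amavis/Maia configuration banner, not an error.</description>
  </rule>

  <!-- Module inventory quoted in the second alert. The list includes
       file names such as Error.pm, which is enough to match rule 1002. -->
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <program_name>^amavis</program_name>
    <match>extra modules loaded:</match>
    <description>amavis module inventory, not an error.</description>
  </rule>

  <!-- Oversized lines: ignore them for amavis only, so rule 1003 can
       keep a small maxsize and still flag long lines from other sources. -->
  <rule id="100102" level="0">
    <if_sid>1003</if_sid>
    <program_name>^amavis</program_name>
    <description>Long amavis log line.</description>
  </rule>

</group>
```

Matching on the exact message text rather than on the program name alone means any other amavis line that hits $BAD_WORDS still raises rule 1002.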