gilgongo@gmail.com, *nix forums beginner
Joined: 21 Jun 2006
Posts: 3
Posted: Wed Jun 21, 2006 7:04 pm
Post subject: Logcheck ignore regexp?
Hi - I'm running logcheck 1.2.39 under Debian Sarge. I'm also running a
utility called "breakinguard" which stops bruteforce attacks. Both work
fine, but what I can't get logcheck to do is ignore lines in the logs
as follows:

Security Alerts
=-=-=-=-=-=-=-=
Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued attack??] 216.167.222.115
Jun 21 06:14:07 edith breakinguard[24154]: already blocked [continued attack??] 216.167.222.115
Jun 21 06:14:15 edith breakinguard[24196]: already blocked [continued attack??] 216.167.222.115

Some days, I get literally hundreds of these lines. Does anyone know
how I can get logcheck to ignore them?

It would also be nice to know whether logcheck's incredible complexity
when it comes to this sort of thing is something that people think is a
good thing or not. I have to say it must rank right up there with
sendmail.cf and mod_rewrite as one of the hardest things I've ever had
to deal with in close to 18 years of *NIX admin. It deserves some kind
of "obscurity prize."
Stachu 'Dozzie' K., *nix forums Guru Wannabe
Joined: 30 Mar 2005
Posts: 250
Posted: Wed Jun 21, 2006 7:17 pm
Post subject: Re: Logcheck ignore regexp?
On 21.06.2006, gilgongo@gmail.com <gilgongo@gmail.com> wrote:
> Hi - I'm running logcheck 1.2.39 under Debian Sarge. I'm also running a
> utility called "breakinguard" which stops bruteforce attacks. Both work
> fine, but what I can't get logcheck to do is ignore lines in the logs
> as follows:
> Security Alerts
> =-=-=-=-=-=-=-=
> Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued attack??] 216.167.222.115
> Jun 21 06:14:07 edith breakinguard[24154]: already blocked [continued attack??] 216.167.222.115
> Jun 21 06:14:15 edith breakinguard[24196]: already blocked [continued attack??] 216.167.222.115
> Some days, I get literally hundreds of these lines. Does anyone know
> how I can get logcheck to ignore them?

Add appropriate regexp to
/etc/logcheck.d/ignore.d.${your_report_level}/breakinguard.adm file
(".adm" for distinguishing your rules and rules from logcheck package).

> It would also be nice to know whether logcheck's incredible complexity
> when it comes to this sort of thing is something that people think is a
> good thing or not.

Complexity? The only complexity I see is ERE syntax, which has nothing
to do with logcheck itself.

> I have to say it must rank right up there with
> sendmail.cf and mod_rewrite as one of the hardest things I've ever had
> to deal with in close to 18 years of *NIX admin. It deserves some kind
> of "obscurity prize."

Why? Usage of logcheck is pretty simple (usage of mod_rewrite is
simple too, at least since two years). Maybe it's time to learn shell
scripting and look into logcheck's internals?

--
Feel free to correct my English
Stanislaw Klekot
gilgongo@gmail.com, *nix forums beginner
Joined: 21 Jun 2006
Posts: 3
Posted: Wed Jun 21, 2006 9:41 pm
Post subject: Re: Logcheck ignore regexp?
Stachu 'Dozzie' K. wrote:
> On 21.06.2006, gilgongo@gmail.com <gilgongo@gmail.com> wrote:
> > Hi - I'm running logcheck 1.2.39 under Debian Sarge. I'm also running a
> > utility called "breakinguard" which stops bruteforce attacks. Both work
> > fine, but what I can't get logcheck to do is ignore lines in the logs
> > as follows:
> > Security Alerts
> > =-=-=-=-=-=-=-=
> > Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued attack??] 216.167.222.115
> > Jun 21 06:14:07 edith breakinguard[24154]: already blocked [continued attack??] 216.167.222.115
> > Jun 21 06:14:15 edith breakinguard[24196]: already blocked [continued attack??] 216.167.222.115
> > Some days, I get literally hundreds of these lines. Does anyone know
> > how I can get logcheck to ignore them?
>
> Add appropriate regexp to
> /etc/logcheck.d/ignore.d.${your_report_level}/breakinguard.adm file
> (".adm" for distinguishing your rules and rules from logcheck package).

Thanks, but that's what I've done, and that is why I'm posting here.
The rule has no effect on the lines I quoted above. However, it *does*
work for other lines (also produced by breakinguard) that I want to
ignore.

So, I assume it may be something to do with the word "attack" in the
line that is overriding the ignore rule. Yet despite reading the man
files, adding rules to violations.ignore.d, and other things, nothing
works and logcheck still catches these lines.

<snip>

> Maybe it's time to learn shell
> scripting and look into logcheck's internals?

I'll ignore that flamebait and say instead that I know more about shell
scripting than you might suppose.
GDunn, *nix forums beginner
Joined: 21 Jun 2006
Posts: 6
Posted: Wed Jun 21, 2006 10:42 pm
Post subject: Re: Logcheck ignore regexp?
In news:1150926072.996758.103710@y41g2000cwy.googlegroups.com,
gilgongo@gmail.com <gilgongo@gmail.com> wrote:
> > > Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued attack??] 216.167.222.115
> > > ....
> > Add appropriate regexp to
> > /etc/logcheck.d/ignore.d.${your_report_level}/breakinguard.adm file
> > (".adm" for distinguishing your rules and rules from logcheck package).
>
> Thanks, but that's what I've done, and that is why I'm posting here.
> The rule has no effect on the lines I quoted above. However, it *does*
> work for other lines (also produced by breakinguard) that I want to
> ignore.
> So, I assume it may be something to do with the word "attack" in the
> line that is overriding the ignore rule.

The problem then lies with the regexp that you're using. If you posted it,
someone will surely see the correction that needs to be made, but we're not
mindreaders.
gilgongo@gmail.com, *nix forums beginner
Joined: 21 Jun 2006
Posts: 3
Posted: Thu Jun 22, 2006 9:16 pm
Post subject: Re: Logcheck ignore regexp?
GDunn wrote:
> > > Add appropriate regexp to
> > > /etc/logcheck.d/ignore.d.${your_report_level}/breakinguard.adm file
> > > (".adm" for distinguishing your rules and rules from logcheck package).
> >
> > Thanks, but that's what I've done, and that is why I'm posting here.
> > The rule has no effect on the lines I quoted above. However, it *does*
> > work for other lines (also produced by breakinguard) that I want to
> > ignore.
> > So, I assume it may be something to do with the word "attack" in the
> > line that is overriding the ignore rule.
>
> The problem then lies with the regexp that you're using. If you posted it,
> someone will surely see the correction that needs to be made, but we're not
> mindreaders.

Thanks for your help - I've tried the following:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ breakinguard\[[0-9]+\]: already blocked \[continued attack\?\?\] [:[:alnum:].]+ \([:[:alnum:].]+\)$

and just this:

already blocked \[continued attack\?\?\]

and finally this:

already blocked [continued attack??]
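Added example, not posted by anyone in this thread: the script below replays logcheck's filtering step (essentially "grep -E -v -f rulefile" over the log) against the three log lines from the first post, once for each of the three rules tried above and once for a corrected anchored rule, and prints how many lines each rule leaves unfiltered. Only the second rule removes the lines: the first one's trailing "\(...\)$" demands a parenthesised hostname that these lines never carry, and in the third the unescaped "[continued attack??]" is a bracket expression matching a single character, so it never matches the literal "[" in the log.

```shell
#!/bin/sh
# Added example (not from the thread): replay logcheck's filtering step,
# grep -E -v -f <rulefile>, against the posted lines for each candidate rule.

SAMPLE=$(mktemp)
# Constructed copy of the three log lines quoted in the original post.
cat >"$SAMPLE" <<'EOF'
Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued attack??] 216.167.222.115
Jun 21 06:14:07 edith breakinguard[24154]: already blocked [continued attack??] 216.167.222.115
Jun 21 06:14:15 edith breakinguard[24196]: already blocked [continued attack??] 216.167.222.115
EOF

# survivors RULE: put RULE in a one-line rule file, filter the sample with it
# the way logcheck does, and print how many lines survive (= get reported).
survivors() {
    rulefile=$(mktemp)
    printf '%s\n' "$1" >"$rulefile"
    grep -E -v -f "$rulefile" "$SAMPLE" | wc -l | tr -d ' '
    rm -f "$rulefile"
}

# 1. The poster's full anchored rule: its tail "\(...\)$" requires a
#    parenthesised hostname after the IP, which these lines lack -> no match.
ANCHORED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ breakinguard\[[0-9]+\]: already blocked \[continued attack\?\?\] [:[:alnum:].]+ \([:[:alnum:].]+\)$'

# 2. The short escaped rule: an unanchored substring match, removes all three.
ESCAPED='already blocked \[continued attack\?\?\]'

# 3. The unescaped rule: "[continued attack??]" is a bracket expression that
#    matches ONE character from the set, so the literal "[" never matches.
UNESCAPED='already blocked [continued attack??]'

# 4. The anchored rule with the bogus tail replaced by the bare IP: matches.
FIXED='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ breakinguard\[[0-9]+\]: already blocked \[continued attack\?\?\] [0-9.]+$'

printf 'anchored  : %s line(s) left unfiltered\n' "$(survivors "$ANCHORED")"
printf 'escaped   : %s line(s) left unfiltered\n' "$(survivors "$ESCAPED")"
printf 'unescaped : %s line(s) left unfiltered\n' "$(survivors "$UNESCAPED")"
printf 'fixed     : %s line(s) left unfiltered\n' "$(survivors "$FIXED")"
```

A matching rule still only silences these lines if it lives in the right place: they are reported under "Security Alerts" because a violations.d pattern (the word "attack") flagged them, and logcheck subtracts only violations.ignore.d rules from that section, from a file whose name begins with the name of the violations.d file that matched (for example logcheck-breakinguard next to violations.d/logcheck); check the README shipped with your logcheck version for the exact naming rule.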
Bill Marcum, *nix forums Guru
Joined: 28 Mar 2005
Posts: 1264
Posted: Sun Jun 25, 2006 12:11 am
Post subject: Re: Logcheck ignore regexp?
On 22 Jun 2006 14:16:21 -0700, gilgongo@gmail.com
<gilgongo@gmail.com> wrote:
> GDunn wrote:
> > > > Add appropriate regexp to
> > > > /etc/logcheck.d/ignore.d.${your_report_level}/breakinguard.adm file
> > > > (".adm" for distinguishing your rules and rules from logcheck package).
> > >
> > > Thanks, but that's what I've done, and that is why I'm posting here.
> > > The rule has no effect on the lines I quoted above. However, it *does*
> > > work for other lines (also produced by breakinguard) that I want to
> > > ignore.
> > > So, I assume it may be something to do with the word "attack" in the
> > > line that is overriding the ignore rule.

Perhaps you need to put the rule in violations.ignore.d or even
cracking.ignore.d.

--
GREAT MOMENTS IN AMERICAN HISTORY (#17):
On November 13, Felix Unger was asked to remove himself from his place
of residence.