sean finney on 15 Jan 2007 16:13:21 -0000



Re: [PLUG] syslog-ng config question, to ignore entries in mail.log


On Mon, 2007-01-15 at 10:50 -0500, Mike Leone wrote:
> Never got an answer to this, so I thought I'd try again. Anyone know of a
> way I can do this?

okay, okay, i'll bite :)

> Mike Leone (turgon@mike-leone.com) had this to say on 01/10/07 at 12:53: 
> > At work i use a Postfix mail server, running on Debian testing, to screen my
> > Exchange 2003 server. Postfix, in its zeal to log everything, shows me all
> > log entries for when it rejects mail for mis-addressed users. And I get
> > 10-12K+ messages a day, from spammers/viruses/bots, all addressed to random
> > addresses at my domain. Needless to say, this makes my mail logs huge and
> > unwieldy. I'd like to syslog-ng to just ignore them and not log these
> > multitudes of entries. I've tried reading through the documentation for
> > syslog-ng, and I'm still lost.

personally, i take the "log all and selectively notify" approach, so my
preferred modus operandi would be to let syslog-ng log it, but modify
the logcheck/whatever rules to ignore the messages.  it'd really suck in
the hypothetical situation that your box was rooted and a potentially
informative message was silently discarded (not that i've ever been
rooted via postfix but as a general rule).

however, if you do want to strip it from syslog, you should create a new
filter using the program(foo)/match(foo) directives in conjunction with
the boolean not directive with your current filter.  if your current
filter directive is "myfilter" then you could do something like:

filter postfixjunk { program("postfix/smtpd") and match("foo"); };

and then define a combined filter and replace the filter(myfilter) in
your log stanza with filter(myfilter_clean):

filter myfilter_clean { filter(myfilter) and not filter(postfixjunk); };

keep in mind that this means executing a regex match on every syslog
entry that hits this filter, which could be potentially expensive if you
do a lot of logging.  in that case, you might want to prepend a few more
cheap conditions (facility/priority) before the expensive ones.


	sean
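A fuller version of the stanzas above, as an added example that is not part of Sean's post: it puts the cheap facility/level checks ahead of the regex, and routes the rejects to a separate file instead of discarding them, so the "log all" approach and the tidy mail.log coexist. It assumes a source named s_all already exists, and that the Postfix reject line contains "Recipient address rejected"; both are assumptions, not taken from the thread.

```conf
# Added example, not from the original post.  Assumes a source named
# s_all is already defined and that the Postfix reject line contains
# "Recipient address rejected"; adjust the pattern to your own logs.

# Cheap checks (facility/level/program) first, the regex last, so the
# match() only runs on mail.info lines that came from postfix/smtpd.
filter f_mail { facility(mail); };
filter f_postfixjunk {
    facility(mail) and level(info)
    and program("postfix/smtpd")
    and match("Recipient address rejected");
};

# Everything the original mail filter selected, minus the junk.
filter f_mail_clean { filter(f_mail) and not filter(f_postfixjunk); };

destination d_mail    { file("/var/log/mail.log"); };
destination d_rejects { file("/var/log/mail.rejects.log"); };

# The normal mail log, without the thousands of reject lines.
log { source(s_all); filter(f_mail_clean); destination(d_mail); };

# The rejects are kept in their own file rather than dropped: logcheck
# can ignore that file, while the evidence is still there if a box is
# ever compromised and the reject traffic turns out to matter.
log { source(s_all); filter(f_postfixjunk); destination(d_rejects); };
```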


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug