Mike Leone on 18 Jan 2007 16:17:53 -0000



Re: [PLUG] Need some help with a regex for a logcheck rule ..


John Von Essen (john@essenz.com) had this to say on 01/18/07 at 11:00: 
> Is this perl -type regex?

Beats me. :-) It's logcheck v 1.1.9.1, on Debian testing ...

> Looks like you need to add an * on the end, and 
> escape your forward slash. 

Hmmm ... the other examples in the "violations.ignore" lists don't escape
the forward slashes, but OK.

> The beginning looks a little overly complex, I would do:
> 
> /^.*cliff-claven postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from.*$/
> 

Thanks; I'll give it a shot.

> 
> -John
> 
> On Thu, 18 Jan 2007, Mike Leone wrote:
> 
> >So I get lots and lots of messages in my mail log at work, like this:
> >
> >-----------------------------------------------------------------------
> >Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT
> >from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1
> ><vivrusse@contributionship.com>: Recipient address rejected: Access denied;
> >from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP
> >helo=<radiant.net>
> >
> >Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT
> >from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>:
> >Recipient address rejected: Access denied; from=<nats@kali.it>
> >to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>
> >-----------------------------------------------------------------------
> >
> >These are all email attempts to non-existent users, probably sent from
> >virus-infected machines or spammers. So many, in fact, that I can't find anything
> >else in the log easily. So I'd like to tell logcheck to ignore any of these
> >messages that have "Recipient address rejected: Access denied;" in them.
> >
> >But my regex knowledge is ... let's charitably call it almost non-existent.
> >:-) From samples, I've come up with something that I think will partially
> >work.
> >
> >^\w{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from.$
> >
> >This will ignore ALL "NOQUEUE: reject:" messages in my mail log, I think.
> >Yes?
> >
> >I guess I should just be ignoring the "Recipient address rejected: Access
> >denied;" ones. But I don't know how to phrase that.
> >
> >Can anybody lend a hand?
> >
> >Thanks
> >
> >___________________________________________________________________________
> >Philadelphia Linux Users Group         --        http://www.phillylinux.org
> >Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> >General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> >
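As an added example, not code from the thread or from logcheck itself: the script below builds a few constructed Postfix log lines (the two quoted above, plus three invented ones using RFC 5737 test addresses), runs both a blanket "ignore every NOQUEUE reject" rule and a rule narrowed to the "Recipient address rejected: Access denied;" case through the same grep -E -v -f invocation logcheck uses, and reports which lines each rule would hide. Two things to check before dropping a rule into violations.ignore.d: the host and daemon names must be spelled exactly as the log has them (smptd for smtpd, or clavin for claven, makes a rule that silently matches nothing), and logcheck rules are bare egrep patterns, so the surrounding slashes of a Perl-style /.../ are taken literally and the forward slash in postfix/smtpd needs no escaping. The helper names filter_log and count_reported are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: run logcheck-style ignore rules over
# constructed Postfix log lines. logcheck applies each rule file with
# "grep -E -v -f <rules>", so a rule is a POSIX ERE (egrep) pattern, one per
# line, with no surrounding slashes and no need to escape "/". Host and
# daemon names must be spelled exactly as the log has them ("cliff-claven",
# "smtpd"); a rule with a typo in either silently matches nothing.

# Constructed sample log. The first two lines mirror the ones quoted in the
# thread; the other three are invented (RFC 5737 addresses) to show what a
# narrow rule must NOT hide: a relay attempt, a failed SASL login, a connect.
SAMPLE_LOG='Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1 <vivrusse@contributionship.com>: Recipient address rejected: Access denied; from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP helo=<radiant.net>
Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>: Recipient address rejected: Access denied; from=<nats@kali.it> to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>
Jan 18 07:03:40 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<example.net>
Jan 18 07:05:01 cliff-claven postfix/smtpd[15446]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
Jan 18 07:06:13 cliff-claven postfix/smtpd[15446]: connect from mail.example.org[192.0.2.10]'

# Blanket rule, in the spirit of the thread's first attempt: every NOQUEUE
# reject from smtpd. "[[:alpha:]]{3}" stands in for logcheck's "\w{3}", which
# is a GNU grep extension rather than POSIX ERE.
RULE_BROAD='^[[:alpha:]]{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from .*$'

# Narrow rule: same prefix, but it spells out the one rejection reason the
# thread wants to drop and constrains the variable fields (client, addresses,
# helo) instead of using ".*", so a different 554 reason such as
# "Relay access denied" still reaches the report.
RULE_NARROW='^[[:alpha:]]{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [^ ]+\[[0-9.]+\]: 554 5\.7\.1 <[^>]+>: Recipient address rejected: Access denied; from=<[^>]*> to=<[^>]+> proto=E?SMTP helo=<[^>]+>$'

# filter_log RULE: print what logcheck would still report after RULE, i.e.
# the lines "grep -E -v -f" leaves behind (grep exits 1 when nothing is left).
filter_log() {
    rules=$(mktemp)
    printf '%s\n' "$1" > "$rules"
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$rules" || true
    rm -f "$rules"
}

# count_reported RULE: how many sample lines survive RULE.
count_reported() {
    filter_log "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the report each rule would leave. The broad rule
# also swallows the relay attempt; the narrow one keeps it.
echo "== broad rule leaves $(count_reported "$RULE_BROAD") line(s) =="
filter_log "$RULE_BROAD"
echo "== narrow rule leaves $(count_reported "$RULE_NARROW") line(s) =="
filter_log "$RULE_NARROW"
```

To generalise the narrow rule to every host, replace cliff-claven with a class such as [._[:alnum:]-]+; keep the rest anchored, since a rule ending in ".*$" after "RCPT from" is what turns a spam filter into a blind spot for relay and policy rejections.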