Mike Leone on 18 Jan 2007 16:27:09 -0000
John Von Essen (john@essenz.com) had this to say on 01/18/07 at 11:00:
> Is this Perl-type regex? Looks like you need to add an * on the end, and
> escape your forward slash. The beginning looks a little overly complex, I
> would do:
>
> /^.*cliff-clavin postfix\/smptd\[[0-9]+\]: NOQUEUE: reject: RCPT from.*$/
>

Unfortunately, it seems a bit too extreme - it's ignoring ALL the NOQUEUE: reject: messages (such as domain not found, indicating a problem on an outgoing email). Those I'd want to see.

I only want to ignore the "Recipient address rejected: Access denied;" NOQUEUE: reject: messages.

So I need to refine a bit. How do I tack on the "Recipient addresses rejected" bit, to this regex?

> -John
>
> On Thu, 18 Jan 2007, Mike Leone wrote:
>
> >So I get lots and lots of messages in my mail log at work, like this:
> >
> >-----------------------------------------------------------------------
> >Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT
> >from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1
> ><vivrusse@contributionship.com>: Recipient address rejected: Access denied;
> >from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP
> >helo=<radiant.net>
> >
> >Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT
> >from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>:
> >Recipient address rejected: Access denied; from=<nats@kali.it>
> >to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>
> >-----------------------------------------------------------------------
> >
> >These are all email attempts to non-existent users, probably sent from
> >virus infected machines or spammers. So many, in fact, that I can't find
> >anything else in the log easily. So I'd like to tell logcheck to ignore any
> >of these messages that have "Recipient address rejected: Access denied;" in
> >them.
> >
> >But my regex knowledge is ... let's charitably call it almost non-existent.
> >:-) From samples, I've come up with something that I think will partially
> >work.
> >
> >^\w{3} [ :0-9]{11} cliff-clavin postfix/smptd\[[0-9]+\]: NOQUEUE: reject: RCPT from.$
> >
> >This will ignore ALL "NOQUEUE: reject:" messages in my mail log, I think.
> >Yes?
> >
> >I guess I should just be ignoring the "Recipient address rejected: Access
> >denied;" ones. But I don't know how to phrase that.
> >
> >Can anybody lend a hand?
> >
> >Thanks

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
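
An added example, not part of the thread: one way to check a candidate ignore rule offline before giving it to logcheck, using `grep -E` because logcheck applies its rules as egrep-style extended regexes. The rule text, function names and third log line are constructed for illustration; the hostname and daemon are spelled as they appear in the sample log lines (`cliff-claven`, `postfix/smtpd`).

```shell
#!/bin/sh
# Added example: test logcheck ignore rules against sample lines with grep -E.

# Narrow rule: only "Recipient address rejected: Access denied;" rejections.
# Anchored at both ends and pinned to the smtpd reject format, so other
# NOQUEUE rejections (different code or reason) are still reported.
NARROW='^[[:alpha:]]{3} [ :0-9]{11} cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from [^ ]+: 554 5\.7\.1 <[^>]*>: Recipient address rejected: Access denied; from=<[^>]*> to=<[^>]*> proto=E?SMTP helo=<.*>$'

# Broad rule suggested in the thread (same spelling): every NOQUEUE reject.
BROAD='^.*cliff-claven postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: RCPT from.*$'

# Lines 1-2 are the post's samples, unwrapped; line 3 is constructed.
sample_log() {
cat <<'EOF'
Jan 18 07:02:09 cliff-claven postfix/smtpd[15446]: NOQUEUE: reject: RCPT from 215.red-62-57-11.user.auna.net[62.57.11.215]: 554 5.7.1 <vivrusse@contributionship.com>: Recipient address rejected: Access denied; from=<aatamykni@radiant.net> to=<vivrusse@contributionship.com> proto=SMTP helo=<radiant.net>
Jan 18 07:02:12 cliff-claven postfix/smtpd[15425]: NOQUEUE: reject: RCPT from unknown[124.29.216.170]: 554 5.7.1 <cuevasmac@contributionship.com>: Recipient address rejected: Access denied; from=<nats@kali.it> to=<cuevasmac@contributionship.com> proto=SMTP helo=<kali.it>
Jan 18 07:05:41 cliff-claven postfix/smtpd[15502]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.25]: 450 4.1.8 <user@nonexistent.invalid>: Sender address rejected: Domain not found; from=<user@nonexistent.invalid> to=<someone@contributionship.com> proto=ESMTP helo=<mail.example.net>
EOF
}

# Print the lines that would still be reported under ignore rule $1.
reported() {
    sample_log | grep -Ev -- "$1" || true
}

# Count the lines that would still be reported under ignore rule $1.
reported_count() {
    sample_log | grep -Evc -- "$1" || true
}

echo "Still reported with the narrow rule:"
reported "$NARROW"
echo "Lines still reported with the broad rule: $(reported_count "$BROAD")"
```

With the narrow rule only the "Domain not found" rejection is still reported; the broad rule hides it along with the two "Access denied" lines.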