> -----Original Message-----
> From: Fisher, Jason [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 3:20 PM
> To: debian-user@lists.debian.org
> Subject: Logcheck amavisd-new and do_executable/do_unzip
>
> Hi all. I run a server that receives email using exim4 which in turn hands email off to amavisd-new for virus-scanning and spam-checking. I run logcheck which sends email highlighting specific entries from my various logs. Logcheck has a series of files named after each program which tell the logcheck program which messages to ignore. My problem is that I can't get logcheck to ignore amavisd-new's error messages about do_executable/do_unzip failing. It seems I don't understand the syntax correctly. Here is what I have tried in order to get the messages at the bottom excluded:
>
> amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable/do_unzip
>
> And
>
> amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable\/do_unzip
>
> Has anyone out there figured out what line to put in logcheck's amavisd-new file to get the messages below excluded from logcheck's report?
>
> Thanks
>
> Jason
>
>
> Security Events
> =-=-=-=-=-=-=-=
> Nov 29 14:02:04 linttrap amavis[18737]: (18737-03) do_executable/do_unzip failed, ignoring: format error: bad signature: 0x00905a4d at offset 0 in file /var/lib/amavis/tmp/amavis-20051129T140130-18737/parts/part-00003
I may have solved this myself. After closer inspection of the readme files supplied with the logcheck package, I noticed where it said that keywords will override ignore filters. Further reading explained that to override keywords, you can create a file in /etc/logcheck/violations.ignore.d/logcheck-(packagename). I created a logcheck-amavisd-new file and added the line:

amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable\/do_unzip

from the amavisd-new file in /etc/logcheck/ignore.d.server/amavisd-new. This seems to be working. Perhaps this will be of help to someone else.

Jason
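As an added illustration that is not part of the thread, the Python below models the rule ordering Jason describes to show why the pattern in ignore.d.server alone did not silence the line: a violation keyword match is evaluated first, and only a rule in violations.ignore.d can exempt it. The keyword list is a hypothetical stand-in for the shipped violations.d files, and the ordering is my reading of the documentation Jason cites; real logcheck runs egrep, whose extended-regex syntax Python's re handles for this pattern.

```python
import re

# Sample log line constructed from the one quoted in the thread (syslog prefix included).
LOG_LINE = ("Nov 29 14:02:04 linttrap amavis[18737]: (18737-03) "
            "do_executable/do_unzip failed, ignoring: format error: bad signature: "
            "0x00905a4d at offset 0 in file "
            "/var/lib/amavis/tmp/amavis-20051129T140130-18737/parts/part-00003")

# Jason's two candidate rules, verbatim from the thread. Both are valid extended
# regexes and both match; escaping the slash changes nothing.
RULE_PLAIN = r"amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable/do_unzip"
RULE_ESCAPED = r"amavis\[[0-9]+\]: +(\([-0-9]+\) +)?do_executable\/do_unzip"

# Assumed violation keywords (hypothetical; the real violations.d files differ).
VIOLATIONS_D = [r"failed", r"error"]


def rule_matches(rule, line):
    """True if the unanchored rule matches anywhere in the line, as egrep -f would."""
    return re.search(rule, line) is not None


def classify(line, violations_d, violations_ignore_d, ignore_d):
    """Model of logcheck's ordering: violation keywords are tested before the
    plain ignore rules, and only violations.ignore.d can exempt a keyword hit."""
    if any(rule_matches(p, line) for p in violations_d):
        if any(rule_matches(p, line) for p in violations_ignore_d):
            return "suppressed"
        return "Security Events"       # the section Jason saw in his report
    if any(rule_matches(p, line) for p in ignore_d):
        return "suppressed"
    return "System Events"


def before_fix():
    """Rule only in ignore.d.server: the keyword hit still wins."""
    return classify(LOG_LINE, VIOLATIONS_D, [], [RULE_PLAIN])


def after_fix():
    """Same rule also placed in violations.ignore.d: the line is silenced."""
    return classify(LOG_LINE, VIOLATIONS_D, [RULE_ESCAPED], [RULE_PLAIN])


if __name__ == "__main__":
    print("ignore.d.server only:     ", before_fix())
    print("plus violations.ignore.d: ", after_fix())
```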