Configure your own logcheck ignore rules

Logcheck configuration

Logcheck's configuration lives in /etc/logcheck/logcheck.conf. Depending on the value of

REPORTLEVEL="server"

rules from different subdirectories of /etc/logcheck are applied:

ls /etc/logcheck
cracking.d
cracking.ignore.d
ignore.d
ignore.d.paranoid
ignore.d.server
ignore.d.workstation
violations.d
violations.ignore.d

Define your ignore rules

When using the server report level, put your local rules file in /etc/logcheck/ignore.d.server and create a symbolic link to it from /etc/logcheck/violations.ignore.d. This ensures that your ignore rules are applied even if a log entry contains a keyword that would otherwise indicate a violation, e.g. reject, error or similar. When using this approach you need to make your ignore rules as specific as possible, because a rule that matches too much silently suppresses entries you would want to see.

Sample content of /etc/logcheck/ignore.d.server/local-rules

# amavis
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) Blocked SPAM
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) [E]*SMTP: NOTICE: Connection broken during data transfer
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) mail_via_smtp: DATA skipped, no valid recips

Test your ignore rules

You can use

egrep -f local-rules /var/log/mail.log

which will list all log entries that match patterns from your local-rules file. These entries will be ignored by logcheck, i.e. they will not be mailed to you. Everything that is not listed would still end up in the report.

Choose a file name for your rules that starts with 'local-' so that it will not get accidentally overwritten by a package. Do not use file names that end in 'disabled' or similar, and do not use file names that contain periods (.): such files are ignored when run-parts examines the directory.
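The following script is an added example, not part of the original page: it builds a constructed mail.log extract and two rules files in a temporary directory, runs the same grep -E -f check described above, and contrasts the page's specific amavis rules with a deliberately over-broad one to show why specificity matters. The log lines, hostnames and addresses are constructed; the names local-rules and broad-rules are assumptions. The page's \w{3} is written as the POSIX class [[:alpha:]]{3} so the example also runs on non-GNU grep (logcheck itself uses GNU egrep, where \w works). The rules_name_ok helper implements the file-naming advice above using the default run-parts name pattern.

```shell
#!/bin/sh
# Added example (not from the original page): test logcheck ignore rules
# against a constructed log extract and compare specific vs. broad rules.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed /var/log/mail.log extract: three lines the page's amavis
# rules should ignore, two that must still reach the report.
cat > "$WORKDIR/mail.log" <<'EOF'
Jan  5 12:34:56 mailhost amavis[1234]: (01234-01) Blocked SPAM {DiscardedInbound}, [192.0.2.10] <sender@example.net> -> <user@example.org>
Jan  5 12:35:01 mailhost amavis[1235]: (01235-02) ESMTP: NOTICE: Connection broken during data transfer
Jan  5 12:36:10 mailhost amavis[1236]: (01236-03) mail_via_smtp: DATA skipped, no valid recips
Jan  5 12:37:22 mailhost amavis[1237]: (01237-04) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}
Jan  5 12:38:00 mailhost postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable
EOF

# Specific rules, as on the page, with \w{3} written as [[:alpha:]]{3}.
cat > "$WORKDIR/local-rules" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) Blocked SPAM
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) [E]*SMTP: NOTICE: Connection broken during data transfer
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) mail_via_smtp: DATA skipped, no valid recips
EOF

# Deliberately over-broad rule: "anything amavis logs" (constructed, do not use).
cat > "$WORKDIR/broad-rules" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]:
EOF

# Lines a rules file would suppress: what `egrep -f local-rules` prints.
ignored_lines() {   # $1 = rules file
    grep -E -f "$1" "$WORKDIR/mail.log"
}

# Lines logcheck would still report: everything NOT matched by any rule.
reported_lines() {  # $1 = rules file
    grep -E -v -f "$1" "$WORKDIR/mail.log"
}

# Number of lines that still reach the report for a given rules file.
reported_count() {  # $1 = rules file
    reported_lines "$1" | wc -l | tr -d ' '
}

# File-name check: must start with 'local-' and use only the characters
# run-parts accepts by default ([A-Za-z0-9_-]), so no periods or suffixes.
rules_name_ok() {   # $1 = bare file name; returns 0 if acceptable
    printf '%s' "$1" | grep -E -q '^local-[A-Za-z0-9_-]+$'
}

echo "== ignored by local-rules =="
ignored_lines "$WORKDIR/local-rules"
echo "== still reported with local-rules ($(reported_count "$WORKDIR/local-rules") lines) =="
reported_lines "$WORKDIR/local-rules"
echo "== still reported with broad-rules ($(reported_count "$WORKDIR/broad-rules") lines) =="
reported_lines "$WORKDIR/broad-rules"
for name in local-rules local-rules.disabled amavis; do
    if rules_name_ok "$name"; then echo "name ok:  $name"; else echo "name bad: $name"; fi
done
```

With the specific rules, the Blocked INFECTED line and the postfix reject line both remain in the report; with the broad rule the infected-mail entry disappears without a trace, which is exactly the failure the advice about specificity guards against. To check a real rules file, point the grep at /var/log/mail.log and the file in /etc/logcheck/ignore.d.server instead of the constructed ones.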
