Wednesday, March 13, 2013

Fix LogCheck sSMTP ignore rules

Maybe I configured it wrong, or maybe logcheck uses the wrong rules for sSMTP. Probably the latter, according to the Debian Bug Tracker.
Every hour I get e-mails like this, so logcheck is responding to itself:
Mar  8 19:02:03 MyDear-Hetzner sSMTP[29992]: Creating SSL connection to host
Mar  8 19:02:03 MyDear-Hetzner sSMTP[29992]: SSL connection using RSA_AES_128_CBC_SHA1
Mar  8 19:02:05 MyDear-Hetzner sSMTP[29992]: Sent mail for postrelay@yoursdearboy.tk (221 2.0.0 Closing connection.) uid=107 username=logcheck outbytes=2012
So the fix:

Bug #1: The ignore rule file for ssmtp, /etc/logcheck/ignore.d.server/ssmtp, has the wrong group and permissions. Let's make it like the other rule files in this directory:
chown root:logcheck /etc/logcheck/ignore.d.server/ssmtp
chmod 644 /etc/logcheck/ignore.d.server/ssmtp

Bug #2: Incomplete rule expression
As you can see, the expression from this file doesn't catch the part of the log quoted above:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Sent mail for .* \([0-9]+ [0-9.]+ Bye\) uid=[0-9]+ username=[\._[:alnum:]-]+ outbytes=[0-9]+$
So we need to add these patterns to the rule file:
# My custom pattern
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Creating SSL connection to host$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: SSL connection using [._[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Sent mail for .*$
# End of custom pattern

Be careful: don't remove this file after an update of logcheck.
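
To check a rule file before relying on it, this added example (not part of the original post) runs the packaged rule, the post's three patterns and a narrower variant against the log lines with grep -E and prints what would still be reported. The fourth log line, its www-data sender and the `username=logcheck` variant are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Needs a grep that accepts \w in
# -E mode (GNU grep does), because the rules themselves use it.

# Print the lines of log file $2 that no pattern in rule file $1 matches,
# i.e. the lines that would still be reported. Comment and blank lines are
# dropped first, because an empty pattern given to grep matches every line.
unmatched_lines() {
    pats=$(mktemp) rc=0
    grep -Ev '^[[:space:]]*(#|$)' "$1" > "$pats" || true
    grep -Ev -f "$pats" "$2" || rc=$?
    rm -f "$pats"
    [ "$rc" -le 1 ]   # grep exits 1 when nothing is left; only >1 is an error
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# The first three lines are the ones quoted in the post; the fourth is
# constructed (hypothetical www-data sender) to show what a broad rule hides.
cat > "$work/log" <<'EOF'
Mar  8 19:02:03 MyDear-Hetzner sSMTP[29992]: Creating SSL connection to host
Mar  8 19:02:03 MyDear-Hetzner sSMTP[29992]: SSL connection using RSA_AES_128_CBC_SHA1
Mar  8 19:02:05 MyDear-Hetzner sSMTP[29992]: Sent mail for postrelay@yoursdearboy.tk (221 2.0.0 Closing connection.) uid=107 username=logcheck outbytes=2012
Mar  8 19:07:41 MyDear-Hetzner sSMTP[30411]: Sent mail for www-data@example.invalid (221 2.0.0 Closing connection.) uid=33 username=www-data outbytes=51234
EOF

# The two SSL rules from the post, with a comment line as in the rule file.
cat > "$work/common" <<'EOF'
# My custom pattern
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Creating SSL connection to host$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: SSL connection using [._[:alnum:]-]+$
EOF
P='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sSMTP\[[0-9]+\]: Sent mail for'
# packaged: the single rule quoted in the post, which expects "Bye".
printf '%s\n' "$P"' .* \([0-9]+ [0-9.]+ Bye\) uid=[0-9]+ username=[\._[:alnum:]-]+ outbytes=[0-9]+$' > "$work/packaged"
# page: the three patterns the post adds.
{ cat "$work/common"; printf '%s\n' "$P .*\$"; } > "$work/page"
# tight: assumed variant; any SMTP reply text, but only the logcheck account.
{ cat "$work/common"
  printf '%s\n' "$P"' .* \([0-9]+ [0-9.]+ .*\) uid=[0-9]+ username=logcheck outbytes=[0-9]+$'; } > "$work/tight"

for r in packaged page tight; do
    echo "== $r: lines still reported =="
    unmatched_lines "$work/$r" "$work/log"
done
```

The broad `Sent mail for .*$` rule silences mail sent by any account on the host; pinning the username keeps unexpected senders visible in the report.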

Thanks to Jonathan Skanes. I use the same rules, but slightly modified, because they didn't work for me.
