Logcheck ignore regexp?


Hi - I'm running logcheck 1.2.39 under Debian Sarge. I'm also running a
utility called "breakinguard" which stops bruteforce attacks. Both work
fine, but what I can't get logcheck to do is ignore lines in the logs
as follows:

Security Alerts
Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued
Jun 21 06:14:07 edith breakinguard[24154]: already blocked [continued
Jun 21 06:14:15 edith breakinguard[24196]: already blocked [continued

Some days, I get literally hundreds of these lines. Does anyone know
how I can get logcheck to ignore them?

It would also be nice to know whether logcheck's incredible complexity
when it comes to this sort of thing is something that people think is a
good thing or not. I have to say it must rank right up there with
sendmail.cf and mod_rewrite as one of the hardest things I've ever had
to deal with in close to 18 years of *NIX admin. It deserves some kind
of "obscurity prize."

Re: Logcheck ignore regexp?

Add appropriate regexp to
/etc/logcheck.d/ignore.d.$/breakinguard.adm file
(".adm" for distinguishing your rules and rules from logcheck package).

Complexity? The only complexity I see is ERE syntax, which has nothing
to do with logcheck itself.

Why? Usage of logcheck is pretty simple (usage of mod_rewrite is
simple too, at least since two years). Maybe it's time to learn shell
scripting and look into logcheck's internals?

Feel free to correct my English
Stanislaw Klekot

Re: Logcheck ignore regexp?

Stachu 'Dozzie' K. wrote:

Thanks, but that's what I've done, and that is why I'm posting here.
The rule has no effect on the lines I quoted above. However, it *does*
work for other lines (also produced by breakinguard) that I want to

So, I assume it may be something to do with the word "attack" in the
line that is overriding the ignore rule. Yet despite reading the man
files, adding rules to violations.ignore.d, and other things, nothing
works and logcheck still catches these lines.


I'll ignore that flamebait and say instead that I know more about shell
scripting than you might suppose.

Re: Logcheck ignore regexp?

The problem then lies with the regexp that you're using. If you posted it,
someone will surely see the correction that needs to be made, but we're not

Re: Logcheck ignore regexp?

GDunn wrote:
Thanks for your help - I've tried the following:

^\w [ :0-9] [._[:alnum:]-]+ breakinguard\[[0-9]+\]: already
blocked \[continued attack\?\?\] [:[:alnum:].]+ \([:[:alnum:].]+\)$

and just this:

already blocked \[continued attack\?\?\]

and finally this:

already blocked [continued attack??]
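A quick way to see why a rule has no effect is to run it the way logcheck does (it filters the log with egrep -v -f against the ignore files) over a few sample lines. This is an added test harness, not part of the thread or the logcheck package; the full breakinguard lines (the "attack??]" tail and host/IP fields) and the fixed rule with the standard logcheck prefix quantifiers are assumptions, since the lines quoted above are truncated.

```shell
#!/bin/sh
# Constructed sample log: two breakinguard lines shaped like the truncated
# ones in the question (tail fields assumed), plus one line that should
# still be reported.
LOG=$(mktemp); RULES=$(mktemp)
trap 'rm -f "$LOG" "$RULES"' EXIT
cat > "$LOG" <<'EOF'
Jun 21 06:13:59 edith breakinguard[24112]: already blocked [continued attack??] 10.0.0.5 (10.0.0.5)
Jun 21 06:14:07 edith breakinguard[24154]: already blocked [continued attack??] 10.0.0.5 (10.0.0.5)
Jun 21 06:14:15 edith sshd[24200]: Failed password for root from 10.0.0.5 port 4412 ssh2
EOF

# Rule as posted: "^\w [ :0-9] " has no repeat counts after \w and [ :0-9],
# so it can never match a "Jun 21 06:13:59 " prefix and silently matches nothing.
BROKEN='^\w [ :0-9] [._[:alnum:]-]+ breakinguard\[[0-9]+\]: already blocked \[continued attack\?\?\] [:[:alnum:].]+ \([:[:alnum:].]+\)$'
# Same rule with the usual logcheck prefix, \w{3} [ :0-9]{11} (assumed fix).
FIXED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ breakinguard\[[0-9]+\]: already blocked \[continued attack\?\?\] [:[:alnum:].]+ \([:[:alnum:].]+\)$'

# remaining LOGFILE RULE -> prints the lines logcheck would still report
remaining() {
    printf '%s\n' "$2" > "$RULES"
    grep -E -v -f "$RULES" "$1" || true   # grep exits 1 when every line is ignored
}

# count_remaining LOGFILE RULE -> number of lines the rule did not ignore
count_remaining() {
    remaining "$1" "$2" | wc -l | tr -d ' '
}

echo "broken rule leaves $(count_remaining "$LOG" "$BROKEN") line(s)"   # 3
echo "fixed rule leaves  $(count_remaining "$LOG" "$FIXED") line(s)"    # 1
```

Drop the candidate rule into a file under the ignore.d directory for your report level only once it leaves just the lines you still want to see.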

Re: Logcheck ignore regexp?

On 22 Jun 2006 14:16:21 -0700, gilgongo@gmail.com
Perhaps you need to put the rule in violations.ignore.d or even

On November 13, Felix Unger was asked to remove himself from his place
of residence.
