Configure your own logcheck ignore rules
Logcheck configuration
Logcheck config is in /etc/logcheck/logcheck.conf, depending on setting of
REPORTLEVEL="server"
different rules from the following directories are used:
/etc/logcheck# cracking.d cracking.ignore.d ignore.d ignore.d.paranoid ignore.d.server ignore.d.workstation violations.d violations.ignore.d
Define your ignore rules
When using server report level, put your local-rules file in /etc/logcheck/ignore.d.server and create a symbolic link to it from /etc/logcheck/violations.ignore.d. This ensures that your ignore rules are applied even if a log entry contains a keyword that would otherwise indicate a violation, e.g. reject, error or similar. When using this approch you need to ensure that you are as specific as possible when compiling your ignore rules.
Sample content of /etc/logcheck/ignore.d.server/local-rules
# amavis
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) Blocked SPAM
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) [E]*SMTP: NOTICE: Connection broken during data transfer
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ amavis\[[0-9]+\]: \([[:alnum:]-]+\) mail_via_smtp: DATA skipped, no valid recips
Test your ignore rules
You can use
egrep -f local-rules /var/log/mail.log
which will list all log entries that match patterns from your my.ignores file. They will be ignored by logcheck, i.e. they will not be mailed to you.
Choose a file name for your rules that starts with 'local-' so that they will not get accidently overwritten by a package. Do not use filenames that end in 'disbabled' or similar and do not use filnames that contain periods (.). They get ignored by when run-parts examines the directory.
There are no comments.