Date: Fri, 8 Nov 2019 11:23:34 -0500 From: "James B. Byrne" <byrnejb@harte-lyne.ca> To: questions@freebsd.org Subject: logcheck on FreeBSD-12 Message-ID: <14e202ded3bf1da9d1fddbc163f74e50.squirrel@webmail.harte-lyne.ca>
next in thread | raw e-mail | index | archive | help
I am attempting to get the following message unreported in locgcheck:
Nov 8 07:01:40 <auth.info> vhost04 sshd[63602]: Bad protocol version
identification 'GET /requested.html HTTP/1.1' from 157.230.216.203
port 37044
I have this rule in
/usr/local/etc/logcheck/violations.ignore.d/local-sshd:
^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad protocol
version identification.*
I have confirmed that this rule matches the log entry given above:
Nov 8 11:07:46 <auth.info> vhost04 sshd[99149]: Bad protocol version
identification 'GET / HTTP/1.1' from 47.99.215.199 port 42304
================================================================================
parsed file: /var/log/auth.log
used rule: '^\w{3} [ :[:digit:]]{11} <auth.info> .*sshd\[.*\]: Bad
protocol version identification.*'
I have confirmed that the local-sshd file is readable by logcheck:
ll /usr/local/etc/logcheck/violations.ignore.d/local-sshd
-rw-r--r-- 1 root logcheck 866 Nov 6 11:17
/usr/local/etc/logcheck/violations.ignore.d/local-sshd
Why are these things still being reported?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14e202ded3bf1da9d1fddbc163f74e50.squirrel>