
[cobalt-security] LogCheck Help, Please



OK, I've RTFM, read the groups, surfed the net and tested everything I
can to make the following log entries go away:

Sep 23 07:48:38 MYSERVER portsentry[10539]: attackalert: Host:
pn137.szczecin.sdi.tpnet.pl/217.98.186.137 is already blocked Ignoring

I removed all keywords in the entry from logcheck.hacking (like
'attackalert')

I added ignore rules to the logcheck.ignore file like this:

portsentry.*is already blocked Ignoring

I added it to my violations.ignore too!

Basically what I want is to see the initial catch by portsentry but not
every subsequent hit after that.

Can someone more savvy than I give me an example that would take this
out?

Also, I have yet to find a reference on what the '.' in the logcheck
file rules means, or where it needs to go.  It seems to be a
concatenator?

Would this work?

portsentry[*]: attackalert: * already blocked Ignoring

or do things need escaping:
portsentry\[*\]: attackalert: * already blocked Ignoring

or does the '.' have to go before each wildcard:
portsentry\[.*.\]: attackalert: .*already blocked Ignoring

See, none of these seems to help, it's like portsentry logs are included
automagically.  Well, I need some black magic cuz I'm tired of 500 lines
when I only need 5.

I'm glad to do the research and testing myself if someone'd point me to
a definitive document explaining, in detail, the syntax of the rules
files.

The first person to point me to psionic.com gets flamed and the next
person who tells me to read the documentation gets a flamethrower
because those docs are so weak.

Thanks in advance and sorry for the rant, I've been trying different
combos for hours, and that's after surfing most of the morning for the
answer.

-T
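Added example, not from the original post or from logcheck's own code: a shell check of the three rules tried in the post against two constructed portsentry lines, using the same egrep semantics logcheck applies to its ignore file. The helper name, the sample log lines and the tighter fourth rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from logcheck itself): checks
# candidate logcheck.ignore rules against sample portsentry lines.
#
# Constructed sample log: the first line stands in for the initial catch the
# poster wants to keep, the second is the repeat they want suppressed.
SAMPLE_LOG='Sep 23 07:48:12 MYSERVER portsentry[10539]: attackalert: Connect from host: pn137.szczecin.sdi.tpnet.pl/217.98.186.137 to TCP port: 23
Sep 23 07:48:38 MYSERVER portsentry[10539]: attackalert: Host: pn137.szczecin.sdi.tpnet.pl/217.98.186.137 is already blocked Ignoring'

# logcheck feeds its ignore file to "egrep -v -f", so every rule is an extended
# regular expression, not a shell glob: "." matches any single character, "*"
# means "zero or more of the preceding item", and "[...]" is a character class.
# Hypothetical helper: prints how many sample lines survive one ignore rule.
surviving_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -e "$1" | awk 'END { print NR }'
}

# Rules exactly as tried in the post, plus one tighter alternative.
RULE_GLOB='portsentry[*]: attackalert: * already blocked Ignoring'      # "[*]" is a class holding only "*"
RULE_ESCAPED='portsentry\[*\]: attackalert: * already blocked Ignoring' # "\[*" is zero or more "["
RULE_DOTSTAR='portsentry\[.*.\]: attackalert: .*already blocked Ignoring'
RULE_TIGHT='portsentry\[[0-9]+\]: attackalert: Host: .* is already blocked Ignoring'

for rule in "$RULE_GLOB" "$RULE_ESCAPED" "$RULE_DOTSTAR" "$RULE_TIGHT"; do
    printf '%s line(s) survive rule: %s\n' "$(surviving_lines "$rule")" "$rule"
done
# Expected counts: 2, 2, 1, 1. The two "*"-as-wildcard rules match nothing, so
# both lines pass through; the ".*" rules drop only the "already blocked" repeat.
```

If a rule drops the repeat here but not in a live run, the line is reaching the report from a different pass (the hacking or violations list), not from the ignore pass.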