
Re: logcheck.ignore entries



On 14 Apr 2004 22:44:40 GMT
Paul Hink <email@p-hink.de> wrote:

> Jeff Coppock <jcoppock1@comcast.net> wrote:
> 
> > On 14 Apr 2004 20:35:19 GMT Paul Hink <email@p-hink.de> wrote:
> > 
> >> Russell Coker <russell@coker.com.au> wrote:
> >> 
> >> > Try this one:
> >> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> >> > (root)|(mail)
> 
> >> [...]
> 
> >> "session (opened|closed) for user" matches "session opened for
> >> user" and "session closed for user" which is what is needed here.
> >> "session (opened)|(closed) for user" matches "session opened" and
> >> "closed for user" which does not make much sense in this context.
> > 
> > Using either variation appears to be working, but that's most likely
> > due to the simplicity of the message.
> 
> Well,
> 
> CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> (root)|(mail)
> 
> matches every line matching one of the following expressions:
> 
> CRON\[.*\]:( )?\(pam_unix\) session (opened)
> (closed) for user (root)
> (mail)
> 
> So for example logcheck won't report any line containing the string
> "mail" any more which probably is not what you want.

I don't really understand why that entry will match those
expressions, but you're right, those matches are not what I want.

My final entry is in /etc/logcheck/ignore.d.server/cron as this:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_unix\) session (opened|closed) for user (root|mail)

And, this entry is not matching on the ssh and su messages which I do
want to see, but is filtering out the CRON messages I don't want to see.

Excellent help!  Thank you very much Paul and Russell.

jc

-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
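The alternation problem Paul describes, and the final ignore entry, can be checked outside logcheck. The script below is an added example (not from the thread and not logcheck's own code): it runs both patterns through `grep -E -v`, which is roughly how logcheck applies the files in ignore.d.server, over a handful of constructed syslog lines. The hostname, PIDs, timestamps and the postfix line are made up for the demonstration; the two patterns are the ones quoted above. The `\w` and `[:alnum:]` classes assume GNU grep.

```shell
#!/bin/sh
# Added example: emulate logcheck's ignore step on constructed log lines.
# logcheck drops every line matched by a pattern in ignore.d.*/ and reports
# the rest, so the interesting output is what survives "grep -E -v".

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG='Apr 14 22:44:40 myhost CRON[12345]: (pam_unix) session opened for user root by (uid=0)
Apr 14 22:44:41 myhost CRON[12345]: (pam_unix) session closed for user root
Apr 14 22:45:00 myhost CRON[12346]: (pam_unix) session opened for user mail by (uid=0)
Apr 14 22:50:12 myhost sshd[23456]: (pam_unix) session opened for user root by (uid=0)
Apr 14 22:51:03 myhost su[23457]: (pam_unix) session opened for user root by jc(uid=1000)
Apr 14 22:52:30 myhost postfix/smtpd[23458]: connect from mail.example.org[192.0.2.10]
Apr 14 22:53:00 myhost sshd[23456]: (pam_unix) session closed for user root'

# The first suggestion from the thread: the bare "|" splits the whole
# expression into three alternatives, the last of which is just "mail".
BAD_PATTERN='CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)'

# Jeff's final entry: alternation is confined to its parentheses and the
# line is anchored to the syslog prefix and to CRON specifically.
GOOD_PATTERN='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_unix\) session (opened|closed) for user (root|mail)'

# report_lines PATTERN
#   Print the lines logcheck would still report under PATTERN, i.e. the
#   lines that do NOT match the ignore expression.
report_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -e "$1"
}

# count_reported PATTERN
#   Number of lines that survive the ignore filter.
count_reported() {
    report_lines "$1" | wc -l | tr -d ' '
}

echo "== reported with the unparenthesised alternation (bad) =="
report_lines "$BAD_PATTERN"
echo
echo "== reported with the final entry (good) =="
report_lines "$GOOD_PATTERN"
```

With the bad pattern the postfix line vanishes because it contains "mail", and the sshd "session closed for user root" line vanishes because the middle alternative matches it regardless of the process name; only two of the seven lines would be reported. With the final entry only the three CRON lines are dropped, and the sshd, su and postfix lines are all still reported, which is the behaviour Jeff describes.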


