Re: logcheck.ignore entries
On 14 Apr 2004 22:44:40 GMT
Paul Hink <email@p-hink.de> wrote:
> Jeff Coppock <jcoppock1@comcast.net> wrote:
>
> > On 14 Apr 2004 20:35:19 GMT Paul Hink <email@p-hink.de> wrote:
> >
> >> Russell Coker <russell@coker.com.au> wrote:
> >>
> >> > Try this one:
> >> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> >> > (root)|(mail)
>
> >> [...]
>
> >> "session (opened|closed) for user" matches "session opened for
> >> user" and "session closed for user" which is what is needed here.
> >> "session (opened)|(closed) for user" matches "session opened" and
> >> "closed for user" which does not make much sense in this context.
> >
> > Using either variation appears to be working, but that's most likely
> > due to the simplicity of the message.
>
> Well,
>
> CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> (root)|(mail)
>
> matches every line matching one of the following expressions:
>
> CRON\[.*\]:( )?\(pam_unix\) session (opened)
> (closed) for user (root)
> (mail)
>
> So for example logcheck won't report any line containing the string
> "mail" any more which probably is not what you want.
I don't really understand why that entry will match those
expressions, but you're right, those matches are not what I want.
My final entry is in /etc/logcheck/ignore.d.server/cron as this:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_unix\) session (opened|closed) for user (root|mail)
And, this entry is not matching on the ssh and su messages which I do
want to see, but is filtering out the CRON messages I don't want to see.
Excellent help! Thank you very much Paul and Russell.
jc
--
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
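The precedence problem Paul describes above can be checked directly with grep -E, which is the matcher logcheck feeds its ignore files to. The script below is an added example and not part of the thread; it runs Russell's original pattern and Jeff's final anchored entry over a handful of constructed syslog lines (hostname "myhost", the PIDs, the user "jeff" and the postfix line are all made up) and counts how many lines each pattern would silence. The unanchored pattern swallows an su logout and a postfix line that merely contains the word "mail"; the anchored one only silences the two CRON lines.

```shell
#!/bin/sh
# Constructed sample log lines (not taken from any real system).
SAMPLE='Apr 14 22:44:40 myhost CRON[12345]: (pam_unix) session opened for user root by (uid=0)
Apr 14 22:45:01 myhost CRON[12346]: (pam_unix) session closed for user mail
Apr 14 22:46:10 myhost sshd[12350]: (pam_unix) session opened for user jeff by (uid=0)
Apr 14 22:47:03 myhost su[12360]: (pam_unix) session opened for user root by jeff(uid=1000)
Apr 14 22:47:30 myhost su[12360]: (pam_unix) session closed for user root
Apr 14 22:48:00 myhost postfix/smtpd[12370]: connect from mail.example.invalid[192.0.2.10]'

# Russell's pattern as posted: "|" binds loosest, so this is really three
# alternatives: "CRON...session (opened)", "(closed) for user (root)" and "(mail)".
BROKEN='CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)'

# Jeff's final entry: anchored at line start, alternation grouped in parentheses.
FIXED='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_unix\) session (opened|closed) for user (root|mail)'

# count_ignored PATTERN: number of sample lines logcheck would drop.
count_ignored() {
    printf '%s\n' "$SAMPLE" | grep -E -c -e "$1" || true
}

# count_reported PATTERN: number of sample lines logcheck would still mail out.
count_reported() {
    printf '%s\n' "$SAMPLE" | grep -E -v -c -e "$1" || true
}

# ignored_lines PATTERN: print the lines a pattern silences, for eyeballing.
ignored_lines() {
    printf '%s\n' "$SAMPLE" | grep -E -e "$1" || true
}

echo "== unanchored pattern silences:"
ignored_lines "$BROKEN"
echo "   ($(count_ignored "$BROKEN") ignored, $(count_reported "$BROKEN") reported)"
echo "== anchored pattern silences:"
ignored_lines "$FIXED"
echo "   ($(count_ignored "$FIXED") ignored, $(count_reported "$FIXED") reported)"
```

Run it on a real box and swap in lines from your own /var/log/auth.log to confirm an ignore entry only hits what you intend; the su and postfix lines disappearing under the first pattern is exactly the kind of blind spot an over-broad ignore rule creates.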