
Re: logcheck.ignore entries



Also keep in mind that you might need to edit logcheck.violations.ignore
if these entries are showing up in the "Possible Security Violations"
section of the email.

mike

On Wed, 2004-04-14 at 12:01, Jeff Coppock wrote:
> I'm having trouble with getting entries here to work.  I have the
> following /var/log/auth.log messages that I want to filter out of
> logcheck (version 1.2.16, sarge):
> 
> CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> CRON[15302]: (pam_unix) session closed for user root 
> CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> CRON[15613]:(pam_unix) session closed for user mail
> 
> So, I have the following entry in /etc/logcheck/logcheck.ignore:
> 
> CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*
> 
> However, logcheck still reports these messages on every run.  I'm barely
> a novice at regex and came up with this entry by googling around.
> 
> Could there be something I need to add to the logcheck.conf file to make
> this work?  
> 
> Is my entry botched?
> 
> The actual log messages also include the date/time/hostname.  Do I need
> to account for that in the entry?
> 
> thanks,
> jc
> 
> -- 
> Jeff Coppock		Systems Engineer
> Diggin' Debian		Admin and User
> 
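
An added example, not part of the original thread: a way to test an ignore pattern offline before putting it in logcheck.ignore, assuming logcheck applies each line as an extended regex (as `grep -E` does) against the full log line. The sample lines are constructed from the messages quoted above with a made-up date/time/hostname prefix, and `ANCHORED` is a hypothetical replacement pattern.

```shell
#!/bin/sh
# Constructed sample: the four messages from the post, each given a made-up
# date/time/hostname prefix, a space after "CRON[pid]:" and no trailing blanks.
sample_log() {
cat <<'EOF'
Apr 14 12:00:01 myhost CRON[15302]: (pam_unix) session opened for user root by (uid=0)
Apr 14 12:00:02 myhost CRON[15302]: (pam_unix) session closed for user root
Apr 14 12:05:01 myhost CRON[15613]: (pam_unix) session opened for user mail by (uid=0)
Apr 14 12:05:02 myhost CRON[15613]: (pam_unix) session closed for user mail
EOF
}

# Pattern exactly as posted. Its trailing " .*" requires a space after the
# user name, which only the "session opened ... by (uid=0)" lines have.
POSTED='CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*'

# Hypothetical replacement: anchored at both ends, accounts for the syslog
# prefix, and makes the " by (uid=0)" tail optional.
ANCHORED='^[A-Z][a-z]{2} [ 0-9:]{11} [^ ]+ CRON\[[0-9]+\]: \(pam_unix\) session (opened|closed) for user (root|mail)( by \(uid=0\))?$'

# Print the sample lines a pattern does NOT suppress, i.e. what would
# still be reported. "|| true" because grep exits 1 when nothing is left.
still_reported() {
    sample_log | grep -E -v -e "$1" || true
}

# Number of sample lines that would still be reported for a pattern.
count_reported() {
    still_reported "$1" | wc -l | tr -d ' '
}

echo "posted pattern leaves $(count_reported "$POSTED") line(s):"
still_reported "$POSTED"
echo "anchored pattern leaves $(count_reported "$ANCHORED") line(s)"
```

Anchoring with `^` and `$` keeps the rule from hiding longer lines that merely contain the same text, which matters for a filter applied to auth.log.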


