Re: logcheck.ignore entries

To: debian-security@lists.debian.org
Subject: Re: logcheck.ignore entries
From: Marco Franzen <Marco.Franzen@bigfoot.com>
Date: Wed, 14 Apr 2004 20:06:02 +0100
Message-id: <[🔎] E1BDphx-0000q3-00@pika.franzen.uklinux.net>
In-reply-to: <[🔎] 20040414112755.19456c46.jcoppock1@comcast.net> (message from Jeff Coppock on Wed, 14 Apr 2004 11:27:55 -0700)
References: <[🔎] 20040414090154.0eccb1ba.jcoppock1@comcast.net> <[🔎] 200404150349.35353.russell@coker.com.au> <[🔎] 20040414112755.19456c46.jcoppock1@comcast.net>

> Date: Wed, 14 Apr 2004 11:27:55 -0700
> From: Jeff Coppock <jcoppock1@comcast.net>

> On Thu, 15 Apr 2004 03:49:35 +1000
> Russell Coker <russell@coker.com.au> wrote:
> 
> > On Thu, 15 Apr 2004 02:01, Jeff Coppock <jcoppock1@comcast.net> wrote:
> > > I'm having trouble with getting entries here to work.  I have the
> > > following /var/log/auth.log messages that I want to filter out of
> > > logcheck (version 1.2.16, sarge):
> > >
> > > CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> > > CRON[15302]: (pam_unix) session closed for user root
> > > CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> > > CRON[15613]:(pam_unix) session closed for user mail
> > >
> > > So, I have the following entry in /etc/logcheck/logcheck.ignore:
> > 
> > Try this one:
> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> > (root)|(mail)

Careful about the parentheses.  See below.

> Trying it now.  I'm not sure about the use of the logcheck.ignore file
> since when I run logcheck -d (debug mode), I don't see that file being
> accessed.  I'll try using the cron file in the ignore.d.server
> directory.
> 
> > You hadn't accounted for the optional space after the ':' (or was that
> > a typo?), the "\[.*\]" part is better than just a ".*" (imagine if you
> > could fool cron about the user-name to log), also a ".*" on the end is
> > redundant.

This:

> > For having two different words match you need to put each
> > word in braces, "(opened|closed)" is the same as "opene(d|c)losed".

is probably not true.  At least it isn't in woody, and I would regard
it a bug if that suddenly changed.  It would also be a highly unusual
implementation of regular expressions.

For example, I have in /etc/logcheck/ignore.d/local a working entry:

  anacron\[[0-9]+\]: Job `cron\.(daily|weekly|monthly)' (started|terminated)$

that would break if this were suddenly true.

To turn it around, you could match your 4 lines for example like this:

  CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user (mail|root)( by \(uid=0\))?

> Okay, use of the braces makes sense.  That space thing wasn't a typo,
> just my ignorance.

I think it will just have been the space.

You could just add a "?" after the ": " in your original expression
(which would bind to the space only, in the absence of parentheses).

Regards,
Marco

Reply to:

Follow-Ups:
- Re: logcheck.ignore entries
  - From: Jeff Coppock <jcoppock1@comcast.net>

References:
- logcheck.ignore entries
  - From: Jeff Coppock <jcoppock1@comcast.net>
- Re: logcheck.ignore entries
  - From: Russell Coker <russell@coker.com.au>
- Re: logcheck.ignore entries
  - From: Jeff Coppock <jcoppock1@comcast.net>

Prev by Date: Re: [SECURITY] [DSA 479-1] New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)
Next by Date: Re: logcheck.ignore entries
Previous by thread: Re: logcheck.ignore entries
Next by thread: Re: logcheck.ignore entries
Index(es):
- Date
- Thread