
logcheck.ignore entries



I'm having trouble with getting entries here to work.  I have the
following /var/log/auth.log messages that I want to filter out of
logcheck (version 1.2.16, sarge):

CRON[15302]: (pam_unix) session opened for user root by (uid=0)
CRON[15302]: (pam_unix) session closed for user root 
CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
CRON[15613]:(pam_unix) session closed for user mail

So, I have the following entry in /etc/logcheck/logcheck.ignore:

CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*

However, logcheck still reports these messages on every run.  I'm barely
a novice at regex and came up with this entry by googling around.

Could there be something I need to add to the logcheck.conf file to make
this work?  

Is my entry botched?

The actual log messages also include the date/time/hostname.  Do I need
to account for that in the entry?

thanks,
jc

-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
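
Added example, not part of the original post: a quick way to test an ignore pattern against sample lines before relying on it, assuming the ignore file is applied as one extended regular expression per line in the manner of `grep -E -v -f`. The date/time/hostname prefixes, the sshd line, the function names and the `VARIANT` pattern are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines modelled on the auth.log messages in the post,
# with a made-up date/time/hostname prefix and one unrelated sshd line.
sample_lines() {
cat <<'EOF'
Mar  1 06:25:01 host CRON[15302]: (pam_unix) session opened for user root by (uid=0)
Mar  1 06:25:02 host CRON[15302]: (pam_unix) session closed for user root
Mar  1 06:30:01 host CRON[15613]: (pam_unix) session opened for user mail by (uid=0)
Mar  1 06:30:02 host CRON[15613]: (pam_unix) session closed for user mail
Mar  1 06:31:10 host sshd[15700]: (pam_unix) authentication failure; user=root
EOF
}

# Print the sample lines that the pattern file $1 would NOT filter out.
unfiltered() {
    sample_lines | grep -E -v -f "$1"
}

# Echo how many sample lines survive a single pattern passed as $1.
count_unfiltered() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"      # %s keeps the backslashes literal
    n=$(unfiltered "$tmp" | wc -l)
    rm -f "$tmp"
    echo $((n))
}

# Pattern exactly as posted: the trailing " .*" demands a space after the
# user name, so "session closed for user root" at end of line cannot match.
POSTED='CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*'

# Hypothetical variant: the " by (uid=0)" tail is optional and the pattern is
# anchored at end of line so it cannot swallow other messages.
VARIANT='CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user (root|mail)( by \(uid=0\))?$'

echo "posted pattern leaves  $(count_unfiltered "$POSTED") of 5 lines"
echo "variant pattern leaves $(count_unfiltered "$VARIANT") of 5 lines"
```

Because neither pattern starts with `^`, the date/time/hostname prefix does not affect matching in this test; only the sshd line should remain once the CRON session messages are filtered.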


