logcheck.ignore entries
I'm having trouble with getting entries here to work. I have the
following /var/log/auth.log messages that I want to filter out of
logcheck (version 1.2.16, sarge):

CRON[15302]: (pam_unix) session opened for user root by (uid=0)
CRON[15302]: (pam_unix) session closed for user root
CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
CRON[15613]:(pam_unix) session closed for user mail

So, I have the following entry in /etc/logcheck/logcheck.ignore:

CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*

However, logcheck still reports these messages on every run. I'm barely
a novice at regex and came up with this entry by googling around.
Could there be something I need to add to the logcheck.conf file to make
this work?
Is my entry botched?
The actual log messages also include the date/time/hostname. Do I need
to account for that in the entry?
thanks,
jc
--
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
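
One way to check the entry outside logcheck, as an added example that is not part of the original post: it runs the posted pattern with `grep -E -v` over the four messages exactly as quoted above and shows which ones would still be reported. Assumptions: the rule is evaluated as a POSIX extended regular expression the way `grep -E` does, the timestamp and hostname prefixes are constructed, and `TIGHT` is a hypothetical alternative pattern, not one from the post.

```shell
#!/bin/sh
# Constructed sample: the four messages from the post, each with a
# made-up timestamp and hostname in front (the post says the real
# lines carry date/time/hostname).
sample_log() {
cat <<'EOF'
May  1 06:25:01 host1 CRON[15302]: (pam_unix) session opened for user root by (uid=0)
May  1 06:25:02 host1 CRON[15302]: (pam_unix) session closed for user root
May  1 06:30:01 host1 CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
May  1 06:30:02 host1 CRON[15613]:(pam_unix) session closed for user mail
EOF
}

# The entry exactly as posted. The trailing " .*" demands a space after
# the user name, and ": \(" demands a space after the colon.
POSTED='CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*'

# Hypothetical tightened entry (assumption, not from the post): optional
# space after the colon, optional " by (uid=0)" tail, anchored at end of
# line so nothing else in auth.log is suppressed by accident.
TIGHT='CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user (root|mail)( by \(uid=0\))?$'

# Print the sample lines the pattern does NOT filter out.
still_reported() {
    sample_log | grep -E -v -e "$1" || true   # grep exits 1 when nothing is left
}

# Count the sample lines the pattern does NOT filter out.
count_reported() {
    sample_log | grep -E -v -c -e "$1" || true
}

echo "posted entry: $(count_reported "$POSTED") of 4 lines still reported"
still_reported "$POSTED"
echo "tightened entry: $(count_reported "$TIGHT") of 4 lines still reported"
```

An unanchored match is enough for the date/time/hostname prefix to be ignored in this test; the end-of-line anchor in `TIGHT` keeps the rule from hiding other auth.log lines that merely contain the same text.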