Re: logcheck.ignore entries
On Thu, 15 Apr 2004 02:01, Jeff Coppock <jcoppock1@comcast.net> wrote:
> I'm having trouble with getting entries here to work. I have the
> following /var/log/auth.log messages that I want to filter out of
> logcheck (version 1.2.16, sarge):
>
> CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> CRON[15302]: (pam_unix) session closed for user root
> CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> CRON[15613]:(pam_unix) session closed for user mail
>
> So, I have the following entry in /etc/logcheck/logcheck.ignore:
Try this one:
CRON\[.*\]:( )?\(pam_unix\) session (opened|closed) for user (root|mail)
You hadn't accounted for the optional space after the ':' (or was that a
typo?), the "\[.*\]" part is better than just a ".*" (imagine if you could
fool cron about the user-name to log), also a ".*" on the end is redundant.
For having two different words match you need to put each word in braces,
"(opened|closed)" is the same as "opene(d|c)losed".
For the benefit of other readers, '.' in a regular expression matches any
character and '*' means zero or more instances of the previous atom. See
regex(7) for more details.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
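Added example, not part of the reply above or of logcheck itself: a small Python script that applies an ignore rule to a few constructed auth.log lines the way `egrep -v -f` would (a line is dropped if the pattern matches anywhere in it), to show why the grouping of the alternation matters. The sample lines, the `sshd` and `www-data` lines in particular, are constructed for this example, and Python's `re` module stands in for egrep's extended regex syntax (the pattern uses only constructs both understand).

```python
import re

# Constructed sample lines in the style of /var/log/auth.log (not real log data).
SAMPLE_LINES = [
    "CRON[15302]: (pam_unix) session opened for user root by (uid=0)",
    "CRON[15302]: (pam_unix) session closed for user root",
    "CRON[15613]:(pam_unix) session opened for user mail by (uid=0)",
    "CRON[15613]:(pam_unix) session closed for user mail",
    # Constructed: an interactive login as the mail account that should stay in the report.
    "sshd[2201]: Accepted password for mail from 192.0.2.10 port 4422 ssh2",
    # Constructed: a cron session for a user the rule was never meant to cover.
    "CRON[15700]: (pam_unix) session opened for user www-data by (uid=0)",
]

# Alternation without enclosing parentheses: '|' has the lowest precedence, so this
# is really three separate patterns, and the last one is simply "mail".
UNGROUPED = r"CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)"

# The same rule with each alternation wrapped in parentheses, as intended.
GROUPED = r"CRON\[.*\]:( )?\(pam_unix\) session (opened|closed) for user (root|mail)"


def ignored(pattern, lines):
    """Lines an egrep-style ignore rule would drop (match anywhere in the line)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def reported(pattern, lines):
    """Lines that survive the ignore rule and would appear in the logcheck report."""
    rx = re.compile(pattern)
    return [line for line in lines if not rx.search(line)]


if __name__ == "__main__":
    for name, pat in (("ungrouped", UNGROUPED), ("grouped", GROUPED)):
        print(f"--- {name}: {len(ignored(pat, SAMPLE_LINES))} of {len(SAMPLE_LINES)} lines ignored ---")
        for line in reported(pat, SAMPLE_LINES):
            print("  reported:", line)
```

With the ungrouped pattern every sample line is silently dropped, including the ssh login and the www-data cron session, because any line containing "mail" or "session opened" matches one of the three stray alternatives. The grouped pattern drops only the four CRON lines the rule was written for. A quick way to check a new ignore rule before installing it is exactly this: run it against a handful of lines you do want to see and make sure they survive.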