
Re: logcheck.ignore entries



On Thu, 15 Apr 2004 02:01, Jeff Coppock <jcoppock1@comcast.net> wrote:
> I'm having trouble with getting entries here to work.  I have the
> following /var/log/auth.log messages that I want to filter out of
> logcheck (version 1.2.16, sarge):
>
> CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> CRON[15302]: (pam_unix) session closed for user root
> CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> CRON[15613]:(pam_unix) session closed for user mail
>
> So, I have the following entry in /etc/logcheck/logcheck.ignore:

Try this one:
CRON\[.*\]:( )?\(pam_unix\) session (opened|closed) for user (root|mail)

You hadn't accounted for the optional space after the ':' (or was that a 
typo?), the "\[.*\]" part is better than just a ".*" (imagine if you could 
fool cron about the user-name to log), also a ".*" on the end is redundant.  
For having two different words match you need to put each word in braces, 
"(opened|closed)" is the same as "opene(d|c)losed".

For the benefit of other readers, '.' in a regular expression matches any 
character and '*' means zero or more instances of the previous atom.  See 
regex(7) for more details.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
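As an added example, not part of Russell's or Jeff's messages: logcheck feeds each line of its ignore files to egrep (grep -E) as an extended regex, so the quickest way to check a candidate pattern is to run the same grep over sample log lines. The script below does that for three patterns: the suggested pattern as first posted (with the alternation at top level), the same pattern with the alternatives grouped in parentheses, and a tighter, end-anchored variant of my own that only accepts a numeric PID and the exact "by (uid=0)" tail. The sample lines are constructed for this test (the timestamps, hostname, PIDs and the sshd and su lines are made up); the CRON lines are modelled on the ones quoted in the thread, plus one deliberately odd line where a root cron session is opened by uid 1000.

```shell
#!/bin/sh
# Added example: check logcheck.ignore regexes with grep -E, the same
# matcher logcheck uses. Not code from the original thread.

# Constructed sample /var/log/auth.log lines (hostname, PIDs and times are
# made up). Lines 1-4 mirror the ones quoted in the thread. Line 5 is an
# unrelated sshd failure that merely contains the word "mail". Line 6 is a
# su session that should never be swallowed by a CRON rule. Line 7 is an
# anomalous cron line: a root session opened by uid 1000, not uid 0.
SAMPLE_LINES='Apr 15 02:00:01 host CRON[15302]: (pam_unix) session opened for user root by (uid=0)
Apr 15 02:00:01 host CRON[15302]: (pam_unix) session closed for user root
Apr 15 02:05:01 host CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
Apr 15 02:05:01 host CRON[15613]:(pam_unix) session closed for user mail
Apr 15 02:07:13 host sshd[16001]: Failed password for mail from 10.0.0.5 port 4444 ssh2
Apr 15 02:08:44 host su[16077]: (pam_unix) session opened for user root by jeff(uid=1000)
Apr 15 02:10:01 host CRON[15700]: (pam_unix) session opened for user root by (uid=1000)'

# The pattern as first posted. The unparenthesised '|' splits it into three
# independent alternatives; the last one is just "mail", so any line that
# contains that word is suppressed.
BROKEN='CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)'

# Alternatives grouped, so the whole "CRON[...]: (pam_unix) session ..."
# shape is required. Still unanchored at the end.
FIXED='CRON\[.*\]:( )?\(pam_unix\) session (opened|closed) for user (root|mail)'

# Tighter variant (my addition, an assumption about what the admin wants):
# digits only in the PID, and the line must end right after the known
# "by (uid=0)" tail or the bare "closed for user X", so nothing unexpected
# can ride along on an ignored line.
STRICT='CRON\[[0-9]+\]: ?\(pam_unix\) session (opened for user (root|mail) by \(uid=0\)|closed for user (root|mail))$'

# matches PATTERN LINE -> exit 0 if grep -E finds PATTERN in LINE
matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# count_ignored PATTERN -> number of SAMPLE_LINES that PATTERN would suppress
# (grep -c exits 1 when the count is 0, so force success to keep the number)
count_ignored() {
    printf '%s\n' "$SAMPLE_LINES" | grep -E -c -- "$1" || true
}

# Stand-alone report: how many of the 7 sample lines each pattern hides,
# and which lines they are.
for name in BROKEN FIXED STRICT; do
    eval "pat=\$$name"
    echo "$name suppresses $(count_ignored "$pat") of 7 lines:"
    printf '%s\n' "$SAMPLE_LINES" | grep -E -- "$pat" | sed 's/^/    /' || true
done
```

Only the four genuine cron lines should be hidden; anything that hides the sshd failure, or the root session opened by uid 1000, is a rule that is too loose, which is exactly the "fool cron about the user-name" concern in the reply above.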


