
Re: logcheck.ignore entries



On Thu, 15 Apr 2004 03:49:35 +1000
Russell Coker <russell@coker.com.au> wrote:

> On Thu, 15 Apr 2004 02:01, Jeff Coppock <jcoppock1@comcast.net> wrote:
> > I'm having trouble with getting entries here to work.  I have the
> > following /var/log/auth.log messages that I want to filter out of
> > logcheck (version 1.2.16, sarge):
> >
> > CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> > CRON[15302]: (pam_unix) session closed for user root
> > CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> > CRON[15613]:(pam_unix) session closed for user mail
> >
> > So, I have the following entry in /etc/logcheck/logcheck.ignore:
> 
> Try this one:
> CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)

Trying it now.  I'm not sure about the use of the logcheck.ignore file
since when I run logcheck -d (debug mode), I don't see that file being
accessed.  I'll try using the cron file in the ignore.d.server
directory.

> You hadn't accounted for the optional space after the ':' (or was that
> a typo?), the "\[.*\]" part is better than just a ".*" (imagine if you
> could fool cron about the user-name to log), also a ".*" on the end is
> redundant.  For having two different words match you need to put each
> word in braces, "(opened|closed)" is the same as "opene(d|c)losed".

Okay, use of the braces makes sense.  That space thing wasn't a typo,
just my ignorance.

> For the benefit of other readers, '.' in a regular expression matches
> any character and '*' means zero or more instances of the previous
> atom.  See regex(7) for more details.

I read that, but it's still not clear to me.  I need to let it marinate
a bit longer I think.

thanks,
jc

-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
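Added example (not part of the thread, and not logcheck's own code): a small Python harness that runs the pattern quoted above, and a grouped and anchored variant, over the four auth.log lines from the post plus two constructed lines that should not be ignored. It assumes logcheck applies ignore rules as extended regular expressions with an unanchored grep-style search, which Python's `re.search` approximates; alternation (`|`) has the lowest precedence in both, so the ungrouped form splits into three independent alternatives, the last being the bare word `mail`. The tightened pattern also narrows `\[.*\]` to `\[[0-9]+\]` and anchors both ends, which goes one step beyond the thread's suggestion.

```python
import re

# Constructed sample input: the first four lines are the ones quoted in the
# thread, the last two are added here and must NOT be ignored.
SAMPLE_LINES = [
    "CRON[15302]: (pam_unix) session opened for user root by (uid=0)",
    "CRON[15302]: (pam_unix) session closed for user root",
    "CRON[15613]:(pam_unix) session opened for user mail by (uid=0)",
    "CRON[15613]:(pam_unix) session closed for user mail",
    "sshd[2201]: Accepted password for mail from 10.0.0.5 port 4433 ssh2",  # constructed
    "CRON[15700]: (pam_unix) session opened for user backup by (uid=0)",    # constructed
]

# Pattern exactly as suggested in the thread. Because '|' binds loosest, this
# is really three alternatives:
#   CRON\[.*\]:( )?\(pam_unix\) session (opened)
#   (closed) for user (root)
#   (mail)
LOOSE = r"CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)"

# Grouped alternation, numeric pid, optional "by (uid=0)" suffix, anchored at
# both ends so the whole line must be the expected cron/pam message.
TIGHT = (
    r"^CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) "
    r"for user (root|mail)( by \(uid=0\))?$"
)


def ignored(pattern, lines):
    """Return the lines an ignore rule would drop (unanchored search, like egrep)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def report(pattern, lines):
    """Return (ignored_count, surviving_lines) for a quick look at a rule's reach."""
    dropped = ignored(pattern, lines)
    return len(dropped), [line for line in lines if line not in dropped]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("tight", TIGHT)):
        count, survivors = report(pat, SAMPLE_LINES)
        print(f"{name}: ignores {count} of {len(SAMPLE_LINES)} lines")
        for line in survivors:
            print("  still reported:", line)
```

Running it shows the loose rule silently drops all six lines, including the sshd login (it contains the word `mail`) and a cron session for an unexpected user, while the tight rule drops only the four expected lines and lets the other two reach the report.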