Re: logcheck.ignore entries
On Wed, 14 Apr 2004 15:49:00 -0400
Brian Clark <brianj@unwell.org> wrote:
> Hi Jeff,
>
> On Wed, Apr 14, 2004 at 09:01:54AM -0700, Jeff Coppock wrote:
>
> > CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> > CRON[15613]:(pam_unix) session closed for user mail
>
> Were those listed as Security problems or Unusual Events by logcheck?
Neither. They are listed under "System Events". I don't appear to have
that heading.
See my other email, Russel's suggested entry is working for me.
> > So, I have the following entry in /etc/logcheck/logcheck.ignore:
>
> I'm running sarge, and I'm using:
>
> /etc/logcheck# ls -1
> cracking.d
> ignore.d.paranoid
> ignore.d.server
> ignore.d.workstation
> logcheck.conf
> logcheck.logfiles
> violations.d
> violations.ignore.d
>
> /etc/logcheck# grep REPORTLEVEL logcheck.conf
> REPORTLEVEL="server"
That's what I have as well. I guess the "logcheck.ignore" file
is no longer used in Sarge/Testing.
> So for Unusual Events notifications, I stick rules in ignore.d.server.
> For Security Violations, I stick rules in violations.ignore.d.
>
> > CRON.*: \(pam_unix\) session (opened|closed) for user (root|mail) .*
>
> I placed that in a file called local-cron in the ignore.d.server
> directory, with the following rule:
>
> ^\w{3}[ 0-9:]+ hostname CRON\[[0-9]+\]: \(pam_unix\) session opened for user (root|mail)$
I see the use of the first part of this entry on other entries, so I
duplicated that. I'm sure it'll continue to work. I'm leaving the
(opened):(closed) part as well.
> I replaced "hostname" above with my hostname, but you could use
> something like [._[:alnum:]-]+ probably.
>
> --
> Brian Clark
>
--
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
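An added example, not part of the thread above, showing how a rule in ignore.d.server behaves: logcheck drops every line that matches any pattern in the ignore files (it runs the rules through grep -E -v -f) and reports whatever is left. The log lines and the hostname "myhost" are constructed for this example. The rules follow Brian's pattern with two changes worth noting: [[:alpha:]]{3} is used as the portable spelling of \w{3}, the hostname is matched with the generic [._[:alnum:]-]+ class he suggested, and the "opened" rule keeps the trailing " by \(uid=0\)" because Jeff's sample line ends that way, so a rule anchored with $ directly after (root|mail) would not match it.

```sh
#!/bin/sh
# Added example (not from the original thread): run a logcheck-style
# ignore file over constructed syslog lines the way logcheck does.
set -e

WORK="${TMPDIR:-/tmp}/logcheck-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample syslog lines. The first three are routine cron
# session noise; the last two must NOT be silenced by the rules.
cat > "$WORK/syslog" <<'EOF'
Apr 14 09:01:01 myhost CRON[15613]: (pam_unix) session opened for user mail by (uid=0)
Apr 14 09:01:02 myhost CRON[15613]: (pam_unix) session closed for user mail
Apr 14 09:05:01 myhost CRON[15700]: (pam_unix) session opened for user root by (uid=0)
Apr 14 09:10:01 myhost CRON[15800]: (pam_unix) session opened for user backdoor by (uid=0)
Apr 14 09:11:01 myhost sshd[15900]: (pam_unix) session opened for user mail by (uid=0)
EOF

# Rules as they would sit in /etc/logcheck/ignore.d.server/local-cron.
# Both are anchored at ^ and $ and pin the program name, the PID bracket
# and the user, so only the exact routine lines are dropped.
cat > "$WORK/local-cron" <<'EOF'
^[[:alpha:]]{3}[ 0-9:]+ [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_unix\) session opened for user (root|mail) by \(uid=0\)$
^[[:alpha:]]{3}[ 0-9:]+ [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam_unix\) session closed for user (root|mail)$
EOF

# Lines logcheck would still include in the "System Events" report.
reported_lines() {
    grep -E -v -f "$WORK/local-cron" "$WORK/syslog" || true
}

# How many lines survive the ignore rules.
reported_count() {
    reported_lines | wc -l | tr -d ' '
}

# How many surviving lines mention the user that was never whitelisted.
reported_backdoor_count() {
    reported_lines | grep -c 'user backdoor' || true
}

reported_lines
```

Running it prints only the "backdoor" CRON line and the sshd line; the root and mail cron sessions are silenced. Before dropping a rule into ignore.d.server it is worth running the rule file against a day of real syslog in exactly this way and reading what disappears, since an over-broad pattern (for example one without the $ anchor or with .* in place of (root|mail)) would hide the last two lines as well.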