Re: logcheck.ignore entries

To: debian-security@lists.debian.org
Subject: Re: logcheck.ignore entries
From: Jeff Coppock <jcoppock1@comcast.net>
Date: Wed, 14 Apr 2004 14:19:58 -0700
Message-id: <[🔎] 20040414141958.7d21a78a.jcoppock1@comcast.net>
In-reply-to: <[🔎] c5k7a7$2iriu$1@ID-20530.news.uni-berlin.de>
References: <[🔎] 20040414090154.0eccb1ba.jcoppock1@comcast.net> <[🔎] 200404150349.35353.russell@coker.com.au> <[🔎] c5k7a7$2iriu$1@ID-20530.news.uni-berlin.de>

On 14 Apr 2004 20:35:19 GMT
Paul Hink <email@p-hink.de> wrote:

> Russell Coker <russell@coker.com.au> wrote:
> 
> > Try this one:
> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> > (root)|(mail)
> 
> > [...]
> 
> > For having two different words match you need to put each word in
> > braces, "(opened|closed)" is the same as "opene(d|c)losed".
> 
> No!
>  
> "session (opened|closed) for user" matches "session opened for user"
> and "session closed for user" which is what is needed here. "session
> (opened)|(closed) for user" matches "session opened" and "closed for
> user" which does not make much sense in this context.

Using either variation appears to be working, but that's most likely
due to the simplicity of the message.

Based on your description, it makes more sense to me to use
"(opened|closed)".

jc

-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User

Reply to:

Follow-Ups:
- Re: logcheck.ignore entries
  - From: Paul Hink <email@p-hink.de>

References:
- logcheck.ignore entries
  - From: Jeff Coppock <jcoppock1@comcast.net>
- Re: logcheck.ignore entries
  - From: Russell Coker <russell@coker.com.au>
- Re: logcheck.ignore entries
  - From: Paul Hink <email@p-hink.de>

Prev by Date: Security holes in 2.4.25?
Next by Date: Re: Server slowdown...
Previous by thread: Re: logcheck.ignore entries
Next by thread: Re: logcheck.ignore entries
Index(es):
- Date
- Thread