Re: logcheck.ignore entries
Jeff Coppock <jcoppock1@comcast.net> wrote:
> On 14 Apr 2004 20:35:19 GMT Paul Hink <email@p-hink.de> wrote:
>
>> Russell Coker <russell@coker.com.au> wrote:
>>
>> > Try this one:
>> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
>> > (root)|(mail)
>> [...]
>> "session (opened|closed) for user" matches "session opened for user"
>> and "session closed for user" which is what is needed here. "session
>> (opened)|(closed) for user" matches "session opened" and "closed for
>> user" which does not make much sense in this context.
>
> Using either variation appears to be working, but that's most likely
> due to the simplicity of the message.
Well,
CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)
matches every line matching one of the following expressions:
CRON\[.*\]:( )?\(pam_unix\) session (opened)
(closed) for user (root)
(mail)
So for example logcheck won't report any line containing the string
"mail" any more which probably is not what you want.
Paul
Reply to: