
Re: logcheck oddity



On Mon, Aug 09, 2004 at 03:03:43PM -0400, Stephen Gran wrote:
> This one time, at band camp, Juha Pahkala said:
> > Hello,
> > 
> > I've just installed logcheck on my debian-testing system. I'm having some
> > odd problems with the *ignore.server/cron filters. I'm trying to filter
> > out the entries that cron makes in syslog. These include in my case the
> > following lines
> > 
> > Aug  9 16:35:01 server /USR/SBIN/CRON[1041]: (root) CMD (/root/bin/util/check_irexec)
> > Aug  9 16:35:01 server /USR/SBIN/CRON[1042]: (root) CMD (/root/bin/util/check_mythbackend)
> > Aug  9 16:40:01 server /USR/SBIN/CRON[1103]: (root) CMD (/root/bin/util/check_irexec)
> > Aug  9 16:40:01 server /USR/SBIN/CRON[1104]: (root) CMD (/root/bin/util/check_mythbackend)
> > 
> > i.e. every five minutes a check that the relevant processes are alive. And
> > the line in the default installation:
> > 
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)$
> > 
> > works for the check_mythbackend script, but for some reason it doesn't
> > filter out the check_irexec script entries although they are virtually the
> > same. It doesn't look like it's a problem with the regex, so what could it
> > be?
> 
> Just a guess - it's being picked up because of the match on 'exec' -
> IIRC logcheck reports that in Security Violations.  Try changing the
> name of the script, or adding that regex to a file under
> violations.ignore.d/

This is likely the issue.  The line that reads "rexec" would effectively mark
this as a violation.

The solution is to add the regex to a file in violations.ignore.d/

Also note: this default override behavior may be changed [0] in post-sarge
releases.

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=254542

Cheers,

-- 
[   Todd J. Troxell                                         ,''`.
      Student, Debian GNU/Linux Developer, SysAdmin, Geek  : :' :
      http://debian.org || http://rapidpacket.com/~xtat    `. `' 
                                                             `-     ]
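
Added example (not part of the original message and not logcheck's own code): a simplified shell model of the layering described in this thread, where a line that hits a violations keyword is only suppressed by a violations.ignore rule, never by an ignore.d.server rule. The file names under $work are placeholders; the log lines, the "rexec" keyword and the cron rule are the ones quoted above.

```shell
#!/bin/sh
# Simplified model of the filter layering discussed in this thread.
# Not logcheck's own code; file names under $work are placeholders.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Two of the cron lines quoted in the thread, unwrapped.
cat > "$work/syslog" <<'EOF'
Aug  9 16:35:01 server /USR/SBIN/CRON[1041]: (root) CMD (/root/bin/util/check_irexec)
Aug  9 16:35:01 server /USR/SBIN/CRON[1042]: (root) CMD (/root/bin/util/check_mythbackend)
EOF

# The violations keyword named in the reply.
echo 'rexec' > "$work/violations"

# The default cron rule quoted in the thread (ignore.d.server).
cat > "$work/ignore.server" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([[:alnum:]-]+\) CMD \(.*\)$
EOF

# Before the fix: violations.ignore holds only an unrelated, constructed rule.
echo 'unrelated-constructed-rule' > "$work/violations.ignore.before"
# After the fix: the cron rule is also present in violations.ignore.
cp "$work/ignore.server" "$work/violations.ignore.fixed"

# report VIOLATIONS_IGNORE_FILE: print each line that would still be reported.
report() {
    # Layer 1: violations matches are only suppressed by violations.ignore.
    grep -E -f "$work/violations" "$work/syslog" |
        grep -E -v -f "$1" | sed 's/^/SECURITY: /'
    # Layer 2: everything else is filtered by the ignore.server rules.
    grep -E -v -f "$work/violations" "$work/syslog" |
        grep -E -v -f "$work/ignore.server" | sed 's/^/SYSTEM: /'
}

# reported_count VIOLATIONS_IGNORE_FILE: number of lines that survive filtering.
reported_count() { report "$1" | wc -l | tr -d ' '; }

echo "before fix: $(reported_count "$work/violations.ignore.before") line(s) reported"
report "$work/violations.ignore.before"
echo "after fix:  $(reported_count "$work/violations.ignore.fixed") line(s) reported"
```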
