Re: logcheck.ignore entries
On Wed, 14 Apr 2004 20:06:02 +0100
Marco Franzen <Marco.Franzen@bigfoot.com> wrote:
> > Date: Wed, 14 Apr 2004 11:27:55 -0700
> > From: Jeff Coppock <jcoppock1@comcast.net>
>
> > On Thu, 15 Apr 2004 03:49:35 +1000
> > Russell Coker <russell@coker.com.au> wrote:
> >
> > > On Thu, 15 Apr 2004 02:01, Jeff Coppock <jcoppock1@comcast.net>
> > > wrote:
> > > > I'm having trouble with getting entries here to work. I have
> > > > the following /var/log/auth.log messages that I want to filter
> > > > out of logcheck (version 1.2.16, sarge):
> > > >
> > > > CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> > > > CRON[15302]: (pam_unix) session closed for user root
> > > > CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> > > > CRON[15613]:(pam_unix) session closed for user mail
> > > >
> > > > So, I have the following entry in /etc/logcheck/logcheck.ignore:
> > >
> > > Try this one:
> > > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user
> > > (root)|(mail)
>
> Careful about the parentheses. See below.
>
> > Trying it now. I'm not sure about the use of the logcheck.ignore
> > file since when I run logcheck -d (debug mode), I don't see that
> > file being accessed. I'll try using the cron file in the
> > ignore.d.server directory.
> >
> > > You hadn't accounted for the optional space after the ':' (or was
> > > that a typo?), the "\[.*\]" part is better than just a ".*"
> > > (imagine if you could fool cron about the user-name to log), also
> > > a ".*" on the end is redundant.
>
> This:
>
> > > For having two different words match you need to put each
> > > word in braces, "(opened|closed)" is the same as
> > > "opene(d|c)losed".
>
> is probably not true. At least it isn't in woody, and I would regard
> it a bug if that suddenly changed. It would also be a highly unusual
> implementation of regular expressions.
>
> For example, I have in /etc/logcheck/ignore.d/local a working entry:
>
> anacron\[[0-9]+\]: Job `cron\.(daily|weekly|monthly)'
> (started|terminated)$
>
> that would break if this were suddenly true.
Well, I just confirmed that it is true. I placed the entry suggested by
Russell in /etc/logcheck/ignore.d.server/cron and it is working. I still
see other auth messages such as for ssh and su, but those CRON messages
are pleasantly absent from logcheck's email updates.
There must have been a considerable change in Sarge/Testing, since that
is what I run.
> To turn it around, you could match your 4 lines for example like this:
>
> CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user
> (mail|root)( by \(uid=0\))?
>
> > Okay, use of the braces makes sense. That space thing wasn't a
> > typo, just my ignorance.
>
> I think it will just have been the space.
>
> You could just add a "?" after the ": " in your original expression
> (which would bind to the space only, in the absence of parentheses).
>
> Regards,
> Marco
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
--
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User
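As an added example (not part of the thread), the following shell script feeds both patterns quoted above to grep -E, which speaks the same POSIX ERE dialect as the egrep that logcheck runs over its ignore files, and applies them to a handful of constructed auth.log lines. It shows that the unparenthesised form "session (opened)|(closed) for user (root)|(mail)" is parsed as three top-level alternatives and therefore also suppresses an sshd login and an su session that have nothing to do with cron, while the grouped form matches only the four intended CRON messages. The PIDs, address and extra lines are made up for the example.

```shell
#!/bin/sh
# Constructed sample lines modelled on the auth.log messages in the thread.
# Lines 5 to 7 are unrelated messages that an ignore rule must not swallow.
SAMPLE_LOG='CRON[15302]: (pam_unix) session opened for user root by (uid=0)
CRON[15302]: (pam_unix) session closed for user root
CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
CRON[15613]:(pam_unix) session closed for user mail
sshd[2210]: Accepted password for mail from 192.0.2.7 port 4022 ssh2
su[2311]: (pam_unix) session closed for user root
cron[15999]: (pam_unix) session opened for user root by (uid=0)'

# Pattern as suggested by Russell: ERE reads "A|B|C" at the top level, so this is
#   CRON\[.*\]:( )?\(pam_unix\) session (opened)   OR
#   (closed) for user (root)                       OR
#   (mail)
TOP_LEVEL_ALT='CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)'

# Pattern as suggested by Marco: alternation confined to its parentheses.
GROUPED_ALT='CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user (mail|root)( by \(uid=0\))?'

# matched_lines PATTERN: print every sample line the ignore rule would suppress.
# grep exits 1 when nothing matches; "|| :" keeps that from aborting under set -e.
matched_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" || :
}

# count_matches PATTERN: number of sample lines the rule would suppress.
count_matches() {
    matched_lines "$1" | grep -c '' || :
}

# leaked_lines PATTERN: suppressed lines that are not CRON messages at all,
# i.e. the collateral damage of an over-broad ignore rule.
leaked_lines() {
    matched_lines "$1" | grep -v '^CRON\[' || :
}

echo "top-level alternation suppresses $(count_matches "$TOP_LEVEL_ALT") of 7 lines; leaked:"
leaked_lines "$TOP_LEVEL_ALT"
echo "grouped alternation suppresses $(count_matches "$GROUPED_ALT") of 7 lines; leaked:"
leaked_lines "$GROUPED_ALT"
```

Running it prints 6 suppressed lines for the first pattern (the sshd and su lines among them) and exactly 4 for the second, with nothing leaked. Since logcheck does not anchor rules, a pattern matches anywhere in the line, so a stray top-level "(mail)" is enough to hide every message mentioning that user; checking a new ignore rule against a mixed sample like this before installing it is the cheapest way to catch that.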