problem with logcheck rules
Hi,
I am running logcheck 1.2.28 but am unable to modify the rules to prevent
certain information being mailed to me. I get loads of messages like the
following in the System Events section of the email:
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0)
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0)
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root
After reading the information in /usr/share/doc/logcheck-database, I made a
file 'local' in /etc/logcheck/ignore.d.server that contains the following
lines:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user mail$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user mail by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \(uid=[0-9]+\)$
But this had no effect at all. I then placed this file in
/etc/logcheck/violations.ignore.d/local but it also had no effect there. As
far as I can tell, my rules files in the /etc/logcheck directories are having
no effect. These rules do find the relevant lines when I use them manually
with egrep. My /etc/logcheck/logcheck.conf file contains the following:
REPORTLEVEL="server"
SENDMAILTO="ric"
RULEDIR="/etc/logcheck"
ATTACKSUBJECT="Attack Alerts"
SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"
I am also puzzled that I still get a System Events subject line section, even
though this line is commented out in logcheck.conf.
Any suggestions would be appreciated; I've tried many different regexps
in the files, and nothing seems to work. Thanks,
Ric
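The check a logcheck user wants before blaming the rule directories: confirm that every rule compiles as an extended regexp and that, applied the way logcheck applies them (egrep -v -f over the log), they actually drop the quoted lines. This is an added example, not code from the post or from logcheck; the log lines and the extra www-data line are constructed, and the rules are the poster's four rules written on single lines.

```shell
#!/bin/sh
# Added example: validate logcheck ignore rules and apply them like logcheck does.

# Log lines constructed from the ones quoted in the post, plus one line the
# rules do not cover (user www-data) so that something survives the filter.
LOG='Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0)
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0)
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root
Nov 24 01:10:01 phil cron(pam_unix)[4790]: session opened for user www-data by (uid=0)'

# The four ignore rules from the post, one per line (a rule file is line-based).
RULES='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user mail$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user mail by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \(uid=[0-9]+\)$'

# A rule with an unescaped "(" (unbalanced group): egrep rejects the whole file,
# so a single typo like this silently disables every rule in that file.
BROKEN_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \ (uid=[0-9]+\)$'

# check_rules RULES: compile each rule on its own; egrep exits 2 on a bad regexp.
check_rules() {
    status=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        rc=0
        printf '' | grep -E -e "$rule" >/dev/null 2>&1 || rc=$?
        if [ "$rc" -eq 2 ]; then
            printf 'invalid rule: %s\n' "$rule" >&2
            status=1
        fi
    done <<EOF
$1
EOF
    return $status
}

# apply_ignore RULES LOG: what logcheck does with an ignore.d file, egrep -v -f.
apply_ignore() {
    rulefile=$(mktemp)
    printf '%s\n' "$1" > "$rulefile"
    # exit status 1 only means every line was ignored, which is not an error here
    printf '%s\n' "$2" | grep -E -v -f "$rulefile" || true
    rm -f "$rulefile"
}

# count_remaining RULES LOG: number of lines logcheck would still report.
count_remaining() {
    apply_ignore "$1" "$2" | wc -l | tr -d ' '
}

if check_rules "$RULES"; then
    printf 'lines still reported after the ignore rules:\n'
    apply_ignore "$RULES" "$LOG"
fi
```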