> Date: Wed, 14 Apr 2004 11:27:55 -0700
> From: Jeff Coppock <[EMAIL PROTECTED]>
>
> On Thu, 15 Apr 2004 03:49:35 +1000
> Russell Coker <[EMAIL PROTECTED]> wrote:
>
> > On Thu, 15 Apr 2004 02:01, Jeff Coppock <[EMAIL PROTECTED]> wrote:
> > > I'm having trouble with getting entries here to work. I have the
> > > following /var/log/auth.log messages that I want to filter out of
> > > logcheck (version 1.2.16, sarge):
> > >
> > > CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> > > CRON[15302]: (pam_unix) session closed for user root
> > > CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> > > CRON[15613]:(pam_unix) session closed for user mail
> > >
> > > So, I have the following entry in /etc/logcheck/logcheck.ignore:
> >
> > Try this one:
> >
> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)

Careful about the parentheses. See below.

> Trying it now. I'm not sure about the use of the logcheck.ignore file
> since when I run logcheck -d (debug mode), I don't see that file being
> accessed. I'll try using the cron file in the ignore.d.server
> directory.
>
> > You hadn't accounted for the optional space after the ':' (or was that
> > a typo?), the "\[.*\]" part is better than just a ".*" (imagine if you
> > could fool cron about the user-name to log), also a ".*" on the end is
> > redundant.

This:

> > For having two different words match you need to put each
> > word in braces, "(opened|closed)" is the same as "opene(d|c)losed".

is probably not true. At least it isn't in woody, and I would regard it
a bug if that suddenly changed. It would also be a highly unusual
implementation of regular expressions. For example, I have in
/etc/logcheck/ignore.d/local a working entry:

anacron\[[0-9]+\]: Job `cron\.(daily|weekly|monthly)' (started|terminated)$

that would break if this were suddenly true.

To turn it around, you could match your 4 lines for example like this:

CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user (mail|root)( by \(uid=0\))?

> Okay, use of the braces makes sense. That space thing wasn't a typo,
> just my ignorance.

I think it will just have been the space. You could just add a "?" after
the ": " in your original expression (which would bind to the space only,
in the absence of parentheses).

Regards,
Marco
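The point Marco makes about parentheses is worth seeing on real input, because an ignore rule that is too broad silently hides log lines logcheck should have reported. The script below is an added example, not part of the thread: it feeds the two rules posted above to grep -E (the thread treats them as extended regexes, which is assumed here) and counts how many lines each one suppresses. The four CRON lines are the ones Jeff posted; the postfix, sshd and CRON[abc] lines are constructed to probe for false positives. In the unparenthesised rule, the top-level | splits the whole pattern into three alternatives, the last of which is the bare word "mail", so any line containing "mail" anywhere is matched and dropped.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the two
# logcheck ignore rules from the discussion against sample log lines.
# Assumes the rules are evaluated as grep -E extended regular expressions.

# Russell's rule as posted: the | operators are not grouped, so the
# pattern really is  A | B | C  with C being just "mail".
RULE_RUSSELL='CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)'

# Marco's rule: alternation confined to groups, PID restricted to digits,
# optional trailing " by (uid=0)".
RULE_MARCO='CRON\[[0-9]+\]: ?\(pam_unix\) session (opened|closed) for user (mail|root)( by \(uid=0\))?'

# Sample auth.log lines. The four CRON lines are from the thread; the
# remaining three are constructed here to expose over-broad matching.
sample_log() {
    cat <<'EOF'
CRON[15302]: (pam_unix) session opened for user root by (uid=0)
CRON[15302]: (pam_unix) session closed for user root
CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
CRON[15613]:(pam_unix) session closed for user mail
postfix/smtpd[2201]: connect from mail.example.invalid[192.0.2.10]
sshd[2233]: Failed password for invalid user mail from 192.0.2.10 port 4022 ssh2
CRON[abc]: (pam_unix) session opened for user root by (uid=0)
EOF
}

# count_ignored RULE: number of sample lines the rule would suppress.
count_ignored() {
    sample_log | grep -E -c -- "$1" || true
}

# count_leaked RULE: number of sample lines that survive, i.e. what
# logcheck would still report.
count_leaked() {
    sample_log | grep -E -v -c -- "$1" || true
}

# leaked RULE: the surviving lines themselves.
leaked() {
    sample_log | grep -E -v -- "$1" || true
}

# Stand-alone run: summarise both rules.
for rule in "$RULE_RUSSELL" "$RULE_MARCO"; do
    echo "rule: $rule"
    echo "  suppressed: $(count_ignored "$rule")  reported: $(count_leaked "$rule")"
done
```

Run as written, the unparenthesised rule suppresses all seven lines, including the constructed sshd failed-login line, purely because it contains the word "mail". Marco's rule suppresses only the four cron lines and lets the other three through; note that `\[[0-9]+\]` is also what rejects the forged-looking `CRON[abc]` line that `\[.*\]` would have accepted.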