On Tue, Dec 09, 2008 at 12:28:25PM +0100, Paolo wrote:
> >  ignore.d.server rules won't filter out security events. I guess it's
> > matched as such because of the contained /failure/ in the line. I'm not

FWIW, this will no longer be the case with logcheck 1.3.x.

> which is fine for stock sysklogd, but socklog's format is eg
> 
> /var/log/socklog/main/current
> auth.info: Dec  9 02:39:01 CRON[31998]: (pam_unix) session closed for user 
> root

Ouch.

> /var/log/socklog-klog/main/current
> 2008-12-03_16:50:42.17649 kern.warn: ide: failed opcode was: unknown

Yuck.  (Why would socklog choose two different formats anyway?)

> While I did change patterns in ignore.d.server/*, I overlooked those in
> violations.ignore.d/*  :-}

Are you saying you updated *all* rules files to that syntax?  How do you
keep your sanity when a new version of logcheck is released?


-- 
* liiwi takes the whip and eyes pasc
< pasc> ohh!!! kinky!
< pasc> how convenient, I was just about to call in sick at work ;-)
                -- in #debian-devel
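As an added illustration (not code from the thread or from the logcheck package): a small Python check showing why a sysklogd-style ignore rule misses socklog's "facility.priority: " prefix, and one way to write a rule that accepts both formats. The sample lines are constructed from the formats quoted above, and the patterns are modelled on logcheck's rule style rather than copied from it.

```python
import re

# Constructed sample lines, modelled on the two formats quoted in the thread.
SYSKLOGD_LINE = "Dec  9 02:39:01 myhost CRON[31998]: (pam_unix) session closed for user root"
SOCKLOG_LINE = "auth.info: Dec  9 02:39:01 CRON[31998]: (pam_unix) session closed for user root"
SOCKLOG_KLOG_LINE = "2008-12-03_16:50:42.17649 kern.warn: ide: failed opcode was: unknown"

# Sysklogd-style rule (assumed, modelled on logcheck's conventions):
# syslog timestamp, a hostname, then the program field.
STOCK_RULE = re.compile(
    r"^\w{3} [ :0-9]{11} [\w.-]+ CRON\[[0-9]+\]: "
    r"\(pam_unix\) session closed for user root$"
)

# Adapted rule: an optional "facility.priority: " prefix as socklog writes it,
# and an optional hostname, so the same rule covers both log formats.
SOCKLOG_RULE = re.compile(
    r"^(?:[a-z0-9]+\.[a-z]+: )?\w{3} [ :0-9]{11} (?:[\w.-]+ )?CRON\[[0-9]+\]: "
    r"\(pam_unix\) session closed for user root$"
)


def is_ignored(line, rules):
    """True if any ignore rule matches the line (logcheck drops such lines)."""
    return any(rule.search(line) for rule in rules)


def unfiltered(lines, rules):
    """Return the lines that would still be reported after applying the rules."""
    return [line for line in lines if not is_ignored(line, rules)]


if __name__ == "__main__":
    sample = [SYSKLOGD_LINE, SOCKLOG_LINE, SOCKLOG_KLOG_LINE]
    print("with stock rule, still reported:", unfiltered(sample, [STOCK_RULE]))
    print("with adapted rule, still reported:", unfiltered(sample, [SOCKLOG_RULE]))
```

The klog line stays unfiltered under both rules because its timestamp format differs again, which is why socklog users end up touching every rules file.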

_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel