If the action is expected, then create a local rule that suppresses that alert for the hostname and program_name.

On Sun, Mar 11, 2012 at 11:03, Hugo Deprez <[email protected]> wrote:
> Dear community,
>
> Each day I get an alert from the rule 40101 :
>
> fired (level 12) -> "System user successfully logged to the system."
>
> Portion of the log(s):
>
> Mar 11 15:53:38 server su[15522]: + ??? root:nobody
>
> I found the script responsible for this :
>
> /etc/cron.daily/locate
>
> This script is using user nobody, which is causing the message.
>
> How do you deal with this alert ? Deleting the user nobody from the rules
> doesn't appear as a proper solution.
>
> Regards,
>
> Hugo

--
Registered Linux User # 379282
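
A local rule of the kind suggested in the reply, as an added example that is not part of the original thread. The rule ID 100101, the group name and the extra `<match>` restriction are assumptions chosen for illustration; the hostname and program name are taken from the quoted log line.

```xml
<!-- local_rules.xml: added example, not from the original thread -->
<group name="local,syslog,">

  <!-- Child of rule 40101. Level 0 means the event is matched but no alert
       is generated. The ID 100101 is an assumed value from the range OSSEC
       reserves for user-defined rules (100000 and above). -->
  <rule id="100101" level="0">
    <if_sid>40101</if_sid>

    <!-- Limit the suppression to the host and program seen in the log. -->
    <hostname>server</hostname>
    <program_name>su</program_name>

    <!-- Assumed extra restriction: only the root-to-nobody switch made by
         /etc/cron.daily/locate is silenced. Any other su to a system
         account on this host still raises rule 40101 at level 12. -->
    <match>root:nobody</match>

    <description>Expected su root:nobody from the daily locate cron job.</description>
  </rule>

</group>
```

Feeding the log line from the alert to `ossec-logtest` shows which rule fires, so the suppression can be checked before OSSEC is restarted.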
