Thank you for reporting this bug and helping to make Ubuntu better. As far as I can tell, the line you've provided should be matched by the following line, from /etc/logcheck/ignore.d.paranoid/cron:
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?$ For my locale I used this as test log file input: Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0) I created this by creating a cronjob to run every minute. After the log line appeared, I also tried "sudo -u logcheck logcheck -o -t" and the line was *not* reported (matching expected behaviour). Additionally, logcheck-test output is as follows: # logcheck-test -q -l ~/test.log -r /etc/logcheck/ignore.d.paranoid/cron && echo match Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0) match So it looks like that line is matching as expected. logcheck(8) says: > The ignore rules work in additive manner. "paranoid" rules are also included at level "server". "workstation" level includes both "paranoid" and "server" rules. Therefore, if it matches paranoid rules, it should be sufficient for all settings. I see from your report that you have extensive logcheck configuration customisations. Is this interfering with this expectation somehow? It might be that ignore.d.server/logcheck could be improved with the newer PAM patterns, but to justify making a specific change in Ubuntu directly I need a specific failure case that I can reproduce please. Otherwise, code quality improvements should probably be sent as merge requests directly to https://salsa.debian.org/debian/logcheck instead. Since I cannot reproduce the behaviour you're experiencing, I'm marking the bug as Incomplete for Ubuntu. If this turns out to be a local configuration issue, please set the status as Invalid. If you can provide steps to reproduce or have a correction to make to my analysis, please do that in a comment and then change the status back to New. Thanks! ** Changed in: logcheck (Ubuntu) Status: Triaged => Incomplete ** Changed in: logcheck (Ubuntu) Assignee: Robie Basak (racb) => (unassigned) ** Tags removed: server-todo ** Tags removed: bitesize -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2059857 Title: logcheck report flooded with cron session lines To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logcheck/+bug/2059857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs