Thank you for reporting this bug and helping to make Ubuntu better.

As far as I can tell, the line you've provided should be matched by the
following line, from /etc/logcheck/ignore.d.paranoid/cron:

^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?$

For my locale I used this as test log file input:

Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)

I created this by creating a cronjob to run every minute. After the log
line appeared, I also tried "sudo -u logcheck logcheck -o -t" and the
line was *not* reported (matching expected behaviour).

Additionally, logcheck-test output is as follows:

# logcheck-test -q -l ~/test.log -r /etc/logcheck/ignore.d.paranoid/cron && echo match
Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
match

So it looks like that line is matching as expected.

logcheck(8) says:

> The ignore rules work in additive manner. "paranoid" rules are also
> included at level "server". "workstation" level includes both "paranoid"
> and "server" rules.

Therefore, if it matches paranoid rules, it should be sufficient for all
settings. I see from your report that you have extensive logcheck
configuration customisations. Is this interfering with this expectation
somehow?

It might be that ignore.d.server/logcheck could be improved with the
newer PAM patterns, but to justify making a specific change in Ubuntu
directly I need a specific failure case that I can reproduce please.
Otherwise, code quality improvements should probably be sent as merge
requests directly to https://salsa.debian.org/debian/logcheck instead.

Since I cannot reproduce the behaviour you're experiencing, I'm marking
the bug as Incomplete for Ubuntu. If this turns out to be a local
configuration issue, please set the status as Invalid. If you can
provide steps to reproduce or have a correction to make to my analysis,
please do that in a comment and then change the status back to New.
Thanks!

** Changed in: logcheck (Ubuntu)
       Status: Triaged => Incomplete

** Changed in: logcheck (Ubuntu)
     Assignee: Robie Basak (racb) => (unassigned)

** Tags removed: server-todo

** Tags removed: bitesize

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059857

Title:
  logcheck report flooded with cron session lines
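
The check described in the comment above, as an added example that is not part of the original message or of logcheck: it applies the quoted ignore rule with `grep -E` and separates suppressed lines from lines that would still be reported. Assumptions: GNU grep (for `\w`) approximates how logcheck evaluates the rule, and every sample line except the first is constructed here.

```shell
#!/bin/sh
# Added example, not from the bug report or from logcheck.
# Assumption: grep -E (GNU grep, for \w) approximates logcheck's rule matching.

# Rule quoted in the message from /etc/logcheck/ignore.d.paranoid/cron,
# joined onto a single line.
RULE='^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?$'

# Sample input. Line 1 is the log line from the message; lines 2-4 are
# constructed for this example:
#   2: 32-character RFC 3339 timestamp, no uid suffixes (all optional groups absent)
#   3: 25-character timestamp, which fits neither timestamp alternative
#   4: user name containing "_", which is outside [[:alnum:]-]
sample_log() {
cat <<'EOF'
Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
2024-04-05T14:57:01.123456+00:00 logcheck CRON[6191]: pam_unix(cron:session): session closed for user root
2024-04-05T14:57:01+00:00 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user backup_user(uid=1001) by (uid=0)
EOF
}

# Lines the rule suppresses.
ignored() { sample_log | grep -E -e "$RULE"; }

# Lines that survive the rule and would still show up in a report.
reported() { sample_log | grep -E -v -e "$RULE"; }

echo "ignored:";  ignored  | sed 's/^/  /'
echo "reported:"; reported | sed 's/^/  /'
```

Because the rule is anchored at both ends, a changed timestamp format or an unexpected character in the user name is enough to move a line from the ignored set to the reported set.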
