On Thu, 15 Apr 2004 02:01, Jeff Coppock <[EMAIL PROTECTED]> wrote:
> I'm having trouble with getting entries here to work. I have the
> following /var/log/auth.log messages that I want to filter out of
> logcheck (version 1.2.16, sarge):
>
> CRON[15302]: (pam_unix) session opened for user root by (uid=0)
> CRON[15302]: (pam_unix) session closed for user root
> CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
> CRON[15613]:(pam_unix) session closed for user mail
>
> So, I have the following entry in /etc/logcheck/logcheck.ignore:

Try this one:

    CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)

You hadn't accounted for the optional space after the ':' (or was that a
typo?), the "\[.*\]" part is better than just a ".*" (imagine if you could
fool cron about the user-name to log), also a ".*" on the end is redundant.

For having two different words match you need to put each word in braces,
"(opened|closed)" is the same as "opene(d|c)losed".

For the benefit of other readers, '.' in a regular expression matches any
character and '*' means zero or more instances of the previous atom. See
regex(7) for more details.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
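
Added example, not part of the original message: logcheck's ignore files hold egrep-style extended regular expressions (see regex(7)), so `grep -E` shows how the alternation in the pattern above binds and which lines a rule would suppress from the report. The sample log lines, the grouped comparison pattern and the helper names `suppressed` and `reported` are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not taken from the original thread).
SAMPLE='Apr 15 02:01:01 host CRON[15302]: (pam_unix) session opened for user root by (uid=0)
Apr 15 02:01:01 host CRON[15302]: (pam_unix) session closed for user root
Apr 15 02:05:01 host CRON[15613]:(pam_unix) session opened for user mail by (uid=0)
Apr 15 02:05:01 host CRON[15613]:(pam_unix) session closed for user mail
Apr 15 02:07:13 host sshd[2201]: (pam_unix) authentication failure; user=mail rhost=192.0.2.7
Apr 15 02:09:44 host CRON[15700]: (pam_unix) session opened for user www-data by (uid=0)'

# Pattern exactly as posted in the reply above.
POSTED='CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail)'

# Comparison pattern (assumption): same text, but each alternation sits
# inside a single group, so "|" only chooses between the two words.
GROUPED='CRON\[.*\]:( )?\(pam_unix\) session (opened|closed) for user (root|mail)'

# Number of sample lines that an ignore rule with this pattern would suppress.
suppressed() { printf '%s\n' "$SAMPLE" | grep -E -c -- "$1" || true; }

# Sample lines that would still reach the logcheck report.
reported() { printf '%s\n' "$SAMPLE" | grep -E -v -- "$1" || true; }

echo "posted:  $(suppressed "$POSTED") of 6 lines suppressed"
echo "grouped: $(suppressed "$GROUPED") of 6 lines suppressed"
echo "still reported with the grouped pattern:"
reported "$GROUPED"
```

In an extended regular expression `|` binds more loosely than concatenation, so the posted pattern is read as three alternatives, the last being just `(mail)`; on the constructed sample it suppresses the sshd authentication failure and the www-data cron session along with the four intended lines.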

