[Logcheck-devel] Bug#444470: /etc/logcheck/violations.ignore.d/logcheck-ssh: Updated "authentication failure" rule

Frédéric Brière fbriere at fbriere.net
Mon Mar 17 00:58:32 UTC 2008


In article <20080120021013.GA2871__36835.8155632906$1200797204$gmane$org at nexus.elho.net> you wrote:
> Looking at those two lines, they could just be different versions of
> the same thing, here are the commented differences:

Take my word: you'll live longer if you don't try to make sense of ssh
log messages.  (I *swear* I once got different messages by doing the
same thing on two servers running the same version with the same
configuration.)

> * the second omits the PID of the ssh daemon - mistake or did older
>   messages look like that? (the ones I see do have the PID)

Me too.  The second line comes from aa313203, a large (and pretty
recent) commit by Aaron M. Ucko.

> * the second does use the new PAM format - but does the part after
>   ssh: really need to match anything but auth?

I would guess so, since this line should be the result of pam_unix
failing during the auth phase.


As for the rest, I'll leave it to you to merge these two lines if you
wish.  Me, I'll just do the strict minimum and run away.


-- 
* JHM wonders what Joey did to earn "I'd just like to say, for the record,
  that Joey rules."
		-- Seen on #Debian





