[Logcheck-devel] Bug#545318: logcheck-database: please add rule for newgrp messages

Martin Mazur debian at teclabs.eu
Sun Sep 6 13:00:21 UTC 2009


Package: logcheck-database
Version: 1.2.69
Severity: wishlist

Hello,

when newgrp (part of the package login) is used, I see messages
like this in my syslog:

Aug 27 23:36:16 debian64 newgrp[1975]: user `root' (login `root' on tty1) switched to group `backup'

Aug 27 19:28:15 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1) switched to group `backup'
Aug 27 19:28:19 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1) returned to group `root'
Aug 27 19:32:37 srv1 newgrp[10132]: user `root' (login `mazur' on pts/0) switched to group `backup'
Aug 27 19:34:01 srv1 newgrp[10155]: user `root' (login `mazur' on pts/0) switched to group `backup'
Aug 27 19:34:18 srv1 newgrp[10155]: user `root' (login `mazur' on pts/0) returned to group `backup'
Aug 27 19:34:22 srv1 newgrp[10132]: user `root' (login `mazur' on pts/0) returned to group `root'
Aug 27 19:34:32 srv1 newgrp[10178]: user `root' (login `mazur' on pts/0) switched to group `backup'
Aug 27 19:34:55 srv1 newgrp[10178]: user `root' (login `mazur' on pts/0) returned to group `root'

The attached file contains a rule to ignore them. I've tested the rule and
it is working.

With best regards,

Martin

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

-- no debconf information
-------------- next part --------------
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ newgrp\[[0-9]+\]: user `[._[:alnum:]-]+' \(login `[._[:alnum:]-]+' on (pts/[0-9]+|tty[0-9]+)\) (returned|switched) to group `[._[:alnum:]-]+'$
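
Added example, not part of the original report or of logcheck: a shell check that runs the attached rule over sample lines, with `grep -E -f` as a stand-in for logcheck's filtering, to show which lines are suppressed and which would still be reported. The function names are hypothetical, and sample lines 4 to 6 are constructed here (single-digit day, trailing text after the closing quote, serial console `ttyS0`).

```shell
#!/bin/sh
# Added example: exercise the newgrp ignore rule from the report.
export LC_ALL=C   # fixed locale so \w and [:alnum:] behave the same everywhere

# The rule exactly as attached to the report.
write_rule() {
cat > "$1" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ newgrp\[[0-9]+\]: user `[._[:alnum:]-]+' \(login `[._[:alnum:]-]+' on (pts/[0-9]+|tty[0-9]+)\) (returned|switched) to group `[._[:alnum:]-]+'$
EOF
}

# Lines 1-3 come from the report (each re-joined onto one line).
# Lines 4-6 are constructed: single-digit day, trailing text after the
# closing quote, and a login on a serial console (ttyS0).
sample_log() {
cat <<'EOF'
Aug 27 23:36:16 debian64 newgrp[1975]: user `root' (login `root' on tty1) switched to group `backup'
Aug 27 19:28:15 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1) switched to group `backup'
Aug 27 19:28:19 srv1 newgrp[10082]: user `root' (login `mazur' on pts/1) returned to group `root'
Sep  6 13:00:21 srv1 newgrp[10200]: user `root' (login `mazur' on pts/0) switched to group `backup'
Aug 27 19:40:00 srv1 newgrp[10201]: user `root' (login `mazur' on pts/0) switched to group `backup' trailing-text
Aug 27 19:41:00 srv1 newgrp[10202]: user `root' (login `mazur' on ttyS0) switched to group `backup'
EOF
}

# Lines the rule would suppress.
ignored_lines() {
    rule=$(mktemp) || return 1
    write_rule "$rule"
    sample_log | grep -E -f "$rule"
    rm -f "$rule"
}

# Lines that would still reach the report (no rule match).
reported_lines() {
    rule=$(mktemp) || return 1
    write_rule "$rule"
    sample_log | grep -E -v -f "$rule"
    rm -f "$rule"
}

echo "ignored:";  ignored_lines
echo "reported:"; reported_lines
```

Because the rule is anchored with `^` and `$` and restricts every field to a narrow character class, a line carrying extra text or an unlisted terminal type is not suppressed and still shows up in the report.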

