[Logcheck-devel] Bug#593482: Please update violations.ignore.d/logcheck-sudo to ignore regular messages

Michel Messerschmidt lists at michel-messerschmidt.de
Wed Aug 18 14:31:51 UTC 2010 

Package: logcheck
Version: 1.3.11
Severity: normal
Tags: patch

logcheck does not filter some sudo log messages that I consider false positives. 

One message is caused by executing "sudo -l":
Aug 18 16:14:24 rio sudo:      mic : TTY=pts/1 ; PWD=/home/mic ; USER=root ; COMMAND=list

The other message is caused by system shutdown through slim:
Aug 17 14:24:26 rio sudo:     root : TTY=console ; PWD=/ ; USER=root ; COMMAND=/sbin/shutdown -h now SliM F11 initiated system shutdown


This change works for me:
--- logcheck/violations.ignore.d/logcheck-sudo	(revision 286)
+++ logcheck/violations.ignore.d/logcheck-sudo	(working copy)
@@ -1,5 +1,5 @@
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo: pam_krb5\(sudo:auth\): user [[:alnum:]-]+ authenticated as [[:alnum:]-]+@[.A-Z]+$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|console|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=((/(usr|etc|bin|sbin)/|sudoedit ).*|list)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\): session closed for user [[:alnum:]-]+$



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages logcheck depends on:
ii  adduser                       3.112      add and remove users and groups
ii  cron                          3.0pl1-113 process scheduling daemon
ii  exim4-daemon-light [mail-tran 4.72-1     lightweight Exim MTA (v4) daemon
ii  lockfile-progs                0.1.15     Programs for locking and unlocking
ii  logtail                       1.3.11     Print log file lines that have not
ii  mime-construct                1.11       construct/send MIME messages from 
ii  rsyslog [system-log-daemon]   4.6.4-1    enhanced multi-threaded syslogd

Versions of packages logcheck recommends:
ii  logcheck-database             1.3.11     database of system log rules for t

Versions of packages logcheck suggests:
pn  syslog-summary                <none>     (no description available)

-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20100818/f061065a/attachment.pgp>

More information about the Logcheck-devel mailing list