[Logcheck-users] problem with logcheck rules
Ric Otte
ric@otte.ucsc.edu
Fri, 3 Dec 2004 06:50:18 -0800
Hi,
I am running logcheck 1.2.28 on Debian testing but am unable to modify the
rules to prevent certain information being mailed to me. I get loads of
messages like the following in the System Events section of the email:
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0)
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0)
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root
After reading the information in /usr/share/doc/logcheck-database, I made a
file 'local' in /etc/logcheck/ignore.d.server that contains the following
lines:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user mail$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user mail by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \(uid=[0-9]+\)$
But this had no effect at all. I then placed this file in
/etc/logcheck/violations.ignore.d/local but it also had no effect there. As
far as I can tell, my rules files in the /etc/logcheck directories are having
no effect at all. These rules do find the relevant lines when I use them
manually with egrep. My /etc/logcheck/logcheck.conf file contains the
following:
REPORTLEVEL="server"
SENDMAILTO="ric"
RULEDIR="/etc/logcheck"
ATTACKSUBJECT="Attack Alerts"
SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"
I am also puzzled that I still get a System Events subject line section, even
though this line is commented out in logcheck.conf.
Any suggestions would be appreciated; I've tried lots of different regexps in
the files, and nothing seems to work. I'm wondering if there is some setting I
need to change in order to get logcheck to read the rule files. Thanks,
Ric
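Added example (not part of the post or of the logcheck package): a constructed log sample, two ignore rules covering the four cron lines, and a small shell check that compiles each rule with grep -E the way logcheck's egrep stage does and counts what would still be reported. It assumes GNU grep; a rule whose parentheses are mis-escaped leaves an unclosed group, and egrep then rejects the whole rules file rather than ignoring that one line.

```shell
#!/bin/sh
# Added example, assumes GNU grep -E (what logcheck's egrep stage uses).
LOG=$(mktemp); RULES=$(mktemp); BADRULES=$(mktemp)
trap 'rm -f "$LOG" "$RULES" "$BADRULES"' EXIT

# Constructed sample: the four cron lines plus one line that should still be reported.
cat >"$LOG" <<'EOF'
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0)
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0)
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root
Nov 24 01:10:00 phil sshd[4790]: Accepted password for root from 10.0.0.5 port 4022 ssh2
EOF

# Ignore rules: literal parentheses around "uid=..." escaped as \( and \).
cat >"$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user (root|mail)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user (root|mail) by \(uid=[0-9]+\)$
EOF

# Mis-escaped variant: "\ (" is an escaped space followed by an unclosed group,
# so egrep reports a syntax error for the whole file.
cat >"$BADRULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \ (uid=[0-9]+\)$
EOF

# lint_rules FILE: compile every non-empty pattern; grep exit status 2 means a
# syntax error. Returns 1 if any pattern is bad, 0 otherwise.
lint_rules() {
  bad=0
  while IFS= read -r pat; do
    [ -z "$pat" ] && continue
    rc=0
    grep -E -q -e "$pat" /dev/null 2>/dev/null || rc=$?
    if [ "$rc" -eq 2 ]; then
      echo "bad regex: $pat" >&2
      bad=1
    fi
  done <"$1"
  return $bad
}

# reported_count RULES LOG: lines that survive the ignore rules, i.e. what
# logcheck's "egrep -v -f" stage would still mail out.
reported_count() {
  grep -E -v -c -f "$1" "$2" 2>/dev/null || true
}

lint_rules "$RULES" && echo "rules OK: $(reported_count "$RULES" "$LOG") line(s) still reported"
```

Run the lint over each file in ignore.d.server before relying on it; one bad pattern in a file is enough for egrep to reject the entire file.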