[Logcheck-users] problem with logcheck rules

Ric Otte ric@otte.ucsc.edu
Fri, 3 Dec 2004 06:50:18 -0800
Hi,

I am running logcheck 1.2.28 on Debian testing but am unable to modify the
rules to prevent certain information being mailed to me.  I get loads of
messages like the following in the System Events section of the email:

Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0)
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0)
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root

After reading the information in /usr/share/doc/logcheck-database, I made a
file 'local' in /etc/logcheck/ignore.d.server that contains the following
lines:

 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user root$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user mail$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user mail by \(uid=[0-9]+\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \(uid=[0-9]+\)$

But this had no effect at all.  I then placed this file in
/etc/logcheck/violations.ignore.d/local but it also had no effect there.  As
far as I can tell, my rules files in the /etc/logcheck directories are having
no effect at all.  These rules do find the relevant lines when I use them
manually with egrep.  My /etc/logcheck/logcheck.conf file contains the
following:

    REPORTLEVEL="server"
    SENDMAILTO="ric"
    RULEDIR="/etc/logcheck"
    ATTACKSUBJECT="Attack Alerts"
    SECURITYSUBJECT="Security Events"
    #EVENTSSUBJECT="System Events"

I am also puzzled that I still get a System Events subject line section, even
though this line is commented out in logcheck.conf.

Any suggestions would be appreciated; I've tried lots of different regexps in
the files, and nothing seems to work.  I'm wondering if there is some setting I
need to change in order to get logcheck to read the rule files.  Thanks,

Ric
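A way to check an ignore rule file before dropping it into /etc/logcheck/ignore.d.server is to run it the way logcheck does, as an `egrep -v -f` pass over a set of sample log lines, and look at what survives. The script below is an added example, not part of the original mail and not logcheck's own code. It assumes a grep that understands `-E`, `-f` and POSIX bracket classes; the sample log lines are constructed (modelled on the pam_unix cron lines quoted above, plus one sshd line that a correct rule must not swallow), and the rule file is written with `[[:alpha:]]{3}` instead of `\w{3}` so it does not depend on a GNU extension. Each rule is a single line, and the parentheses around `uid=` are escaped as `\(` and `\)`, since a bare `(` opens a group in an extended regexp.

```shell
#!/bin/sh
# Added example (not from the original mail, not logcheck's code): dry-run a logcheck
# ignore rule file the way logcheck applies it, i.e. an "egrep -v -f RULEFILE" pass over
# the log, so you can see which lines the rules suppress and which still get reported.
# Assumptions: grep supports -E, -f, -c and POSIX bracket classes; all paths are constructed.

set -e

WORK="${TMPDIR:-/tmp}/logcheck-dryrun.$$"
mkdir -p "$WORK"

# Constructed sample log: four cron/pam_unix lines as quoted in the mail, plus one sshd
# line with the same wording that a cron-specific ignore rule must leave alone.
cat > "$WORK/sample.log" <<'EOF'
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0)
Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0)
Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root
Nov 24 01:10:00 phil sshd(pam_unix)[4790]: session opened for user root by (uid=0)
EOF

# Constructed rule file: one complete regexp per line (a rule wrapped over two lines
# is read as two broken rules and matches nothing). "(" and ")" are group delimiters in
# an extended regexp, so the uid part is written \(uid=[0-9]+\).
cat > "$WORK/local" <<'EOF'
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user (root|mail)$
^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user (root|mail) by \(uid=[0-9]+\)$
EOF

# Print the lines the rule file does NOT match: this is what logcheck would still mail.
# Usage: surviving_lines LOGFILE RULEFILE
surviving_lines() {
    # grep exits 1 when every line was suppressed; that is a success for us, not an error.
    grep -E -v -f "$2" "$1" || true
}

# Number of lines that survive the rule file (0 means everything was suppressed,
# which is worth a second look: an over-broad rule hides real events too).
count_surviving() {
    surviving_lines "$1" "$2" | grep -c . || true
}

# Number of sample lines a single rule matches; a rule that matches 0 lines is
# either mistyped or split across lines.
# Usage: count_matches_for_rule LOGFILE 'REGEXP'
count_matches_for_rule() {
    grep -E -c -e "$2" "$1" || true
}

echo "Lines logcheck would still report after applying $WORK/local:"
surviving_lines "$WORK/sample.log" "$WORK/local"
```

Run it as `sh logcheck-dryrun.sh`; only the sshd line should be printed. Checking each rule on its own with `count_matches_for_rule` is the quickest way to spot a rule that silently matches nothing, which is the same failure mode as a rule file that is never read at all.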