
We have a custom file for logcheck ignore patterns. Today I decided to add another one but it isn't working as smoothly as I'm used to.

What I normally do is craft a regular expression that will match the line(s) I need to ignore using egrep, and then just put the regex in the /etc/logcheck/ignore.d.server/local file. This time it's not working and I'm stumped as to why.

These are the types of entries I want to exclude:

Oct 19 17:32:15 box sudo: pam_unix(sudo:session): session opened for user logcheck by graeme(uid=0)
Oct 19 17:32:15 box sudo: pam_unix(sudo:session): session closed for user logcheck

This is my regex pattern:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session (opened|closed) for user [a-z0-9.-]+( by [a-z0-9.-]+\(uid=[0-9]+\))?$

Nothing too hectic, and using that pattern with egrep on the /var/log/auth.log file shows me all the lines I want ignored. Anyone have any pointers as to why logcheck isn't ignoring the lines?

user9517
ThatGraemeGuy

1 Answer


According to Launchpad bug #243693, every sudo event is handled at the violations layer.

In addition to including your regex in /etc/logcheck/ignore.d.server/local, you may also have to include it in /etc/logcheck/violations.ignore.d/logcheck-sudo.

flashnode