Problem mit Logcheck Ignoreliste

Mordor

Registered User
Und Nochmal ich.
Irgendwie häufen sich Momentan die Porbleme!
Ich hab mir gester Logcheck installiert, über apt-get. Das funktioniert auch ganz gut. Nur bekomme ich zuviele Messeges in den Mails. Jetzt würde ich gerne von Logcheck einige Nachrichten ignorieren lassen, vorallem die von Cron.
Hier mal die Config von Logcheck:
Code:
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale

#DATE="$(date +'%Y-%m-%d %H:%M')"

#
# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#
#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "[email protected]"

SENDMAILTO="root"

# Should the hostname in the subject of generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support

#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path

#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.

SYSLOGSUMMARY=1

# Controls Subject: lines on logcheck reports:

#ATTACKSUBJECT="Security Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines

# ADDTAG="no"
Nachdem REPORTLEVEL auf Server steht, dachte ich mir, dass die Ignore-Regeln nach ignore.d.Server müssen, und habe eben auch da eine neue Regel erstellt.
Zuerst mal der Logeintrag, der ignoriert werden soll:
Code:
Nov  6 11:05:01 Debian-40-etch-32-minimal CRON[20509]: (pam_unix) session opened for user munin by (uid=0)
Nov  6 11:05:01 Debian-40-etch-32-minimal CRON[20511]: (pam_unix) session opened for user root by (uid=0)
und das wollte ich mit folgenden Regeln machen:
Code:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]*\]: \(pam_unix\) session opened for user root by (uid=0)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]*\]: \(pam_unix\) session closed for user root
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]*\]: \(pam_unix\) session opened for user munin by (uid=0)
Und das funktioniert eben nicht.
Kann mir vieleicht jemand sagen, wo ich da falsch bin?

System Debian Etch auf Hetzner root

Gruß Mordor
 
Top