Gentoo Forums
Logcheck filter not working
Forum: Networking & Security
psychedup (n00b; Joined: 02 Oct 2012; Posts: 17; Location: Bremerton, WA, US)
Posted: Tue Jul 14, 2020 1:17 pm    Post subject: Logcheck filter not working

I've been using logcheck for a few years now. It scans my log files like /var/log/messages every hour and sends me an email with what it found.

I've had it dialed in pretty well with filters in /etc/logcheck/ignore.server.d/local-* files which contain regex expressions for things that should be filtered out. But recently it started sending me this every hour:

Code:
Security Events for su
=-=-=-=-=-=-=-=-=-=-=-
Jul 14 06:15:00 hostname su[32296]: pam_unix(su:session): session opened for user logcheck(uid=108) by (uid=0)


so I created this entry to filter it out:

Code:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]*\]: pam_unix\(su:session\): session opened for user logcheck\(uid=108\) by \(uid=0\)$


But it isn't getting filtered out. I think it's because logcheck is considering it a "Security Event" rather than a "System Event".

I'm curious if anybody else is seeing this issue and how it can be filtered out?
Elleni (Veteran; Joined: 23 May 2006; Posts: 1089)
Posted: Mon Jul 20, 2020 7:11 pm

I see the same after my recent update, but only now found your thread.
psychedup (n00b; Joined: 02 Oct 2012; Posts: 17; Location: Bremerton, WA, US)
Posted: Sat Jul 25, 2020 1:01 pm

I was able to solve this. I had to put the filter expression in a file in /etc/logcheck/violations.ignore.d.

Code:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]*\]: pam_unix\(su:session\): session opened for user logcheck\(uid=108\) by \(uid=0\)$


I named the file "local-logcheck" and had to make sure it had the same owner and permission as the other files in that folder. That seems to have suppressed these messages.
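Why the move from ignore.server.d to violations.ignore.d makes the difference, as an added example written for this page (not logcheck's own script and not code posted in the thread): a small POSIX sh model of the two independent passes logcheck runs over a log. Lines matching a violations.d rule are reported as "Security Events" and can only be dropped from that section by a violations.ignore.d pattern; separately, every line not matched by an ignore.server.d pattern is reported as a "System Event". The su line from the post is used verbatim; the other two sample lines and the simplified violations.d stand-in (VIOLATIONS_RE) are constructed assumptions, and the real rule-file naming, ownership and permission checks are not modeled. It needs a grep that accepts `\w` in -E mode, as GNU grep does.

```shell
#!/bin/sh
# Added example: a constructed model of how logcheck routes a log line through
# its rule directories. It is not logcheck's own script.
#   pass 1: lines matching violations.d become "Security Events"; only a
#           pattern in violations.ignore.d can remove them from that section
#   pass 2: independently, every line not matched by ignore.server.d is
#           reported under "System Events"
# A rule that lives only in ignore.server.d therefore silences the System
# Events copy of a line but never the Security Events copy.
set -u

# Constructed sample log. Only the first line is from the thread; the other
# two are made up to show that the filter stays narrow.
SAMPLE_LOG='Jul 14 06:15:00 hostname su[32296]: pam_unix(su:session): session opened for user logcheck(uid=108) by (uid=0)
Jul 14 06:15:01 hostname su[32300]: pam_unix(su:session): session opened for user root(uid=0) by alice(uid=1000)
Jul 14 06:16:00 hostname cron[1234]: (root) CMD (run-parts /etc/cron.hourly)'

# The poster's rule, verbatim (grep -E syntax, which is what logcheck feeds to grep).
LOCAL_RE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]*\]: pam_unix\(su:session\): session opened for user logcheck\(uid=108\) by \(uid=0\)$'

# Assumption: a simplified stand-in for the violations.d rule that flags su
# session opens; the real rule files are broader than this.
VIOLATIONS_RE='su\[[0-9]+\]: pam_unix\(su:session\): session opened'

# matches REGEX LINE: succeeds when LINE matches REGEX under grep -E.
matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# run_logcheck IGNORE_SERVER_RE VIOLATIONS_IGNORE_RE
# Prints every line that would reach the report, prefixed by its section.
# Pass an empty string for a directory that holds no matching rule.
run_logcheck() {
    ignore_server_re=$1
    violations_ignore_re=$2
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        # Pass 1: Security Events, filtered only by violations.ignore.d.
        if matches "$VIOLATIONS_RE" "$line"; then
            if [ -z "$violations_ignore_re" ] || ! matches "$violations_ignore_re" "$line"; then
                printf 'SECURITY: %s\n' "$line"
            fi
        fi
        # Pass 2: System Events, filtered only by ignore.server.d.
        if [ -z "$ignore_server_re" ] || ! matches "$ignore_server_re" "$line"; then
            printf 'SYSTEM: %s\n' "$line"
        fi
    done
}

# report_contains IGNORE_SERVER_RE VIOLATIONS_IGNORE_RE NEEDLE: succeeds when
# NEEDLE appears in the report produced with those two rules.
report_contains() { run_logcheck "$1" "$2" | grep -qF -- "$3"; }

# Where the thread started: the rule only in ignore.server.d. The logcheck su
# line is gone from System Events but still printed as a Security Event.
echo '== rule in ignore.server.d only =='
run_logcheck "$LOCAL_RE" ""

# The fix from the last post: the same rule also in violations.ignore.d. The
# logcheck su line disappears; alice's su to root is still reported twice.
echo '== rule in ignore.server.d and violations.ignore.d =='
run_logcheck "$LOCAL_RE" "$LOCAL_RE"
```

Run it with `sh` to see both reports. The second run is also the check worth keeping in mind when adding such a rule: because the pattern pins `logcheck\(uid=108\)` and `by \(uid=0\)`, the constructed su-to-root by a human user is still reported in both sections; loosening the pattern to any `su` session open would silence that too.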