We have a custom file for logcheck ignore patterns. Today I decided to add another one but it isn't working as smoothly as I'm used to.
What I normally do is craft a regular expression that will match the line(s) I need to ignore using egrep, and then just put the regex in the /etc/logcheck/ignore.d.server/local file. This time it's not working and I'm stumped as to why.
These are the types of entries I want to exclude:
Oct 19 17:32:15 box sudo: pam_unix(sudo:session): session opened for user logcheck by graeme(uid=0)
Oct 19 17:32:15 box sudo: pam_unix(sudo:session): session closed for user logcheck
This is my regex pattern:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session (opened|closed) for user [a-z0-9.-]+( by [a-z0-9.-]+\(uid=[0-9]+\))?$
Nothing too hectic, and using that pattern with egrep on the /var/log/auth.log file shows me all the lines I want ignored. Anyone have any pointers as to why logcheck isn't ignoring the lines?
According to launchpad bug #243693 every sudo event is handled at the violations layer.
In addition to including your regex in
/etc/logcheck/ignore.d.server/local
you may also have to include it in /etc/logcheck/violations.ignore.d/logcheck-sudo
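As an added check (not part of the question or the answer above), the script below mirrors what logcheck does with an ignore file, feeding it to `grep -E -v -f` against constructed sample lines, so you can confirm the pattern is a valid extended regex and see exactly which lines would still be reported; the temporary pattern file stands in for a hypothetical copy of the rule in /etc/logcheck/violations.ignore.d/logcheck-sudo.

```shell
#!/bin/sh
# Added example: reproduce logcheck's filtering step on constructed sample
# lines. logcheck applies each file under ignore.d.* and violations.ignore.d
# as extended regexes (grep -E), so a pattern that works with egrep on
# auth.log should also work here; lines that survive are what gets reported.
set -e

# Constructed sample lines modelled on the ones in the question, plus one
# unrelated line that the pattern must NOT swallow.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 19 17:32:15 box sudo: pam_unix(sudo:session): session opened for user logcheck by graeme(uid=0)
Oct 19 17:32:15 box sudo: pam_unix(sudo:session): session closed for user logcheck
Oct 19 17:33:01 box sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 2222 ssh2
EOF

# The pattern from the question, written to a temporary file standing in for
# a hypothetical /etc/logcheck/violations.ignore.d/logcheck-sudo so the
# script runs without touching /etc.
PATTERN_FILE=$(mktemp)
cat > "$PATTERN_FILE" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session (opened|closed) for user [a-z0-9.-]+( by [a-z0-9.-]+\(uid=[0-9]+\))?$
EOF
trap 'rm -f "$SAMPLE_LOG" "$PATTERN_FILE"' EXIT

# Lines that are not matched by any pattern in the ignore file; this is
# the set logcheck would include in its report.
remaining_lines() {
    grep -E -v -f "$PATTERN_FILE" "$SAMPLE_LOG" || true
}

# Number of surviving lines; with the sample above only the sshd line is
# left, which shows both sudo session lines are ignored by the regex.
remaining_count() {
    remaining_lines | grep -c . || true
}

echo "Lines logcheck would still report:"
remaining_lines
```

If a sudo line still shows up in the output, the regex itself is the problem; if it is filtered here but logcheck still reports it, the pattern is simply in the wrong layer (ignore.d.server instead of violations.ignore.d), which is the point the answer makes.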