> ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: 
> pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user 
> [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?$
>
> Notice the "by" now has a username
>
> The fix is pretty easy, add an optional second username. Below is my
> line to remove that message:
>
> ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: 
> pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user 
> [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by ([[:alnum:]-]+)?\(uid=[0-9]+\))?$

The username is only optional for the "opened", but never present on
closed, so we need rules of the form

# https://sources.debian.org/src/pam/1.5.3-7/modules/pam_unix/pam_unix_sess.c/#L100
$X: pam_[[:alnum:]]+\(cron:session\): session opened for user $USERNAME+\(uid=$UID\) by $USERNAME*\(uid=$UID\)$

# https://sources.debian.org/src/pam/1.5.3-7/modules/pam_unix/pam_unix_sess.c/#L130
$X: pam_[[:alnum:]]+\(cron:session\): session closed for user $USERNAME+$
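A way to check the split rules against sample lines with `grep -E` before deploying them, added here as an example and not part of the original thread. The expansions chosen for `$X`, `$USERNAME` and `$UID` are assumptions taken from the quoted rule, and the log lines are constructed.

```shell
#!/bin/sh
# Placeholder expansions are assumptions; UID_RE avoids bash's read-only $UID.
X='^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]'
PAM='pam_[[:alnum:]]+\(cron:session\)'
USERNAME='[[:alnum:]-]'
UID_RE='[0-9]+'

# Rule from the quoted report, before any fix: no username allowed after "by".
OLD="${X}: ${PAM}: session (opened|closed) for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?\$"
# Split rules in the form given in the reply.
OPENED="${X}: ${PAM}: session opened for user ${USERNAME}+\(uid=${UID_RE}\) by ${USERNAME}*\(uid=${UID_RE}\)\$"
CLOSED="${X}: ${PAM}: session closed for user ${USERNAME}+\$"

# matches RULE LINE: succeed if the extended regex RULE matches LINE.
matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# filtered LINE: succeed if either split rule would drop LINE from the report.
filtered() { matches "$OPENED" "$1" || matches "$CLOSED" "$1"; }

# Constructed sample lines (hostname, PID and user are made up).
P='Jan 12 06:25:01 host1 CRON[12345]: pam_unix(cron:session): session'
L_OLD="$P opened for user root(uid=0) by (uid=0)"       # older pam_unix format
L_NEW="$P opened for user root(uid=0) by root(uid=0)"   # "by" now has a username
L_CLOSED="$P closed for user root"
L_ODD="$P closed for user root by root(uid=0)"          # not a form pam_unix emits

for l in "$L_OLD" "$L_NEW" "$L_CLOSED" "$L_ODD"; do
  if filtered "$l"; then s=filtered; else s=REPORTED; fi
  printf '%-9s %s\n' "$s" "$l"
done
```

The last sample shows what the split buys: a "closed" line carrying a "by" clause is not a form the rules expect, so it stays in the report instead of being silently dropped.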
