Robert Ramiega wrote:
<snip>
> named[.*]: USAGE .* .* CPU=.*/.* CHILDCPU=.*/.*
> PAM_unix[.*]: (ssh) session opened for user .* by (.*)
>
> and I still get in logcheck mails:
> Dec 13 23:46:53 plukwa named[159]: USAGE 945125213 945085613 CPU=61.74u/56.5s
> CHILDCPU=0u/0s
> Dec 13 23:04:55 plukwa PAM_unix[17035]: (ssh) session opened for user root by
> (uid=0)
>
> Those 2 lines (both from logcheck.ignore and logcheck mails) are not the
> only ones (basically any line with named, PAM_unix and so on gets reported
> under Unusual Events and some of those lines came with package and were not
> modified by me).
> Can someone help me?
>
> (just popped into my head... does the case of regex matter? it's the same as
> in /var/log/messages but....)
>
> --
> Robert Ramiega | [EMAIL PROTECTED] IRC: _Jedi_ | Don't underestimate
> UIN: 13201047 | http://plukwa.pdi.net/ | the power of Source

Your patterns don't match because the brackets [] are treated as metacharacters and you need to escape them to match: "named\[.*\]:" (minus the quotes).

The logcheck script is in /usr/sbin/logcheck.sh - the script uses grep to do the pattern matching. From the source and the grep(1) manpage, it seems that for the lines to include in the log (logcheck.hacking and logcheck.violations) the matching is case-insensitive, but for the exclusions (logcheck.violations.ignore and logcheck.ignore) the matching is case-sensitive.

HTH.

--
Regards,
Paul
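
The behaviour described in the reply, as an added example that is not part of the original message or of logcheck itself: the thread's two log lines are filtered through an ignore list with the brackets unescaped and then escaped. It assumes the ignore file is applied as `grep -v -f FILE` with basic regular expressions (where parentheses are literal); `sample_log` and `count_reported` are hypothetical helper names, and the third log line is constructed.

```shell
#!/bin/sh
# Constructed sample: the two log lines quoted in the thread, plus one
# constructed line that no ignore pattern should ever hide.
sample_log() {
cat <<'EOF'
Dec 13 23:46:53 plukwa named[159]: USAGE 945125213 945085613 CPU=61.74u/56.5s CHILDCPU=0u/0s
Dec 13 23:04:55 plukwa PAM_unix[17035]: (ssh) session opened for user root by (uid=0)
Dec 13 23:05:10 plukwa sshd[17040]: refused connect from 192.0.2.7
EOF
}

# count_reported FLAGS PATTERN...
# Writes the patterns to a temporary ignore file, one per line, and prints
# how many sample lines are still reported after "grep FLAGS -f FILE".
# FLAGS is -v (case-sensitive exclusion) or -vi (case-insensitive).
count_reported() {
    flags=$1; shift
    patterns=$(mktemp)
    printf '%s\n' "$@" > "$patterns"
    # grep -c exits non-zero when the count is 0, hence "|| true"
    n=$(sample_log | grep -c "$flags" -f "$patterns" || true)
    rm -f "$patterns"
    echo "$n"
}

# Patterns as posted: [.*] is a bracket expression matching ONE character,
# either "." or "*", so "named[.*]:" never matches "named[159]:".
UNESC_NAMED='named[.*]: USAGE .* .* CPU=.*/.* CHILDCPU=.*/.*'
UNESC_PAM='PAM_unix[.*]: (ssh) session opened for user .* by (.*)'

# Patterns with the brackets escaped, as the reply suggests.
ESC_NAMED='named\[.*\]: USAGE .* .* CPU=.*/.* CHILDCPU=.*/.*'
ESC_PAM='PAM_unix\[.*\]: (ssh) session opened for user .* by (.*)'

echo "unescaped brackets: $(count_reported -v "$UNESC_NAMED" "$UNESC_PAM") of 3 lines still reported"
echo "escaped brackets:   $(count_reported -v "$ESC_NAMED" "$ESC_PAM") of 3 lines still reported"

# Case matters for exclusions: a lower-case pattern only suppresses the
# PAM_unix line when grep is told to ignore case.
echo "pam_unix, -v:       $(count_reported -v 'pam_unix\[.*\]:') of 3 lines still reported"
echo "pam_unix, -vi:      $(count_reported -vi 'pam_unix\[.*\]:') of 3 lines still reported"
```

After editing an ignore file, checking that the count of surviving lines drops by exactly the lines you meant to suppress guards against a pattern that is too broad and hides events you still want mailed.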