Hi, I am running logcheck 1.2.28 on Debian testing but am unable to modify the rules to prevent certain information being mailed to me. I get loads of messages like the following in the System Events section of the email: Nov 24 01:08:01 phil cron(pam_unix)[4763]: session opened for user mail by (uid=0) Nov 24 01:08:01 phil cron(pam_unix)[4763]: session closed for user mail Nov 24 01:09:01 phil cron(pam_unix)[4768]: session opened for user root by (uid=0) Nov 24 01:09:01 phil cron(pam_unix)[4768]: session closed for user root After reading the information in /usr/share/doc/logcheck-database, I made a file 'local' in /etc/logcheck/ignore.d.server that contains the following lines: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user root$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session closed for user mail$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user mail by \ (uid=[0-9]+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_unix\)\[[0-9]+\]: session opened for user root by \ (uid=[0-9]+\)$ But this had no effect at all. I then placed this file in /etc/logcheck/violations.ignore.d/local but it also had no effect there. As far as I can tell, my rules files in the /etc/logcheck directories are having no effect at all. These rules do find the relevant lines when I use them manually with egrep. My /etc/logcheck/logcheck.conf file contains the following: REPORTLEVEL="server" SENDMAILTO="ric" RULEDIR="/etc/logcheck" ATTACKSUBJECT="Attack Alerts" SECURITYSUBJECT="Security Events" #EVENTSSUBJECT="System Events" I am also puzzled that I still get a System Events subject line section, even though this line is commented out in logcheck.conf. Any suggestions would be appreciated; I've tried lots of different regexp in the files, and nothing seems to work. I'm wondering if there is some setting I need to change in order to get logcheck to read the rule files. Thanks, Ric