Hello All,

I am using logcheck 1.2.39 on Debian and am experiencing that the following in /etc/logcheck/ignore.d.server/ssh is being ignored:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+ (ssh|ssh2)$

When I test the rule with egrep on /var/log/auth, the lines show up, so the line should be correct. However, all SSH logins are reported as Security Events nevertheless... What could this be? I'd be thankful for any hint!

Greetz,
Kilian
On Wed, Sep 20, 2006 at 05:14:18PM +0200, Kilian wrote:
> I am using logcheck 1.2.39 on Debian and am experiencing that the
> following in /etc/logcheck/ignore.d.server/ssh is being ignored:
...
> When I test the rule with egrep on /var/log/auth, the lines show up, so
> the line should be correct. However, all SSH logins are reported as
> Security Events nevertheless... What could this be? I'd be thankful for
> any hint!

Security events need to be ignored in /etc/logcheck/violations.ignore.d.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."
> Hello All,
>
> I am using logcheck 1.2.39 on Debian and am experiencing that the
> following in /etc/logcheck/ignore.d.server/ssh is being ignored:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted
> (gssapi|rsa|dsa|password|publickey|keyboard-interactive/pam) for
> [^[:space:]]+ from [^[:space:]]+ port [0-9]+ (ssh|ssh2)$
>
> When I test the rule with egrep on /var/log/auth, the lines show up, so
> the line should be correct. However, all SSH logins are reported as
> Security Events nevertheless... What could this be? I'd be thankful for
> any hint!
>
> Greetz,
> Kilian

I too experience this with sshd. I have a rule to ignore failed root login attempts and it works with egrep, but still the lines are reported.

-- 
Mark Edwards
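The reply above explains the symptom both posters see: logcheck classifies a line against violations.d first, and a hit becomes a Security Event unless violations.ignore.d also matches; only lines that never matched violations.d are filtered by ignore.d.*. The script below is an added illustration of that ordering, not code from the thread or from logcheck itself; the violations.d pattern, the sample log line and the config directory are constructed, and Kilian's regex is used unchanged.

```shell
#!/bin/sh
# Emulates the order in which logcheck 1.2.x applies its rule directories
# (real logcheck also consults cracking.d / cracking.ignore.d first; omitted).
#   1. violations.d        -> match => Security Event, unless ...
#   2. violations.ignore.d -> ... a rule here also matches (line dropped)
#   3. ignore.d.*          -> only seen by lines that never matched step 1

# matches_dir LINE DIR: succeed if any regex file in DIR matches LINE (egrep -f)
matches_dir() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        printf '%s\n' "$1" | grep -E -q -f "$f" && return 0
    done
    return 1
}

# classify LINE CFGDIR: print SECURITY, IGNORED or SYSTEM
classify() {
    if matches_dir "$1" "$2/violations.d"; then
        matches_dir "$1" "$2/violations.ignore.d" && { echo IGNORED; return 0; }
        echo SECURITY; return 0
    fi
    matches_dir "$1" "$2/ignore.d.server" && { echo IGNORED; return 0; }
    echo SYSTEM
}

# Kilian's rule from the thread, and a constructed auth.log line it matches.
SSH_OK='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted (gssapi|rsa|dsa|password|publickey|keyboard-interactive/pam) for [^[:space:]]+ from [^[:space:]]+ port [0-9]+ (ssh|ssh2)$'
LINE='Sep 20 17:14:18 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2'

# setup_cfg: build a throwaway config tree (constructed, not the Debian default) and print its path
setup_cfg() {
    d=$(mktemp -d)
    mkdir -p "$d/violations.d" "$d/violations.ignore.d" "$d/ignore.d.server"
    # constructed violations.d rule: every sshd "Accepted" line is a security event
    printf '%s\n' 'sshd\[[0-9]+\]: Accepted' > "$d/violations.d/ssh"
    # the poster's rule, in the directory they used
    printf '%s\n' "$SSH_OK" > "$d/ignore.d.server/ssh"
    echo "$d"
}

CFG=$(setup_cfg)
echo "rule only in ignore.d.server:     $(classify "$LINE" "$CFG")"   # SECURITY
cp "$CFG/ignore.d.server/ssh" "$CFG/violations.ignore.d/ssh"
echo "rule also in violations.ignore.d: $(classify "$LINE" "$CFG")"   # IGNORED
rm -rf "$CFG"
```

The same ordering is why a rule for failed root logins placed in ignore.d.server has no effect if those lines match violations.d; it must also live in violations.ignore.d.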