I am troubleshooting a new cron line that is triggering logcheck.
Other cron entries do not trigger logcheck, even though they are
logged in /var/log/syslog.
This is a security trigger, and I know it is because of certain words
in the cron entry. What I can't figure out is which entry in
logcheck is ignoring the other cron events? Here is a cron log from
syslog that does not trigger logcheck:
Jul 30 13:50:01 labserver /USR/SBIN/CRON[20237]: (www-data) CMD (/usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)
and here is the standard /etc/logcheck/ignore.d.server/cron:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) REPLACE \([[:alnum:]-]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) (BEGIN|END) EDIT \([[:alnum:]-]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$
Clearly none of those lines are ignoring the cron log line above.
Can someone point out which line actually ignores cron logs?
Thanks.
--
Mark Edwards
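Added example, not part of Mark's message: a shell script that checks each of the four quoted ignore rules against the logged CRON line the way logcheck itself does (it hands its ignore files to egrep), and reports which rule, if any, matched. It confirms that none of the posted rules cover a "CMD (...)" line, and then shows one rule shape that would. That CMD rule is my assumption for illustration only; it is not a rule taken from the poster's file or from any particular logcheck release. The log line is a constructed copy of the one in the post. GNU grep is assumed, since the rules use \w.

```shell
#!/bin/sh
# Added example: test logcheck ignore regexes against one syslog line.
# logcheck feeds each ignore file to egrep -f; this loop does the same
# one rule at a time so we can see which rule (if any) matches.
set -e

# Constructed copy of the syslog line quoted in the post.
LOGLINE='Jul 30 13:50:01 labserver /USR/SBIN/CRON[20237]: (www-data) CMD (/usr/share/cacti/site/poller.php >/dev/null 2>/var/log/cacti/poller-error.log)'

# The four rules quoted from /etc/logcheck/ignore.d.server/cron, one per line.
POSTED_RULES='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) REPLACE \([[:alnum:]-]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) (BEGIN|END) EDIT \([[:alnum:]-]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: nss_ldap: reconnect(ing|ed) to LDAP server(\.\.\.| after [0-9]+ attempt\(s\))$'

# Hypothetical rule for CRON "CMD (...)" lines. This is an assumption for
# illustration, not a rule from the poster's file: same date/host prefix,
# the /USR/SBIN/CRON[pid] tag, the user in parentheses, then any command.
CMD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([._[:alnum:]-]+\) CMD \(.*\)$'

# A constructed crontab LIST line, to show that rule 1 does fire on what it
# was written for.
LIST_LINE='Jul 30 13:50:01 labserver crontab[20301]: (root) LIST (www-data)'

# which_rule_matches RULES LINE
#   Prints the 1-based index of the first rule in RULES (newline-separated)
#   that matches LINE under grep -E, or "none" if no rule matches.
which_rule_matches() {
    result=$(printf '%s\n' "$1" | {
        i=0
        while IFS= read -r rule; do
            i=$((i + 1))
            # -e keeps a rule starting with '^' from being read as an option
            if printf '%s\n' "$2" | grep -Eq -e "$rule"; then
                echo "$i"
                exit 0    # leaves only this subshell; result is captured above
            fi
        done
        echo none
    })
    printf '%s\n' "$result"
}

# Stand-alone run: show the three checks.
printf 'posted rules vs CRON CMD line : %s\n' "$(which_rule_matches "$POSTED_RULES" "$LOGLINE")"
printf 'posted rules vs crontab LIST  : %s\n' "$(which_rule_matches "$POSTED_RULES" "$LIST_LINE")"
printf 'hypothetical CMD rule vs line : %s\n' "$(which_rule_matches "$CMD_RULE" "$LOGLINE")"
```

The same loop can be pointed at any other file under /etc/logcheck/ignore.d.*/ by replacing the rule string with `$(cat /etc/logcheck/ignore.d.server/somefile)`, which is the quickest way to find out which installed rule, if any, is silencing a given line.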