Hi there,
I know this is the classic RTFM list question but... I've really tried hard on this and no result!
This is what I'm receiving from logcheck:
System Events
=-=-=-=-=-=-
Apr 3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root
Apr 3 06:55:19 bsg sshd[32248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root
Apr 3 06:55:25 bsg sshd[32250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root
I want to filter it out, so in /etc/logcheck/ignore.d.server/local I've put this line:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}( +user=[a-Z0-9]+)?$
Which I tested like this:
bsg:/etc/logcheck/ignore.d.server# sed -e 's/[[:space:]]*$//' /var/log/auth.log | egrep '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}( +user=[a-Z0-9]+)?$'
Apr 1 09:33:19 bsg sshd[19707]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.218.176 user=root
Apr 1 09:33:28 bsg sshd[19710]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.218.176 user=root
Apr 1 09:33:37 bsg sshd[19713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.218.176 user=root
Apr 2 22:44:14 bsg sshd[32730]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83
Apr 2 22:44:19 bsg sshd[32732]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83 user=root
Apr 2 22:44:26 bsg sshd[32734]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.184.76.83
Apr 3 06:55:13 bsg sshd[32246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root
Apr 3 06:55:19 bsg sshd[32248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root
Apr 3 06:55:25 bsg sshd[32250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.233.245.226 user=root
Which, as you see, seems to be a correct rule.
And yes, my report level is configured to server. This is my config (without comments/blank lines):
INTRO=0
REPORTLEVEL="server"
SENDMAILTO="root"
MAILASATTACH=0
FQDN=1
TMP="/tmp"
But the line keeps coming. Please... HELP! :)
--
www.sargue.net
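A small dry-run harness for a logcheck ignore rule, added here as an example and not part of the original post or of logcheck itself. It applies a rule file the way logcheck does (lines that match any rule are dropped, the rest would be reported), after stripping trailing whitespace as in the test command above. The sample log lines are constructed; the host, PIDs and rhost addresses in them are placeholders. Two deliberate differences from the rule in the post: the day-of-month field uses syslog's two-space padding ("Apr  3"), which is what the `[ :[:digit:]]{11}` field length assumes, and the user name class is `[[:alnum:]]` rather than `[a-Z0-9]`, because `[a-Z]` is an invalid range under the C locale (GNU grep reports "Invalid range end"), which is the locale a cron job frequently runs in; the harness forces `LC_ALL=C` so that kind of problem shows up in the test rather than silently in the nightly run. GNU grep, sed and mktemp are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run a logcheck-style ignore
# rule against sample auth.log lines. Assumes GNU grep/sed and mktemp.

# Write the ignore rule to a temporary file and print its path.
# [[:alnum:]] is used instead of [a-Z0-9]; [a-Z] is not a valid range in the C locale.
make_rule_file() {
  f=$(mktemp) || exit 1
  cat >"$f" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: pam_unix\(sshd?:[[:alnum:]]+\): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[0-9.]{7,15}( +user=[[:alnum:]]+)?$
EOF
  printf '%s\n' "$f"
}

# Constructed sample input (placeholder host, PIDs and addresses):
# three pam_unix failure lines the rule should drop (with user=, with
# trailing blanks and no user=, and with a non-root user), plus one
# unrelated line that must still be reported.
sample_log() {
  msg='pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10'
  printf '%s\n'   "Apr  3 06:55:13 bsg sshd[32246]: $msg user=root"
  printf '%s  \n' "Apr  3 06:55:19 bsg sshd[32248]: $msg"
  printf '%s\n'   "Apr  3 06:55:25 bsg sshd[32250]: $msg user=admin"
  printf '%s\n'   "Apr  3 06:56:02 bsg sshd[32260]: Accepted publickey for alice from 192.0.2.20 port 51234 ssh2"
}

# Read log lines on stdin; print only those no rule in $1 matches, i.e. the
# lines logcheck would still put in its report. Trailing whitespace is
# stripped first, and the rules are applied under the C locale.
unmatched_lines() {
  rules=$1
  sed -e 's/[[:space:]]*$//' | LC_ALL=C grep -E -v -f "$rules"
}

# Stand-alone run: show what would survive the ignore rule.
rules=$(make_rule_file)
echo "Lines logcheck would still report:"
sample_log | unmatched_lines "$rules"
rm -f "$rules"
```

Feed the real file instead of the constructed sample (`unmatched_lines /etc/logcheck/ignore.d.server/local < /var/log/auth.log`) to see exactly which lines a rule file leaves through; if a pattern is rejected in the C locale, grep prints the error here instead of failing inside the cron job.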