thr3ads.net - Logcheck users - [Logcheck-users] Why does this rule not work? [Jan 2015]

If this information is useful, please help other people find it:
Share via:

dietmar.4711 at web.de

2015-Jan-12 01:22 UTC

[Logcheck-users] Why does this rule not work?

Hello,

I have log output from git in my auth.log which I want to eliminate.

All lines begin like this:
Jan 11 23:36:21 mg sudo:      git :

I now created this rule:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo:      git :

Regarding the output from "logcheck-test", this just works fine:
--- snip ---
logcheck-test -a '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo:      git
:'
Jan 11 23:36:21 mg sudo:      git : TTY=unknown ;

===============================================================================parsed
file: /var/log/auth.log
used rule: '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sudo:      git :'
--- snap ---

But I am getting this in my logheck mails over and over again, it seems to be
ignored completely.

I am sure the rule exists in the correct file, since other manually added rules
there (e.g. rules to eliminate some sshd output in auth.log) just work fine.

Any ideas?

Thank you,
Dietmar

Logcheck users - Jan 2015 - Why does this rule not work?

[Logcheck-users] Why does this rule not work?