[Logcheck-devel] Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries

Geoff Crompton geoff.crompton at strategicdata.com.au
Wed Jan 12 23:46:57 UTC 2005


Package: logcheck
Version: 1.2.32
Severity: normal

It seems when someone runs a sudo command on my system, logcheck misses
it.
The second line of /etc/logcheck/violations.d/sudo matches them, but 
the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.

Furthermore, when users run commands like '$ sudo rm *' in a directory
with lots of files, we get reports with lines like:
Jan 13 09:42:34 localhost sudo:     root : (command continued)
./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz

Can this be changed to one of the following scenarios:
a) sudo command is reported, and the (command continued) lines are also.
b) sudo command is reported, but (command continued) lines are not.
c) neither sudo command is reported, nor the (command continued) lines.

I've included a rule to ignore the command continued:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$


Cheers,


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages logcheck depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  cron             3.0pl1-86               management of regular background p
ii  debconf [debconf 1.4.30.11               Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.32                  A database of system log rules for
ii  logtail          1.2.32                  Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  perl             5.8.4-5                 Larry Wall's Practical Extraction 
ii  postfix [mail-tr 2.1.4-5                 A high-performance mail transport 
ii  sysklogd [system 1.4.1-16                System Logging Daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:
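An added check, not part of the bug report above, that runs the proposed ignore rule through grep -E (logcheck applies its rule files with egrep) against two constructed sample lines: a normal sudo entry in the usual sudo log format and the "(command continued)" line quoted in the report. It shows that the rule gives scenario (b): the continuation line is dropped while the main sudo command line is still reported. The user name, TTY, PWD and command values in the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report): exercise the proposed
# violations.ignore.d rule with grep -E, as logcheck does, against
# constructed sample sudo log lines.

# The ignore rule proposed in the report, verbatim.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$'

# Constructed sample lines (user, TTY, PWD and command are made up).
MAIN_LINE='Jan 13 09:42:34 localhost sudo:    geoff : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm ./munin/munin-node.log.2.gz'
CONT_LINE='Jan 13 09:42:34 localhost sudo:     root : (command continued) ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz'

# rule_matches LINE: exit 0 if the ignore rule would drop LINE.
rule_matches() {
    printf '%s\n' "$1" | grep -E -q -- "$RULE"
}

# count_reported: push both lines through the rule as an inverse filter,
# the way violations.ignore.d is applied, and print how many survive.
count_reported() {
    printf '%s\n%s\n' "$MAIN_LINE" "$CONT_LINE" | grep -E -v -- "$RULE" | wc -l | tr -d ' '
}

# Stand-alone run: show which sample line the rule ignores and which it reports.
for line in "$MAIN_LINE" "$CONT_LINE"; do
    if rule_matches "$line"; then
        echo "ignored : $line"
    else
        echo "reported: $line"
    fi
done
echo "lines still reported: $(count_reported)"
```

Running it prints the continuation line as ignored, the main command line as reported, and a surviving count of 1; if the rule were too broad (for instance if the literal "(command continued)" anchor were dropped), the main line would also disappear, which is the over-matching the report describes for the existing logcheck-sudo ignore file.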