[Logcheck-devel] Bug#290195: violations.d/sudo and violations.ignore.d/logcheck-sudo missing sudo log entries
Geoff Crompton
geoff.crompton at strategicdata.com.au
Wed Jan 12 23:46:57 UTC 2005
Package: logcheck
Version: 1.2.32
Severity: normal
It seems when someone runs a sudo command on my system, logcheck misses
it.
The second line of /etc/logcheck/violations.d/sudo matches them, but
the /etc/logcheck/violations.ignore.d/logcheck-sudo kills them.
Furthermore, when users run commands like '$ sudo rm *' in a directory
with lots of files, we get reports with lines like:
Jan 13 09:42:34 localhost sudo: root : (command continued)
./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
Can this be changed to one of the following scenarios:
a) sudo command is reported, and the (command continued) lines are also.
b) sudo command is reported, but (command continued) lines are not.
c) neither sudo command is reported, nor the (command continued) lines.
I've included a rule to ignore the command continued:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: +\w+ : \(command continued\).*$
Cheers,
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Versions of packages logcheck depends on:
ii adduser 3.59 Add and remove users and groups
ii cron 3.0pl1-86 management of regular background p
ii debconf [debconf 1.4.30.11 Debian configuration management sy
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii lockfile-progs 0.1.10 Programs for locking and unlocking
ii logcheck-databas 1.2.32 A database of system log rules for
ii logtail 1.2.32 Print log file lines that have not
ii mailx 1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii perl 5.8.4-5 Larry Wall's Practical Extraction
ii postfix [mail-tr 2.1.4-5 A high-performance mail transport
ii sysklogd [system 1.4.1-16 System Logging Daemon
-- debconf information:
logcheck/changes:
* logcheck/install-note:
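The ignore rule proposed above can be checked against sample log lines before it goes into /etc/logcheck/violations.ignore.d/. The following Python script is an added example, not part of the bug report or of the logcheck package: it mimics logcheck's violations pass (a line is reported if it matches a violations.d rule and no violations.ignore.d rule) over three constructed syslog lines modelled on the entry quoted above. The egrep rule is translated to Python syntax (Python's re module has no POSIX [:alnum:] class), and the violations.d/sudo rule is not quoted in the report, so VIOLATION_SUDO below is an assumed stand-in that simply matches any sudo entry. The result is scenario (b): the sudo COMMAND line is still reported, the "(command continued)" line is dropped.

```python
import re

# The ignore rule posted in the bug report, translated from egrep to Python
# syntax: [._[:alnum:]-] becomes [._a-zA-Z0-9-] because Python's re has no
# POSIX character classes. Everything else is unchanged.
IGNORE_COMMAND_CONTINUED = re.compile(
    r"^\w{3} [ :0-9]{11} [._a-zA-Z0-9-]+ sudo: +\w+ : \(command continued\).*$"
)

# ASSUMPTION: stand-in for the rule in violations.d/sudo that the report says
# matches sudo entries. The real rule is not quoted in the report; this one
# just matches any line logged by sudo.
VIOLATION_SUDO = re.compile(r"^\w{3} [ :0-9]{11} [._a-zA-Z0-9-]+ sudo: ")

# Constructed sample log lines (not real captured logs), modelled on the
# "(command continued)" entry quoted in the report. sudo pads the user name
# with spaces after "sudo:", which the rule's " +" accounts for.
SAMPLE_LOG = """\
Jan 13 09:42:34 localhost sudo:    geoff : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
Jan 13 09:42:34 localhost sudo: root : (command continued) ./munin/munin-node.log.2.gz ./munin/munin-node.log.1.gz
Jan 13 09:42:35 localhost cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""


def logcheck_violations(lines, violations, ignores):
    """Mimic logcheck's violations pass.

    A line is reported when it matches at least one violations.d rule and
    no violations.ignore.d rule. Lines matching nothing in violations.d are
    left for the separate "system events" pass, which is not modelled here.
    """
    reported = []
    for line in lines:
        if not any(rule.search(line) for rule in violations):
            continue
        if any(rule.search(line) for rule in ignores):
            continue
        reported.append(line)
    return reported


def report_without_ignore_rule():
    """What gets reported if only the (assumed) violations rule is active."""
    return logcheck_violations(SAMPLE_LOG.splitlines(), [VIOLATION_SUDO], [])


def report_with_ignore_rule():
    """What gets reported once the proposed ignore rule is added."""
    return logcheck_violations(
        SAMPLE_LOG.splitlines(), [VIOLATION_SUDO], [IGNORE_COMMAND_CONTINUED]
    )


if __name__ == "__main__":
    print("Without the ignore rule:")
    for line in report_without_ignore_rule():
        print("  ", line)
    print("With the ignore rule:")
    for line in report_with_ignore_rule():
        print("  ", line)
```

Because logcheck feeds its rule files to egrep rather than to Python, the translation above only checks the logic of the rule; the rule as written in the report should also be tried directly with `grep -E -f` against a copy of the log before it is installed, so that differences between egrep and Python syntax (the [:alnum:] class, the meaning of \w) do not hide a mismatch.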