[Logcheck-users] ignore-rules being ignored?

Mark Edwards mark at antsclimbtree.com
Wed Sep 20 19:43:59 UTC 2006


> Hello All,
>
> I am using logcheck 1.2.39 on Debian and am experiencing that the
> following in /etc/logcheck/ignore.d.server/ssh is being ignored:
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted
> (gssapi|rsa|dsa|password|publickey|keyboard-interactive/pam) for
> [^[:space:]]+ from [^[:space:]]+ port [0-9]+ (ssh|ssh2)$
>
> When I test the rule with egrep on /var/log/auth, the lines show up, so
> the line should be correct. However, all SSH logins are reported as
> Security Events nevertheless... What could this be? I'd be thankful for
> any hint!
>
> Greetz,
> Kilian

I too experience this with sshd.  I have a rule to ignore failed root
login attempts and it works with egrep, but still the lines are reported.

-- 
Mark Edwards
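
Added example, not part of the original messages and not logcheck's own code: a small shell model of how logcheck layers its rule directories. A line matching violations.d is reported under Security Events unless a rule in violations.ignore.d suppresses it, and ignore.d.server only filters the lines that are left. The violations pattern, the ignore rule, the log line and the temporary directory layout are all constructed for illustration.

```shell
#!/bin/sh
# Added example: models logcheck's rule layering for a single log line.
# Rule files and the log line are constructed, not taken from a real install.
RULES=$(mktemp -d)
mkdir -p "$RULES/violations.d" "$RULES/violations.ignore.d" "$RULES/ignore.d.server"

# Constructed violations pattern (assumption, for illustration only).
printf '%s\n' '[Ff]ailed' > "$RULES/violations.d/sample"

# Constructed ignore rule for failed root logins, placed in ignore.d.server.
IGNORE_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Failed password for root from [^[:space:]]+ port [0-9]+ ssh2$'
printf '%s\n' "$IGNORE_RULE" > "$RULES/ignore.d.server/ssh"

# Constructed log line (192.0.2.10 is a documentation address).
LINE='Sep 20 19:40:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2'

# matches LINE DIR: succeeds if LINE matches any non-empty rule in DIR.
matches() {
    cat "$2"/* 2>/dev/null | grep -v '^$' > "$RULES/.merged"
    [ -s "$RULES/.merged" ] && printf '%s\n' "$1" | grep -E -q -f "$RULES/.merged"
}

# classify LINE: prints the report section the line would end up in.
classify() {
    if matches "$1" "$RULES/violations.d"; then
        # Only violations.ignore.d is consulted for this layer.
        if matches "$1" "$RULES/violations.ignore.d"; then
            echo "ignored"
        else
            echo "Security Events"
        fi
    elif matches "$1" "$RULES/ignore.d.server"; then
        echo "ignored"
    else
        echo "System Events"
    fi
}

classify "$LINE"   # rule present only in ignore.d.server
cp "$RULES/ignore.d.server/ssh" "$RULES/violations.ignore.d/ssh"
classify "$LINE"   # same rule also present in violations.ignore.d
```
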


