These two rules are actually covered by the next ones, as the only difference is "session" being replaced with "[[:alnum:]]+".
Signed-off-by: Frédéric Brière <[EMAIL PROTECTED]> --- rulefiles/linux/ignore.d.server/logcheck | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/logcheck b/rulefiles/linux/ignore.d.server/logcheck index 767e27f..a2272ec 100644 --- a/rulefiles/linux/ignore.d.server/logcheck +++ b/rulefiles/linux/ignore.d.server/logcheck @@ -1,7 +1,5 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session closed for user [.[:alnum:]-]+$ # new pam format ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$ -- 1.5.3.8 _______________________________________________ Logcheck-devel mailing list Logcheck-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
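Review bot: In the two lines kept under "# new pam format", the field after the colon is `[[:alnum:]]+`, which is the looser of the two forms, so after this removal the only rules left for this message format accept any alphanumeric token there and not just `session`. The removal itself does not change what is ignored, since the literal `session` is one of the strings `[[:alnum:]]+` matches and the rest of each removed pattern is identical to its counterpart. If only the `session` type is expected in front of "session opened" and "session closed", consider deleting the `[[:alnum:]]+` pair and keeping the literal pair instead, so that the ignore rule stays as narrow as the messages it is meant to cover. It would also help if the commit message said that the set of ignored lines is unchanged.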