On 14 Apr 2004 20:35:19 GMT Paul Hink <[EMAIL PROTECTED]> wrote: > Russell Coker <[EMAIL PROTECTED]> wrote: > > > Try this one: > > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user > > (root)|(mail) > > > [...] > > > For having two different words match you need to put each word in > > braces, "(opened|closed)" is the same as "opene(d|c)losed". > > No! > > "session (opened|closed) for user" matches "session opened for user" > and "session closed for user" which is what is needed here. "session > (opened)|(closed) for user" matches "session opened" and "closed for > user" which does not make much sense in this context.
Using either variation appears to be working, but that's most likely due to the simplicity of the message. Based on your description, it makes more sense to me to use "(opened|closed)". jc -- Jeff Coppock Systems Engineer Diggin' Debian Admin and User -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
