Jeff Coppock <[EMAIL PROTECTED]> wrote: > On 14 Apr 2004 20:35:19 GMT Paul Hink <[EMAIL PROTECTED]> wrote: > >> Russell Coker <[EMAIL PROTECTED]> wrote: >> >> > Try this one: >> > CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user >> > (root)|(mail)
>> [...] >> "session (opened|closed) for user" matches "session opened for user" >> and "session closed for user" which is what is needed here. "session >> (opened)|(closed) for user" matches "session opened" and "closed for >> user" which does not make much sense in this context. > > Using either variation appears to be working, but that's most likely > due to the simplicity of the message. Well, CRON\[.*\]:( )?\(pam_unix\) session (opened)|(closed) for user (root)|(mail) matches every line matching one of the following expressions: CRON\[.*\]:( )?\(pam_unix\) session (opened) (closed) for user (root) (mail) So for example logcheck won't report any line containing the string "mail" any more which probably is not what you want. Paul -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
