[PLUG] syslog.conf
Chris Jantzen
chris at maybe.net
Wed Jan 21 06:35:06 UTC 2004
On Tue, Jan 20, 2004 at 10:47:36PM -0800, Guy Noire wrote:
> I need to get these lines out of /var/log/auth.log
>
>
> Jan 20 22:39:01 kosmal cron(pam_unix)[12621]: session closed for user kevan
> [...]
>
> So I changed /etc/syslog.conf to this.
>
>
> auth,authpriv.*;cron.none /var/log/auth.log
> <added cron.none>
>
> Question is ??
>
> What am I doing wrong??
> Shouldn't that stop cron logging in auth.log??
You'd think so, eh?

> I am missing something here..

The log lines in question *aren't* coming from cron, they're coming
from pam_unix.so and they're coming at authpriv.info, not cron.*. The
following may work (untested):

    authpriv.!info;auth,authpriv.* /var/log/auth.log

Although this may lose information in other ways.

What you should do is use a program like logcheck to filter and send
you email of suspicious log entries. Then you can tweak the filters
with regexes to get rid of this stuff on a more fine-grained level.

HTH
--
chris kb7rnl =->
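
The regex-level filtering suggested above, as an added example that is not part of the original post and is not logcheck's own code or rule set: it drops only routine cron session open/close lines and keeps every other authpriv message, including other pam_unix messages logged on behalf of cron. The sample log lines, the rule pattern and the function name are constructed for illustration.

```python
import re

# Constructed sample lines, modelled on the auth.log entry quoted in the post.
SAMPLE_LOG = """\
Jan 20 22:39:01 kosmal cron(pam_unix)[12621]: session opened for user kevan by (uid=0)
Jan 20 22:39:01 kosmal cron(pam_unix)[12621]: session closed for user kevan
Jan 20 22:41:17 kosmal sshd[12702]: Failed password for root from 192.0.2.10 port 4022 ssh2
Jan 20 22:42:03 kosmal su(pam_unix)[12710]: authentication failure; logname=kevan uid=1000 euid=0 tty=pts/1 ruser=kevan rhost=  user=root
Jan 20 22:45:01 kosmal cron(pam_unix)[12733]: session closed for user root
Jan 20 22:50:01 kosmal cron(pam_unix)[12750]: account kevan has expired (account expired)
"""

# Syslog line prefix: "Mon DD HH:MM:SS hostname ".
PREFIX = r"^\w{3} [ :0-9]{11} [\w.-]+ "

# Hypothetical ignore rules (not logcheck's shipped rules). Each rule is
# anchored at both ends so it matches one routine message and nothing else
# from the same program.
IGNORE_RULES = [
    PREFIX + r"cron\(pam_unix\)\[\d+\]: session (opened|closed) "
             r"for user [\w.-]+( by \(uid=\d+\))?$",
]


def filter_log(text, rules=IGNORE_RULES):
    """Split log text into (kept, dropped) lines using the ignore rules."""
    compiled = [re.compile(rule) for rule in rules]
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if any(rx.search(line) for rx in compiled):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_LOG)
    print(f"suppressed {len(dropped)} routine cron session lines")
    for line in kept:
        print(line)
```

Unlike a facility/priority selector in syslog.conf, this leaves the expired-account message from cron's PAM stack in the output, because the rule matches on message text rather than on authpriv.info as a whole.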