03.25.05
debian logcheck nonsense
For a while now I’ve been getting spammed by logcheck running on one of the servers I maintain. I had upgraded some random packages, and then started getting the following messages consistently:
Mar 25 14:23:01 localhost cron(pam_unix)[3477]: session opened for user mail by (uid=0)
Mar 25 14:23:01 localhost cron(pam_unix)[3477]: session closed for user mail
It turns out that sometime from pam .76-14 to pam .76-22 (the libpam-modules package in particular), the format of libpam reporting was changed to:
Mar 25 14:39:01 localhost CRON[3581]: (pam_unix) session opened for user root by (uid=0)
Mar 25 14:39:01 localhost CRON[3581]: (pam_unix) session closed for user root
Here is the cvs diff in logcheck concerning this issue. Here is the main logcheck homepage. For quick reference, here are the two regex rules that work for the older version:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_[[:alnum:]]+\)\[[0-9]+\]: session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_[[:alnum:]]+\)\[[0-9]+\]: session closed for user [[:alnum:]-]+$
To test the regex:
egrep -v -f rules/ignore.d.paranoid/cron < test2.log
assuming the rule is in the file cron, and test2.log is a sample of the log output. Another interesting tidbit about logcheck is that it always also applies all *more* restrictive rule sets, i.e. “server” implicitly includes “paranoid” and “workstation” includes “server”.
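To see that check in action, here is an added example (not from the original post) that builds a constructed test2.log containing both the old and the new pam_unix formats plus one unrelated line, puts the two rules above into rules/ignore.d.paranoid/cron, and runs the same egrep -v -f filter (spelled grep -E for portability). The old-format lines are suppressed, while the new-format lines still come through, which is exactly the mismatch the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the logcheck ignore
# rules against constructed log lines in both pam_unix formats.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: two old-format lines (cron(pam_unix)), two
# new-format lines (CRON[pid]: (pam_unix)), and one unrelated sshd line
# that must never be swallowed by a cron rule.
cat > "$WORK/test2.log" <<'EOF'
Mar 25 14:23:01 localhost cron(pam_unix)[3477]: session opened for user mail by (uid=0)
Mar 25 14:23:01 localhost cron(pam_unix)[3477]: session closed for user mail
Mar 25 14:39:01 localhost CRON[3581]: (pam_unix) session opened for user root by (uid=0)
Mar 25 14:39:01 localhost CRON[3581]: (pam_unix) session closed for user root
Mar 25 14:40:00 localhost sshd[3600]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
EOF

# The two ignore rules from the post, in a file named "cron" as in the post.
mkdir -p "$WORK/rules/ignore.d.paranoid"
cat > "$WORK/rules/ignore.d.paranoid/cron" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_[[:alnum:]]+\)\[[0-9]+\]: session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cron\(pam_[[:alnum:]]+\)\[[0-9]+\]: session closed for user [[:alnum:]-]+$
EOF

# Lines logcheck would still report: everything NOT matched by an ignore rule.
# grep -E -v -f is the portable spelling of the post's egrep -v -f.
remaining_lines() {
    grep -E -v -f "$WORK/rules/ignore.d.paranoid/cron" < "$WORK/test2.log" || true
}

# Number of reported lines; 3 here (two new-format pam lines + the sshd line).
remaining_count() {
    remaining_lines | wc -l | tr -d ' '
}

remaining_lines
```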