I have been using logcheck for more than ten years and have never had a problem with it. Now some messages are not being ignored, and I cannot work out why.
My ignore.d.server/_self contains:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_unix\(sudo:session\): session (opened|closed) for user (root|logcheck)( by \(uid=0\))?$
Yet I still receive several e-mails a day containing the following:
Apr 6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session closed for user root
These should not be showing up. I am confident my regular expression is fine; you can see that it matches:
# echo 'Apr 6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session opened for user root by (uid=0)' | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_unix\(sudo:session\): session (opened|closed) for user (root|logcheck)( by \(uid=0\))?$'
Apr 6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session opened for user root by (uid=0)
#
# echo 'Apr 6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session closed for user root' | egrep '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_unix\(sudo:session\): session (opened|closed) for user (root|logcheck)( by \(uid=0\))?$'
Apr 6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session closed for user root
#
Why are these messages not being filtered?
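A way to reproduce logcheck's ignore step outside logcheck, so that the rule file itself (rather than a pattern pasted into egrep) is what gets tested. This is an added example, not part of the question; it assumes GNU grep and mirrors the grep -E -v -f call logcheck makes against its ignore files. The rule is the one from the post; the log lines, the temporary file names and the CRLF-damaged copy of the rule file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: replay logcheck's ignore step (grep -E -v -f RULEFILE) against
# a few sample lines, report which lines survive, and run two hygiene checks on
# the rule file. Assumes GNU grep; all file contents below are constructed.

RULES=$(mktemp)      # well-formed rule file
RULES_CRLF=$(mktemp) # same rule with DOS line endings (constructed defect)
LOG=$(mktemp)        # constructed sample log
trap 'rm -f "$RULES" "$RULES_CRLF" "$LOG"' EXIT

cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo\[[0-9]+\]: pam_unix\(sudo:session\): session (opened|closed) for user (root|logcheck)( by \(uid=0\))?$
EOF
# Same rule terminated by CR LF: the CR becomes part of the pattern, so
# "...)?\r$" can never match a syslog line that ends in a bare LF.
printf '%s\r\n' "$(cat "$RULES")" > "$RULES_CRLF"

# Note the two spaces before a single-digit day: syslog pads the day field,
# and the rule's "[ :0-9]{11}" counts on that padding being present.
cat > "$LOG" <<'EOF'
Apr  6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr  6 19:41:09 radix sudo[4357]: pam_unix(sudo:session): session closed for user root
Apr  6 19:42:00 radix sudo[4360]: pam_unix(sudo:session): session opened for user alice by (uid=0)
EOF

# What logcheck would mail: every sample line matched by no rule in file $1.
reported_lines() {
    LC_ALL=C grep -E -v -f "$1" "$LOG" || true
}

# How many sample lines each rule in file $1 matches; 0 marks a dead rule.
rule_hits() {
    while IFS= read -r rule; do
        hits=$(LC_ALL=C grep -E -c -e "$rule" "$LOG" || true)
        printf '%s\t%s\n' "$hits" "$rule"
    done < "$1"
}

# Two ways a rule file can differ from the pattern typed into egrep while
# looking identical in an editor: CR line endings and trailing blanks. Both
# sit between the last visible character and "$", so the anchor never matches.
rulefile_problems() {
    cr=$(printf '\r')
    grep -q -F "$cr" "$1" && echo "CR line endings in $1"
    grep -q -E '[[:blank:]]$' "$1" && echo "trailing whitespace in $1"
    return 0
}

echo "== reported with clean rule file =="; reported_lines "$RULES"
echo "== reported with CRLF rule file =="; reported_lines "$RULES_CRLF"
echo "== per-rule hit counts (clean) =="; rule_hits "$RULES"
echo "== per-rule hit counts (CRLF) =="; rule_hits "$RULES_CRLF"
echo "== rule file problems =="
rulefile_problems "$RULES"; rulefile_problems "$RULES_CRLF"
```

With the clean rule file only the sudo session for the other user is reported; with the CRLF copy all three lines survive and the hit count for the rule drops to zero, which is the symptom to look for when a pattern that matches in egrep still reaches the mail. Point `LOG` at a copy of the real syslog and `RULES` at the real file under ignore.d.server to test the deployed rules the same way.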