logcheck report flooded with cron session lines
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
logcheck (Ubuntu) | New | Medium | Robie Basak | |
Bug Description
Ubuntu 24.04 / logcheck 1.4.3. No rsyslog installed, pure journal.
logcheck floods reports with the following lines:
...
Mär 30 05:35:01 ad525 CRON[14991]: pam_unix(
Mär 30 05:39:01 ad525 CRON[15004]: pam_unix(
Mär 30 05:45:01 ad525 CRON[15067]: pam_unix(
Mär 30 05:55:01 ad525 CRON[15102]: pam_unix(
Mär 30 06:05:01 ad525 CRON[15131]: pam_unix(
Mär 30 06:09:01 ad525 CRON[15144]: pam_unix(
Mär 30 06:15:01 ad525 CRON[15205]: pam_unix(
Mär 30 06:17:01 ad525 CRON[15212]: pam_unix(
...
There is a line in /etc/logcheck/
^(\w{3} [ :0-9]{11}
I guess it should read
^(\w{3} [ :0-9]{11}
(additional line or modified line?)
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: logcheck 1.4.3
ProcVersionSign
Uname: Linux 6.8.0-11-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckR
Date: Sun Mar 31 11:43:07 2024
PackageArchitec
ProcEnviron:
LANG=de_DE.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-
XDG_RUNTIME_
SourcePackage: logcheck
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
modified.
modified.
mtime.conffile.
mtime.conffile.
mtime.conffile.
Changed in logcheck (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: server-todo
tags: added: bitesize
Changed in logcheck (Ubuntu):
assignee: nobody → Robie Basak (racb)
Thank you for reporting this bug and helping to make Ubuntu better.
As far as I can tell, the line you've provided should be matched by the following line, from /etc/logcheck/ignore.d.paranoid/cron:
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?$
For my locale I used this as test log file input:
Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
I created this by creating a cronjob to run every minute. After the log line appeared, I also tried "sudo -u logcheck logcheck -o -t" and the line was *not* reported (matching expected behaviour).
Additionally, logcheck-test output is as follows:
# logcheck-test -q -l ~/test.log -r /etc/logcheck/ignore.d.paranoid/cron && echo match
Apr 05 14:57:01 logcheck CRON[6191]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
match
So it looks like that line is matching as expected.
logcheck(8) says:
> The ignore rules work in additive manner. "paranoid" rules are also included at level "server". "workstation" level includes both "paranoid" and "server" rules.
Therefore, if it matches paranoid rules, it should be sufficient for all settings. I see from your report that you have extensive logcheck configuration customisations. Is this interfering with this expectation somehow?
It might be that ignore.d.server/logcheck could be improved with the newer PAM patterns, but to justify making a specific change in Ubuntu directly I need a specific failure case that I can reproduce please. Otherwise, code quality improvements should probably be sent as merge requests directly to https://salsa.debian.org/debian/logcheck instead.
Since I cannot reproduce the behaviour you're experiencing, I'm marking the bug as Incomplete for Ubuntu. If this turns out to be a local configuration issue, please set the status as Invalid. If you can provide steps to reproduce or have a correction to make to my analysis, please do that in a comment and then change the status back to New. Thanks!
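The rule test from the comment above, extended as an added example that is not part of the bug report or of logcheck itself: it runs the quoted ignore.d.paranoid/cron rule through `grep -E` against two constructed lines, one with the "Apr" prefix used in the comment and one with the "Mär" prefix seen in the report, under the C locale and under a UTF-8 locale if one is installed. The function names, hostname and PIDs are assumptions, and `\w` relies on a grep that supports that extension (GNU grep does).

```shell
#!/bin/sh
# Added example: check the quoted cron rule against constructed log lines,
# once per locale, to see which lines would be filtered and which reported.

# Rule as quoted from /etc/logcheck/ignore.d.paranoid/cron in the comment above.
RULE='^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ CRON\[[0-9]+\]: pam_[[:alnum:]]+\(cron:session\): session (opened|closed) for user [[:alnum:]-]+(\(uid=[[:digit:]]+\))?( by \(uid=[0-9]+\))?$'

# Constructed sample lines (hostname and PID are made up for this example).
TAIL='host1 CRON[1001]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)'
APR_LINE="Apr 05 14:57:01 $TAIL"
# "Mär" with the a-umlaut written as its two UTF-8 bytes (C3 A4).
MAER_LINE="$(printf 'M\303\244r 30 05:35:01') $TAIL"

# rule_matches LOCALE LINE -> exit status 0 if the rule matches the line
# (i.e. the line would be ignored) when grep runs under LOCALE.
rule_matches() {
    printf '%s\n' "$2" | LC_ALL="$1" grep -Eq -- "$RULE"
}

# Print the first UTF-8 locale installed on this host, or nothing if none.
utf8_locale() {
    locale -a 2>/dev/null | grep -i -E 'utf-?8' | head -n 1
}

# Print one result row per (locale, line) pair.
report() {
    for loc in C "$(utf8_locale)"; do
        [ -n "$loc" ] || continue
        for line in "$APR_LINE" "$MAER_LINE"; do
            if rule_matches "$loc" "$line"; then r=ignored; else r=REPORTED; fi
            printf '%-12s %-8s %s\n' "$loc" "$r" "$line"
        done
    done
}

report
```

Under `LC_ALL=C` the "Mär" line is not matched, because `ä` is two bytes there and neither counts as a word character for `\w{3}`; which locale logcheck's own matching runs under is not stated on this page.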