[SOLVED] Filter pam_rhosts_auth messages to prevent the logs filling up

goodgame · 03-08-2010, 10:24 AM

I have a batch job which logs in to the server every 10 minutes via windows rsh. The job checks to see is there are any files that need to be send via a EDI server to a supplier.

The following logwatch report is swamped with the login messages and would like to either suppress the logging in PAM? or suppress the entry in the logwatch report?

But I still want logging id the username is not username1.

--------------------- Connections (secure-log) Begin ------------------------
rshd[1754]: pam_rhosts_auth(rsh:auth): allowed to username1@10.0.0.1 as myedi

Does anyone know of a way round this?

Thanks in advance..

unSpawn · 03-08-2010, 03:01 PM

Quote:

Originally Posted by goodgame

I have a batch job which logs in to the server every 10 minutes via windows rsh. The job checks to see is there are any files that need to be send via a EDI server to a supplier.

By Jove! Shouldn't you use push instead of pull?..

Quote:

Originally Posted by goodgame

suppress the logging in PAM? or suppress the entry in the logwatch report? (..) still want logging id the username is not username1.

What you don't log you won't see. So don't try to suppress in logfiles. The daemon and service files Logwatch uses will have a line saying "# Ignore these entries", so just add your one-liner regex for the daemon/service+logline+username there.

goodgame · 03-09-2010, 03:25 AM

Quote:

Originally Posted by unSpawn

By Jove! Shouldn't you use push instead of pull?..

What you don't log you won't see. So don't try to suppress in logfiles. The daemon and service files Logwatch uses will have a line saying "# Ignore these entries", so just add your one-liner regex for the daemon/service+logline+username there.

I added a regex to the file /etc/logwatch/conf/ignore.conf. and now the report is great. I now see '3772 Ignored Lines'. Thank you for your help.