Markus Hedlund | 13 Apr 10:22 2012

Rule doesn't work even though it works with egrep

Hi,

I get these lines in my logcheck emails:

Apr 12 10:35:47 server sudo: www-data : TTY=unknown ; PWD=/var/www/public_html ; USER=root ; COMMAND=/var/scripts/script.sh 123

Even though I have this in i.d.s/sudo:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: www-data : TTY=unknown ; PWD=/var/www/public_html ; USER=root ; COMMAND=/var/scripts/script.sh [0-9]+$

I've tested the sudo rules with "egrep -f sudo /var/log/auth.log" and
they seem to match. What am I missing?

Version: 1.3.13

Sincerely
Markus Hedlund
