cron login events still logging
/etc/clearos/events.d/20-user-auth.conf line 29 needs to be changed to
<pattern>pam_unix\(sudo:session\): session opened for user root by \(uid\=0\)</pattern>
or perhaps the section:
<alert type="EXCLUDED" level="NORM" source="syslog" exclude="true">
  <locale lang="en">
    <text>Excluded PAM session</text>
    <pattern>pam_unix\(sudo:session\): session opened for user root by \(uid=0\)</pattern>
  </locale>
</alert>
<alert type="EXCLUDED" level="NORM" source="syslog" exclude="true">
  <locale lang="en">
    <text>Excluded PAM session</text>
    <pattern>pam_unix\(sudo:session\): session closed for user root</pattern>
  </locale>
</alert>
can be simplified to something like:
<alert type="EXCLUDED" level="NORM" source="syslog" exclude="true">
  <locale lang="en">
    <text>Excluded PAM session</text>
    <pattern>pam_unix\(sudo:session\): session (open|clos)ed for user root</pattern>
  </locale>
</alert>
..... testing
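
An added example, not part of the original report or of ClearOS itself: it compares what the two existing exclusion patterns and the proposed simplified one would suppress. It assumes the events engine applies each pattern as an unanchored regular expression (approximated here with Python's `re.search`); the log lines and the `TIGHTER` pattern are constructed for illustration.

```python
import re

# Patterns copied from the report above.
CURRENT = [
    r"pam_unix\(sudo:session\): session opened for user root by \(uid=0\)",
    r"pam_unix\(sudo:session\): session closed for user root",
]
SIMPLIFIED = [r"pam_unix\(sudo:session\): session (open|clos)ed for user root"]

# Hypothetical single-alert alternative that keeps the "by (uid=0)" constraint
# on the opened event (not from the report).
TIGHTER = [
    r"pam_unix\(sudo:session\): session "
    r"(opened for user root by \(uid=0\)|closed for user root)"
]

# Constructed syslog lines (hostnames, users and timestamps are made up).
SAMPLES = {
    # sudo run from a root cron job: no login name before "(uid=0)"
    "cron_open": "Jan 10 03:00:01 gw sudo: pam_unix(sudo:session): "
                 "session opened for user root by (uid=0)",
    "cron_close": "Jan 10 03:00:01 gw sudo: pam_unix(sudo:session): "
                  "session closed for user root",
    # interactive sudo by a named user: login name precedes "(uid=...)"
    "admin_open": "Jan 10 09:14:22 gw sudo: pam_unix(sudo:session): "
                  "session opened for user root by alice(uid=0)",
    # different PAM service, should never be excluded by these rules
    "sshd_open": "Jan 10 09:20:05 gw sshd[2211]: pam_unix(sshd:session): "
                 "session opened for user root by (uid=0)",
}


def excluded(patterns, line):
    """True if any exclusion pattern matches the log line."""
    return any(re.search(p, line) for p in patterns)


def compare():
    """Map sample name -> (current, simplified, tighter) exclusion results."""
    return {
        name: tuple(excluded(p, line) for p in (CURRENT, SIMPLIFIED, TIGHTER))
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, flags in compare().items():
        print(f"{name:11} current={flags[0]} simplified={flags[1]} tighter={flags[2]}")
```

Under these assumptions the simplified pattern also excludes the "session opened" event for a named user running sudo to root, which the existing pair still reports; the "session closed" line carries no originator, so it is excluded in every variant.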