Ignore su with ':' as delimiter.

2 files changed, 3 insertions, 0 deletions

diff --git a/logcheck/violations.ignore.d/local b/logcheck/violations.ignore.d/local
index 4c5957a..463d983 100644
--- a/logcheck/violations.ignore.d/local
+++ b/logcheck/violations.ignore.d/local
@@ -71,6 +71,8 @@ smbd\[[0-9]+\]:   write_socket_data: write failure\. Error = Connection reset by
 ### violations.ignore.d/ssh
 sshd\[[0-9]+\]: Failed keyboard-interactive for [^[:space:]]+ from [\.0-9]+ port [0-9]+ ssh2$
 ssh\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=[^[:space:]]+  user=[^[:space:]]+$
+### violations.ignore.d/su
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]-]+ ?$
 ### violations.ignore.d/temp
 (imap|netatalk|pop|samba)\(pam_unix\)\[[0-9]+\]: authentication failure; logname= uid=0 euid=0 tty=[^[:space:]]* ruser= rhost=[^[:space:]]*  user=[[:alnum:]]+$
 afpd\[[0-9]+\]: afp_flushfork: of_find: Permission denied
diff --git a/logcheck/violations.ignore.d/su b/logcheck/violations.ignore.d/su
new file mode 100644
index 0000000..3bf3525
--- /dev/null
+++ b/logcheck/violations.ignore.d/su
@@ -0,0 +1 @@
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root:[[:alnum:]-]+ ?$