From 213f08b2d30b218b03ce88b8cbf94ccda01dbdcd Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Mon, 8 May 2017 07:52:27 -0700
Subject: [PATCH] ignore more sshd log messages

---
 NEWS                                    | 2 ++
 templates/ssh/etc/filter-syslog/ssh.erb | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 9353c41..dee869d 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ release/005.007 (unreleased)
     the actual ssh service running on the server, so it is a very
     low-impact change. [adamhl]
 
+    [ssh] Ignore a couple more innocuous sshd log lines. [adamhl]
+
 release/005.006 (2017-02-16)
 
     [kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
diff --git a/templates/ssh/etc/filter-syslog/ssh.erb b/templates/ssh/etc/filter-syslog/ssh.erb
index ff03126..4eee2c7 100644
--- a/templates/ssh/etc/filter-syslog/ssh.erb
+++ b/templates/ssh/etc/filter-syslog/ssh.erb
@@ -63,7 +63,7 @@ sshd: /^Postponed \S+ for invalid user \S+ from (::ffff:)?171\.67\.22\.12 /
 sshd: /^Disconnecting: Too many authentication failures for \S+$/
 
 # Ignore failed logins by ACS and other AS and ITS staff.  We all mistype
-# passwords occasionally.
+# passwords occasionally. Also ignore successful Duo login.
 <%-
   # Create an "OR" of all the sunetids we can ignore.
   if (@filter_sunetids.length > 0) then
@@ -75,6 +75,8 @@ sshd: /^Disconnecting: Too many authentication failures for (<%= ignore_or_strin
 sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (<%= ignore_or_string %>) from [a-f:\d.]+ port \d+ ssh2$/
 sshd: /^PAM \d+ more authentication failures?; .* user=(<%= ignore_or_string %>)$/
 sshd: /^error: PAM: Authentication failure for (<%= ignore_or_string %>) from [a-z:\d.-]+$/
+sshd: /requirement "uid eq 0" not met by user "<%= ignore_or_string %>"/
+sshd: /Successful Duo login for '<%= ignore_or_string %>' from .*\.stanford.edu/
 <%-
   else
 -%>
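Review bot: Both added rules interpolate `<%= ignore_or_string %>` without the parentheses the neighbouring rules use, so if it is the `a|b|c` alternation the template comment describes, the `|` splits the whole regex. Any sshd line that merely contains one of the middle sunetids would then be dropped from the filtered syslog report, which hides far more than the two messages intended. I would group it as `sshd: /requirement "uid eq 0" not met by user "(<%= ignore_or_string %>)"/` and `sshd: /Successful Duo login for '(<%= ignore_or_string %>)' from \S+\.stanford\.edu$/`. The second form also escapes the dot before `edu` and assumes the message ends at the hostname; without an end anchor, a reverse-DNS name such as `x.stanford.edu.example.net` would match too. The enclosing `if`/`else` block starts and ends outside this hunk, so the `else` branch should be checked for the same treatment.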
-- 
GitLab