diff --git a/NEWS b/NEWS
index 3fd032797e865f46a76c2939945cab8fdd3ea31a..a6e3ef84d9c56137eda2c61698fd507c4d0d6c93 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ release/002.000 (unreleased) Move campus anycast DNS servers to the bottom of the DNS server list for now. These are not yet considered production DNS servers. + Remove Kerberos filter-syslog rules for eklogind and kshd. + release/001.002 (2013-07-10) newsyslog::config now supports a new analyze_logs parameter, which
diff --git a/files/kerberos/etc/filter-syslog/kerberos b/files/kerberos/etc/filter-syslog/kerberos
index e47525606d3e26eba061f4c460b0c2a3d01536c2..0cf340a3655709c99e51994f7193b4a0d2225b05 100644
--- a/files/kerberos/etc/filter-syslog/kerberos
+++ b/files/kerberos/etc/filter-syslog/kerberos
@@ -1,59 +1,13 @@
-# /etc/filter-syslog/kerberos -- Kerberos daemon syslog filter rules.
-
-klogind: /^Authentication.*failed.*Software caused connection abort/
-klogind: /^Error reading message/
-klogind: /^Kerberos( 5)? authentication failed/
-klogind: /^ROOT login by \S+/root@stanford\.edu/
-klogind: /^connect from (171\.6[4567]\.|\S+\.(?i)stanford\.edu\Z)/
-klogind: /^connect from 172\.2[4567]\./
-klogind: /^connect from ::ffff:171\.6[4567]\./
-
-kshd: /^Executing .* for principal \S+/root@stanford.edu /
-kshd: /^Executing .* for principal host/\S+@stanford.edu /
-kshd: /^Executing .* for principal service/\S+@stanford.edu /
-kshd: /^Executing .* for principal webauth/\S+@stanford.edu /
-kshd: /^Principal .* for local user root failed krb5_kuserok/
-kshd: /^Shell process completed\.$/
-kshd: /^connect from (171\.6[4567]\.|\S+\.(?i)stanford\.edu\Z)/
-kshd: /^connect from 172\.2[4567]\./
-kshd: /^connect from ::ffff:171\.6[4567]\./
-kshd: /^kshd: .* failed: Software caused connection abort/
-kshd: /^kshd: Permission denied\./
-kshd: /^pam_unix\(ekshell:session\): session (opened|closed) /
-kshd: /^read: Connection reset by peer$/
-
-login: /^\S+ connecting securely from /
-login: /^ROOT LOGIN pts/\d+/
-login: /^pam_unix\(remote:session\): session (opened|closed) /
-
-ksu: /^\S+ to root on /dev/pts/\d+$/
-ksu: /^'ksu root' authenticated \S+/root@stanford\.edu /
-ksu: /^Account root: authorization for \S+ successful$/
-ksu: /^Account root: authorization for \S+ for execution of \S+ successful$/
-ksu: /^pam_unix\(ksu:session\): session (opened|closed) for user root/
-
-xinetd: /^START: eklogin pid=\d+ from=[a-f:\d.]+$/
-xinetd: /^START: kshell pid=\d+ from=[a-f:\d.]+$/
-xinetd: /^EXIT: eklogin( status=\d+)? pid=\d+ duration=\d+\((sec|min)\)$/
-xinetd: /^EXIT: kshell status=\d+ pid=\d+ duration=\d+\((sec|min)\)$/
-
-# Messages generated by the PAM support on Red Hat.
-ekshell(pam_unix): /^session (opened|closed) for user/
-remote(pam_unix): /^session (opened|closed) for user/
-
-# Ignore noise generated by port scans.
-klogind: /^Can't get peer name of remote host/
-klogind: /^get peer name failed 0/
-kshd: /^connect second port: Connection (refused|timed out)$/
-
-# Ignore noise from refused connections due to hosts.allow configuration.
-klogind: /^refused connect from /
-kshd: /^refused connect from /
-xinetd: /^libwrap refused connection to (eklogin|kshell) /
-
-# Sometimes long tripwire updates truncate the kshd log line.
-kshd: /^Executing -x cd /root/tmp && /afs/ir/site/leland/tripwire.*/
-
-# Ignore failed ksu from members of the UNIX team. We all periodically
-# mistype our password.
+# Kerberos syslog filter rules. -*- conf -*-
+#
+# All this currently contains is the filter rules for ksu.
+
+ksu: /^\S+ to root on /dev/pts/\d+$/
+ksu: /^'ksu root' authenticated \S+/(root|admin)@stanford\.edu /
+ksu: /^Account root: authorization for \S+ successful$/
+ksu: /^Account root: authorization for \S+ for execution of \S+ successful$/
+ksu: /^pam_unix\(ksu:session\): session (opened|closed) for user root/
+
+# Ignore failed ksu from systems administrators. We all periodically mistype
+# our password.
 ksu: /^'ksu root' authentication failed for (darrenp1|digant|hallk|meeilee|pradtke|rra|sfeng|whm|vdc|yuelu) on /dev/pts/\d+$/
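Review bot: The re-added rule `ksu: /^'ksu root' authenticated \S+/(root|admin)@stanford\.edu /` is wider than the one it replaces (`\S+/root@stanford\.edu`): successful ksu-to-root by any `admin` instance is now suppressed along with `root` instances, so those escalations drop out of whatever this filter feeds (the file's own comments describe its entries as "Ignore ..." patterns). Neither the new header comment nor the NEWS entry mentions this; the changelog only records the eklogind/kshd removal. If admin instances are meant to be trusted to become root on these hosts, I would state that above the rule, e.g. `# Both root and admin instances are authorized to ksu to root; only other principals are reported.`, and add a NEWS line for it; otherwise keep the `root`-only pattern so admin-instance escalations stay visible. As far as I can tell the rule still only matches principals in the stanford.edu realm, so a successful ksu by a foreign-realm principal is still reported, which looks intended.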