^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
# new pam format
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
^[-:T.+0-9]+ [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
^[-:T.+0-9]+ [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session opened for user [.[:alnum:]-]+ by \(uid=0\)$
^[-:T.+0-9]+ [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session opened for user [.[:alnum:]-]+ by \(uid=0\)$
^[-:T.+0-9]+ [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session closed for user [.[:alnum:]-]+$
^[-:T.+0-9]+ [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session closed for user [.[:alnum:]-]+$
^[-:T.+0-9]+ [._[:alnum:]-]+ identd\[[0-9]+\]: started$
^[-:T.+0-9]+ [._[:alnum:]-]+ identd\[[0-9]+\]: started$
^[-:T.+0-9]+ [._[:alnum:]-]+ chfn\[[0-9]+\]: changed user `logcheck' information$
^[-:T.+0-9]+ [._[:alnum:]-]+ chfn\[[0-9]+\]: changed user `logcheck' information$
^[-:T.+0-9]+ [._[:alnum:]-]+ usermod\[[0-9]+\]: changed user `logcheck' home from '[^']+ to '/var/lib/logcheck'$
^[-:T.+0-9]+ [._[:alnum:]-]+ usermod\[[0-9]+\]: changed user `logcheck' home from '[^']+ to '/var/lib/logcheck'$
