LF_SU_EMAIL_ALERT = "1" not working

[bulgin]

I'm having an issue with:

LF_SU_EMAIL_ALERT = "1"

I usually login as a normal user via ssh on a non-standard port then su to root sometimes, but I only get the alert for the initial normal user login and not the switch to root. Is that normal behavoir?

I have this in csf.conf:
LF_SU_EMAIL_ALERT = "1"

SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/auth.log"

ssh logins are reported but not su_log, even though I see the following in the auth.log:

May 7 14:33:41 mydomain su[13078]: Successful su for root by a_user_name

[globalnethoster]

i am getting the alert for the SU with the SU template. but i am NOT getting the SSH login at all. EXCEPT! when i do get the SU alert, i then get 2 notices and both with the SU template. i am tshooting this right now but i've not been throo the csf code.

[globalnethoster]

got a clue here
email was tripping up when 2+ comma del'd
look at csf.pl - line 1829 (domail sub) that an unclosed bracket '<' there?
i'm a php guy new to pl (i could kick myself) and dont know whether to remove that left bracket or add one at the end of 'hostname' (...hostname>")
anyway there is an errant formation in the 2nd email
and i'm not getting the ssh login.

[bulgin]

I don't see that at line 1829 in my csf.pl

[globalnethoster]

hmm... i removed the '<' in mine, going to run some tests this week, will get back.

[chirpy]

May 7 14:33:41 mydomain su[13078]: Successful su for root by a_user_name

It's picking them up because that line isn't matched by the regular expressions in regex.pm

What OS and version are you running?

[lewstherin]

I have the same issue with Debian 5 x64, my auth.log looks the same.

[chirpy]

I'll add it to the dev list for Debian.