This file is indexed.

/etc/logcheck/violations.d/su is in logcheck-database 1.3.18.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

1
2
3
4
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ pts/[0-9]+ [[:alnum:]]+[-:]root$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \+ \?\?\? root[-:][[:alnum:]]+$