The default tenshi.conf contains entries like:

    report ^sshd: Accepted rsa for (.+) from (.+) port (.+)
    root ^sshd\(pam_unix\): session opened for user root by root\(uid=0\)
    root ^sshd\(pam_unix\): session opened for user root by \(uid=0\)

But sshd log entries have the PID in brackets before the colon. I had to modify the regexes as follows to get tenshi to pick them up:

    report ^sshd\[\d+\]: Accepted rsa for (.+) from (.+) port (.+)
    root ^sshd\(pam_unix\)\[\d+\]: session opened for user root by root\(uid=0\)
    root ^sshd\(pam_unix\)\[\d+\]: session opened for user root by \(uid=0\)

Default regexes for other types of entries may have the same problem. I haven't looked too much into it yet, as I've only been using tenshi for ~10 minutes.
Maybe you should have started those 10 minutes by reading the man page? ;) Please see:

    set hidepid

This is turned on in the default configuration file, alongside the default regex examples which rely on that behaviour.
Marking as INVALID.
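
The interaction discussed in this thread, as an added example that is not part of the original report and is not tenshi's own code: it runs the two rule sets quoted above over sample sshd lines with PID hiding on and off, and counts which lines land in a queue. Assumptions: hidepid is modelled as removing the bracketed PID from the program tag before matching, the first matching rule wins, the log lines are constructed, and the "unmatched" bucket and function names are hypothetical.

```python
import re

# Rules as quoted in the thread: (queue, regex).
DEFAULT_RULES = [
    ("report", r"^sshd: Accepted rsa for (.+) from (.+) port (.+)"),
    ("root", r"^sshd\(pam_unix\): session opened for user root by root\(uid=0\)"),
    ("root", r"^sshd\(pam_unix\): session opened for user root by \(uid=0\)"),
]
PID_RULES = [
    ("report", r"^sshd\[\d+\]: Accepted rsa for (.+) from (.+) port (.+)"),
    ("root", r"^sshd\(pam_unix\)\[\d+\]: session opened for user root by root\(uid=0\)"),
    ("root", r"^sshd\(pam_unix\)\[\d+\]: session opened for user root by \(uid=0\)"),
]

# Constructed sample lines (program tag onward), not taken from a real host.
SAMPLE_LINES = [
    "sshd[4321]: Accepted rsa for root from 192.0.2.10 port 50022",
    "sshd(pam_unix)[4321]: session opened for user root by root(uid=0)",
    "sshd(pam_unix)[4321]: session opened for user root by (uid=0)",
    "sshd[4400]: Failed password for invalid user test from 192.0.2.77 port 40100",
]

# Assumption: hidepid is modelled as dropping "[pid]" from the program tag.
PID_IN_TAG = re.compile(r"^([^\s:\[]+)\[\d+\]:")

def strip_pid(line):
    return PID_IN_TAG.sub(r"\1:", line, count=1)

def classify(lines, rules, hidepid):
    """Return {queue: [lines]}; lines no rule matches go to 'unmatched'."""
    compiled = [(queue, re.compile(rx)) for queue, rx in rules]
    queues = {"unmatched": []}
    for line in lines:
        text = strip_pid(line) if hidepid else line
        for queue, rx in compiled:
            if rx.search(text):
                queues.setdefault(queue, []).append(text)
                break
        else:
            queues["unmatched"].append(text)
    return queues

def summary(lines, rules, hidepid):
    return {q: len(v) for q, v in classify(lines, rules, hidepid).items()}

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("pid-aware", PID_RULES)):
        for hidepid in (True, False):
            print(name, "hidepid=%s" % hidepid, summary(SAMPLE_LINES, rules, hidepid))
```

In this model the default rules with PID hiding off leave every sample line unmatched, including both root session lines, so a rule set and the hidepid setting need to be checked together against real log lines whenever either one changes.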