Testing logcheck rules
su -s /bin/bash -c "/usr/sbin/logcheck -dot " logcheck 2>&1 | less
-d .. debug mode
-o .. print to stdout
-t .. do not update the offset in the logfiles; this one is important.
Creating logcheck rules
You don't want to see some message you consider harmless:
- For Security Events edit /etc/logcheck/violations.ignore.d/package (one file named after the package)
- For System Events edit /etc/logcheck/ignore.d.server/package
You don't want to see some message which is not harmless but annoying all the same: think thrice before muting it - you will never remember it afterwards!
- put it into /etc/logcheck/ignore.d.server/local or /etc/logcheck/violations.ignore.d/local
- set up a weekly or monthly cronjob to move this file to a backup location
- regret it and don't do it: better fix the problem
Regexplorer
Use RegExplorer. Paste the offending line of the logcheck mail into the text box (left side). Write your regular expression in the text box at the top.
When the box in the center repeats the string all in yellow, you are done. Paste the regular expression into /etc/logcheck/ignore.d.???/???.
Standard patterns
\w{3} [ :[:digit:]]{11} .. syslog timestamp
[._[:alnum:]-]+ .. hostname, simple or fqdn
[[:digit:]]{2,5} .. pid
[.[:digit:]]{7,15} .. IP-number
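An added example (not from this wiki page) of dry-running a candidate ignore rule with the same egrep semantics logcheck uses, assembled from the standard patterns above; it also shows how an over-broad rule silently swallows a line you would have wanted to see. The sample log lines, the sshd message text and the rules are constructed; GNU grep is assumed.

```bash
#!/bin/bash
# Added example, not the wiki's or logcheck's own code.
# Assumes GNU grep (logcheck itself matches rules with egrep).

# Candidate rule built from the page's standard patterns, anchored at both ends
# like logcheck's shipped rules; the sshd message wording is a constructed sample.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]{2,5}\]: Connection closed by [.[:digit:]]{7,15} port [[:digit:]]{1,5}$'

# A tempting but over-broad rule: it matches anything sshd logs.
BROAD_RULE='sshd\[[[:digit:]]+\]'

# Constructed sample log lines (not real logs); line 2 is one you want to keep seeing.
LOG_LINES='Mar  7 10:15:42 myhost sshd[12345]: Connection closed by 192.0.2.10 port 51234
Mar  7 10:16:01 myhost sshd[12346]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2
Mar  7 10:16:05 myhost.example.org sshd[12347]: Connection closed by 198.51.100.7 port 40000'

# How many lines the rule would mute.  $1 = rule, $2 = log text.
count_matches() {
    printf '%s\n' "$2" | grep -E -c -- "$1" || true
}

# How many lines survive the rule (these are what logcheck would still mail you).
count_unmatched() {
    printf '%s\n' "$2" | grep -E -v -c -- "$1" || true
}

# Print the surviving lines, for eyeballing like "logcheck -dot".
show_unmatched() {
    printf '%s\n' "$2" | grep -E -v -- "$1" || true
}

# Stand-alone run: compare the precise rule with the over-broad one.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "precise rule mutes $(count_matches "$RULE" "$LOG_LINES") line(s); still reported:"
    show_unmatched "$RULE" "$LOG_LINES"
    echo "broad rule mutes $(count_matches "$BROAD_RULE" "$LOG_LINES") line(s) - including the login"
fi
```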