Testing logcheck rules

su -s /bin/bash -c "/usr/sbin/logcheck -dot " logcheck 2>&1 | less

-d .. debug-mode?BR -o .. print to stdout?BR -t .. do not update offset in logfiles, this one is important.

Creating logcheck rules

You don't want to see some message you consider harmless:

  • For /Security Events/ edit /etc/logcheck/violations.ignore.d/package
  • For /System Events/ edit /etc/logcheck/ignore.d.server/package You don't want to see some message which is not harmless but meanwhile annoying:

  • think thrice before muting it - you will never remember after!

  • but it into /etc/logcheck/ignore.d.server/local or /etc/logcheck/violations.ignore.d/local
  • set up a weekly or monthly cronjob to move this file to backup
  • regret and don't do it: better fix the problem


Use ?RegExplorer. Paste offending line of the logcheck mail into the text box (left side). Write your regular expression in the textbox on the top.

When the box in the center repeats the string all in yellow, you are done. paste the regular expression in /etc/logcheck/ignore.d.???/???.

Standard patterns

\w{3} [ :[:digit:]]{11}           syslog timestamp
[._[:alnum:]-]+                   hostname, simple or fqdn
?:digit:{2,5}                  pid
[.[:digit:]]{7,15}                IP-number

?CategorySysadmin ?LangEn