> On 30/07/22 10:20, Andy Smith wrote:
> Hello,
> 
> On Fri, Jul 29, 2022 at 04:30:19PM +1200, Richard Hector wrote:
> > My thought is to configure rsyslog to create extra logfiles, equivalent to
> > syslog and auth.log (the two files that logcheck monitors by default), which
> > only log messages at priority 'warning' or above, and configure logcheck to
> > monitor those instead. This should cut down the amount of filter maintenance
> > considerably.
> > 
> > Does this sound like a reasonable idea?
> 
> Personally I wouldn't (and don't) do it. It sounds like a bunch of
> work only to end up with things that get logged anyway (as you
> noted) plus the risk of missing other interesting things.

I started by enabling the extra logs on one system. I found I saw _more_ interesting things, because they weren't hidden by mountains of other stuff. That's in the boot-time kernel messages, btw. I only got 14 lines (total, not filtered by logcheck) when I was only showing warning or higher, rather than the screeds I normally see. I never had time to go through all those, even to read and understand them, let alone write filters, and having to decide what was important, what not, and whether the same messages with different values would be.

I think this will be useful to me, and the work isn't much because it's the same for every system (or at least every system that runs logcheck), which I can push out with ansible, where the filters have to be much more system- (or service-)specific.

The full logs are of course still there if I need to go back and look for something.

> I don't find writing logcheck filters to be a particularly big time
> sink. But if you do then it might alter the balance for you.

Thanks for your input :-)

Richard
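A concrete version of the rsyslog split discussed above, added here as an example rather than taken from either poster. The file name and the two output paths are my own choices; the selector lines mirror Debian's stock `auth,authpriv.*` and `*.*;auth,authpriv.none` rules, with the priority raised to `warning`, which in classic rsyslog selector syntax means "that priority or higher".

```conf
# /etc/rsyslog.d/10-logcheck-warn.conf   (hypothetical file name)
#
# A facility.priority selector matches that priority and everything
# more severe, so ".warning" covers warning, err, crit, alert and emerg.
# Debian's default rules for comparison:
#   auth,authpriv.*                 /var/log/auth.log
#   *.*;auth,authpriv.none          -/var/log/syslog

# auth.log equivalent, warning and above only
auth,authpriv.warning            /var/log/auth-warn.log

# syslog equivalent, warning and above only; auth/authpriv excluded
# exactly as the stock syslog rule does (leading "-" = async write)
*.warning;auth,authpriv.none     -/var/log/syslog-warn
```

To make logcheck read these instead of the originals, replace `/var/log/syslog` and `/var/log/auth.log` in `/etc/logcheck/logcheck.logfiles` with the two new paths. Three things to check before rolling this out with ansible: the new files need a logrotate stanza of their own, since nothing rotates them otherwise (logcheck's logtail2 handles the rotation fine once one exists); Debian's rsyslog creates files as root:adm mode 0640, which is what lets the `logcheck` user, a member of `adm`, read them, so keep those `$FileOwner`/`$FileGroup`/`$FileCreateMode` defaults; and be aware of what the priority cut drops, which is Andy's point above: sshd writes its "Failed password" lines at priority info, so repeated failed logins will appear only in the full auth.log, not in the warn-only file.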
