ma, 2007-10-22 kello 18:08 -0500, Karl Schmidt kirjoitti: > I'm not sure if I'm allowed to put comments in the ignore files? > > If not, I suppose the documentation should say so. If so, the docs should > have an example of > how. > > If not - I would want to add this as a wishlist item - I think being able to > comment the > rues would be quite useful... > > Please cc me if responding..
I've wanted to do the same thing, and as far as I understand, it's not currently possible. In fact, I wanted to go one step further, and include test data for each rule. I maintain a private liw-logcheck-database package, which has additional rules tailored for my personal needs, and for that I wrote a little script to read a new kind of input file and write out the input files that logcheck actually wants. The new input file looks like this: # init(8) reports when it switches run levels. On a desktop machine, # having logcheck flag every shutdown or reboot is excessive, so we ignore # switches to run level 0. Level: workstation Log: Jul 26 04:58:03 agnes init: Switching to runlevel: 0 Match: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ init: Switching to runlevel: 0$ Level: workstation Log: Aug 31 12:31:36 agnes init: Trying to re-exec init Match: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ init: Trying to re-exec init$ I have another script that reads these new kind of files and verifies that all sample log messages (there can be any number of them per match rule) are actually matched by their rules. This is so that I can apply a bit of Test Driven Development to my rules database: whenever there is a new log message that should be ignored, I add first add it as a sample line, and then write or tweak the rule. If, for instance, the wording of init's messages above changes in a future version, I can just add the new wording, and make sure the rules match both the old and new messages. I wonder, would this be welcome to the main logcheck database, too? The scripts I have are run at build time, so no actual changes to logcheck itself would be needed (and, thus, no performance impact, either). -- Those who do, decide. _______________________________________________ Logcheck-devel mailing list Logcheck-devel@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel