Not sure this will help you, but no-one else replied so: I have previously
looked at the logcheck code and I didn't see any way for there to be a bug
where a rule matches but output is sent anyway (the way the paranoid
level is implemented is less clear, but that does not apply here as far as
I can see): the relevant code in logcheck just uses grep and emails
anything not matched.

So this will be an issue in your rules somehow - although I don't see
anything wrong either.

Can you rule out a timing issue where the rule was added after the cron job
started, e.g. because the file was sitting unsaved in an editor? Logcheck
copies all the rules when it starts. I have done this myself many times.

The one small thing that jumped out at me is that the rule in question is
not terminated by a $ - could there be some whitespace issues here?
(logcheck doesn't care what the rule looks like, but it does do some
pre-processing to remove trailing whitespace - I don't recall but I suspect
logcheck-test does not do that, and it definitely does not understand the
(bizarre) exclusions and counter-exclusions of paranoid rules that logcheck
uses - I would not rely on logcheck-test.)

The other thing is that the dots (.) are not escaped (I don't see why that
should matter here).

I'd recommend copying the syslog file and testing that the rule matches with grep.

Sorry for not being more helpful.

On Sun, 4 Sep 2022, 16:32 James Graves, <dms.sysad...@deltamobile.com>
wrote:

> Package: logcheck
> Version: 1.3.23
> Severity: normal
>
> I received an email for some chatter from systemd:
>
> System Events
> =-=-=-=-=-=-=
> Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
>
> And indeed this line does exist in /var/log/syslog:
>
>
> However, this is already matched by a rule:
>
> # cd /etc/logcheck/ignore.d.server/
> # grep Cleanup local-systemd
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting Cleanup of Temporary Directories...$
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Started Cleanup of Temporary Directories.$
> ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories.
>
> And the rule _does_ work:
>
> # logcheck-test -l /var/log/syslog -r local-systemd | grep Cleanup
> Aug 28 13:58:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
> Aug 28 13:58:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
> Aug 29 13:59:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
> Aug 29 13:59:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
> Aug 30 14:00:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
> Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
>
> So the rule to ignore the 'Finished' line on August 30th, 14:00:24 does
> work, and yet the email was sent anyway.
>
> This is not the only occurrence, I've also seen the same thing with the line
> "Starting Daily man-db regeneration..." from systemd on the same system.
> But in general, the hundreds of other rules I've created work fine.
>
> I haven't altered how logcheck is run via cron or changed the
> configuration files from the default installed by Debian.
>
> Thanks for looking at this!
>
>
> -- System Information:
> Debian Release: 11.4
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 5.10.0-17-amd64 (SMP w/4 CPU threads)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages logcheck depends on:
> ii  adduser                       3.118
> ii  cron [cron-daemon]            3.0pl1-137
> ii  lockfile-progs                0.1.18
> ii  logtail                       1.3.23
> ii  mime-construct                1.11+nmu3
> ii  rsyslog [system-log-daemon]   8.2102.0-2+deb11u1
> ii  ssmtp [mail-transport-agent]  2.64-10
>
> Versions of packages logcheck recommends:
> ii  logcheck-database  1.3.23
>
> Versions of packages logcheck suggests:
> pn  syslog-summary  <none>
>
> -- no debconf information
>

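The grep check the reply recommends, written out as an added example that is not part of this thread and not logcheck's own code. It assumes, as the reply says, that logcheck's filtering is equivalent to running grep -E -v -f over the rule file; the syslog sample and rule files it uses are constructed here.

```shell
#!/bin/sh
# Added example, not code from the bug report or from logcheck itself. It
# reproduces the reply's reasoning with plain grep: logcheck's core step is
# effectively 'grep -E -v -f RULES', so a line is mailed only when no rule
# matches it, and a rule that lacks a closing '$' but carries a trailing space
# silently stops matching unless that whitespace is stripped first.

# Constructed /var/log/syslog sample in the same format as the report's lines.
SAMPLE_LOG='Aug 30 14:00:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
Aug 30 14:05:01 lxc2 CRON[777]: (root) CMD (/usr/local/bin/backup.sh)'

# The three ignore rules from the report, with \w{3} written as [[:alpha:]]{3}
# so the example does not depend on a GNU-only regex extension.
RULES='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting Cleanup of Temporary Directories...$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Started Cleanup of Temporary Directories.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories.'

# What logcheck would mail for a given rule file: every sample line that no
# rule matches. grep exits 1 when it filters everything, which is fine here.
report_unmatched() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$1"
    return 0
}

# Number of lines report_unmatched would mail.
count_unmatched() {
    report_unmatched "$1" | wc -l | tr -d ' '
}

# The pre-processing the reply attributes to logcheck (and suspects
# logcheck-test skips): drop trailing whitespace from every rule line.
clean_rules() {
    sed 's/[[:space:]]*$//' "$1"
}

WORK=$(mktemp -d)
printf '%s\n' "$RULES" > "$WORK/local-systemd"
# One trailing space after the unanchored 'Finished' rule, as an editor might leave it.
sed '/Finished/s/$/ /' "$WORK/local-systemd" > "$WORK/local-systemd.ws"
clean_rules "$WORK/local-systemd.ws" > "$WORK/local-systemd.clean"

echo "rules as posted:         $(count_unmatched "$WORK/local-systemd") line(s) mailed"       # 1 (the CRON line)
echo "trailing space, raw:     $(count_unmatched "$WORK/local-systemd.ws") line(s) mailed"    # 2 (Finished now leaks)
echo "trailing space, cleaned: $(count_unmatched "$WORK/local-systemd.clean") line(s) mailed" # 1 again
```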