On Mon, 5 Dec 2022, 09:29 Jose M Calhariz, <j...@calhariz.com> wrote:

> can someone do a minimal patch proposing a way to solve this issue?
>

Hi, Not a patch, but a recipe to patch every rule:

for x in ignore.d.* violations.*; do
    sed -i -E 's,^\^((\\w|\[\[:alpha:\]\])\{3\} \[ :(0-9|\[:digit:\])\]\{11\}),^(\1|[0-9T:.+-]{32}),' "$x"/*
done

I make it 183 files modified (I don't know if the "for" loop is really
needed, but sed didn't want more than one glob on the line)

This is replacing ^<old prefix> with ^(old prefix|new prefix) in every
rulefile. The regex-special chars need escaping in the first bit of sed,
but not the replacement. It is safe to run multiple times, but it does
modify files, so take care. I have not done a lot of testing on this yet
either.

There are several variants of <old prefix> in the package:
^\w{3} [ :0-9]{11}  is the most common (eg ignore.d.server/acpid)
^[[:alpha:]]{3} [ :[:digit:]]{11}  is used in ignore.d.server/systemd
^\w{3} [ :[:digit:]]{11} is used in ignore.d.paranoid/bind
I didn't check if anything used the fourth variant, i.e. '^[[:alpha:]]{3} [ :0-9]{11}',
but that would also be caught by the expression.

The sed expression preserves these variants, but it would be even better to
replace the \1 with whichever variant is preferred.

In the replacement, we want the old prefix _first_ for future-proofing:
rsyslog is being demoted in priority: it may still be pulled in as a
dependency, but more and more we will see systems without rsyslog installed
at all - all the logging will be in the journal.  So to remain useful,
logcheck will need to enable checking of the systemd journal as well as
/var/log/syslog. And the journal lines are extracted by logcheck in the
"old" format. So I think we should do this change with that in mind.

The NEWS.Debian needs an entry as users will need to make a similar change
in their own rules - I assume no-one uses logcheck without hundreds of
local modifications in /etc/logcheck. I can help write that, but I didn't
find the time yet.

I didn't do a proper patch yet - I could build one on top of the merge
request submitted for
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020827 - I think
#1020827 is almost as important to fix as this bug.

Richard
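As an added example (not code from Richard's mail or from the logcheck package), the script below runs the same sed expression as a filter over a constructed rule file and checks with grep -E -f, roughly the way logcheck applies its rule files, that the rewritten rules match both the traditional syslog prefix and the 32-character ISO 8601 prefix, and that running the rewrite a second time is a no-op. The rule lines, log lines and file names are constructed for the demonstration; GNU sed and grep are assumed.

```shell
#!/bin/sh
# Added example, not from the original mail: exercise the sed rewrite on a
# constructed rule file and confirm the result matches old and new log prefixes.
# Assumes GNU sed and GNU grep (for \w and -E -f).

# The sed expression from the mail, unchanged, used as a filter (stdin -> stdout)
# instead of in place with -i so the original file survives for comparison.
rewrite_rules() {
    sed -E 's,^\^((\\w|\[\[:alpha:\]\])\{3\} \[ :(0-9|\[:digit:\])\]\{11\}),^(\1|[0-9T:.+-]{32}),'
}

# Succeed only if every line of the log ($2) is matched by some rule in $1,
# which is what an ignore.d rule file is meant to achieve for its service.
all_lines_ignored() {
    # grep -v prints lines that no rule matches; -q exits 0 as soon as one exists
    if grep -E -v -q -f "$1" "$2"; then
        return 1
    fi
    return 0
}

# Before/after comparison on constructed data; prints "<before> <after>" as yes/no.
demo() {
    tmp=$(mktemp -d)
    # Constructed rule file using two of the prefix variants listed in the mail.
    cat > "$tmp/rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: client connected from [0-9]+\[0:0\]$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Started .*\.$
EOF
    # Constructed log lines: one in the old syslog format, two in the ISO 8601
    # format (32 characters before the hostname).
    cat > "$tmp/log" <<'EOF'
Dec  5 09:29:00 myhost acpid: client connected from 1234[0:0]
2022-12-05T09:29:00.123456+00:00 myhost acpid: client connected from 1234[0:0]
2022-12-05T09:29:01.000000+00:00 myhost systemd[1]: Started Session 1 of user jose.
EOF
    if all_lines_ignored "$tmp/rules" "$tmp/log"; then before=yes; else before=no; fi
    rewrite_rules < "$tmp/rules" > "$tmp/rules.new"
    if all_lines_ignored "$tmp/rules.new" "$tmp/log"; then after=yes; else after=no; fi
    rm -rf "$tmp"
    echo "$before $after"
}

demo
```

Run as-is it prints "no yes": the unmodified rules leave the ISO-prefixed lines unmatched, the rewritten ones cover all three. Because the rewrite only triggers on a rule whose prefix still starts with `^\w` or `^[[:alpha:]]`, feeding an already-rewritten file through it again changes nothing, which is the "safe to run multiple times" property the mail mentions.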
