On Mon, 5 Dec 2022, 09:29 Jose M Calhariz, <j...@calhariz.com> wrote:
> can someone do a minimal patch proposing a way to solve this issue?

Hi,

Not a patch, but a recipe to patch every rule:

  for x in ignore.d.* violations.*; do sed -i -E 's,^\^((\\w|\[\[:alpha:\]\])\{3\} \[ :(0-9|\[:digit:\])\]\{11\}),^(\1|[0-9T:.+-]{32}),' $x/*; done

I make it 183 files modified (I don't know if the "for" loop is really needed, but sed didn't want more than one glob on the line).

This is replacing ^<old prefix> with ^(old prefix|new prefix) in every rulefile. The regex-special chars need escaping in the first bit of sed, but not in the replacement. It is safe to run multiple times, but it does modify files, so take care. I have not done a lot of testing on this yet either.

There are several variants of <old prefix> in the package:

  ^\w{3} [ :0-9]{11}                  is the most common (e.g. ignore.d.server/acpid)
  ^[[:alpha:]]{3} [ :[:digit:]]{11}   is used in ignore.d.server/systemd
  ^\w{3} [ :[:digit:]]{11}            is used in ignore.d.paranoid/bind

I didn't check if anything used the fourth variant, i.e. '^[[:alpha:]]{3} [ :0-9]{11}', but that would also be caught by the expression.

The sed expression preserves these variants, but it would be even better to replace the \1 with whichever variant is preferred.

In the replacement, I think we want the old prefix _first_ for future-proofing: rsyslog is being demoted in priority. It may still be pulled in as a dependency, but more and more we will see systems without rsyslog installed at all; all the logging will be in the journal. So to remain useful, logcheck will need to enable checking of the systemd journal as well as /var/log/syslog. And the journal lines are extracted by logcheck in the "old" format. So I think we should do this change with that in mind.

The NEWS.Debian needs an entry, as users will need to make a similar change in their own rules; I assume no-one uses logcheck without hundreds of local modifications in /etc/logcheck. I can help write that, but I didn't find the time yet.

I didn't do a proper patch yet. I could build one on top of the merge request submitted for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020827; I think #1020827 is almost as important to fix as this bug.

Richard
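Added example, not Richard's code and not part of the logcheck package: a shell rehearsal of the recipe above on a throwaway rules tree, followed by the check a practitioner would want before touching /etc/logcheck, namely that grep -E (the matcher logcheck uses) now accepts both the old syslog timestamp and the RFC 3339 one, and that a second run of the sed is a no-op. It assumes GNU sed and grep (as on Debian). The directory names mirror /etc/logcheck, but every rule line and log line is a constructed sample, and the hostname pattern [._[:alnum:]-]+ in the sample rules is assumed for illustration rather than copied from the package.

```shell
#!/bin/sh
# Added example (not from the mail or from logcheck): rehearse the sed recipe
# on a scratch rules tree, then verify the result with grep -E, the way
# logcheck itself applies rule files. All rules and log lines are constructed
# samples; the hostname pattern [._[:alnum:]-]+ is an assumption.
set -eu

# Build a throwaway tree with one rule for each of the four <old prefix>
# variants named in the mail. Prints the directory path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ignore.d.server" "$dir/ignore.d.paranoid" "$dir/violations.ignore.d"
    # variant 1: ^\w{3} [ :0-9]{11}   (the most common form)
    printf '%s\n' '^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: client connected from [0-9]+\[[0-9]+:[0-9]+\]$' \
        > "$dir/ignore.d.server/acpid"
    # variant 2: ^[[:alpha:]]{3} [ :[:digit:]]{11}
    printf '%s\n' '^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[1\]: Started .*\.$' \
        > "$dir/ignore.d.server/systemd"
    # variant 3: ^\w{3} [ :[:digit:]]{11}
    printf '%s\n' '^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[0-9]+\]: .*$' \
        > "$dir/ignore.d.paranoid/bind"
    # variant 4: ^[[:alpha:]]{3} [ :0-9]{11}   (not seen in use, but covered)
    printf '%s\n' '^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for .*$' \
        > "$dir/violations.ignore.d/sshd"
    printf '%s\n' "$dir"
}

# The recipe from the mail, unchanged, run from inside the given tree (GNU sed -i).
apply_recipe() {
    ( cd "$1" && for x in ignore.d.* violations.*; do
        sed -i -E 's,^\^((\\w|\[\[:alpha:\]\])\{3\} \[ :(0-9|\[:digit:\])\]\{11\}),^(\1|[0-9T:.+-]{32}),' "$x"/*
      done )
}

# Count how many of the given log lines the rule file filters out, as logcheck
# would (grep -E -f <rulefile>). Prints the count; 0 is not an error here.
matches() {
    rulefile=$1
    shift
    printf '%s\n' "$@" | grep -E -c -f "$rulefile" || true
}

# Constructed sample lines: one classic syslog timestamp, one RFC 3339 timestamp
# (32 characters: date, 'T', time, six fractional digits, numeric offset).
OLD_LINE='Dec  5 09:29:12 myhost acpid: client connected from 1234[0:0]'
NEW_LINE='2022-12-05T09:29:12.123456+00:00 myhost acpid: client connected from 1234[0:0]'

# Demo run: before the rewrite only the old line is filtered, afterwards both.
tree=$(make_sample_tree)
echo "before rewrite: $(matches "$tree/ignore.d.server/acpid" "$OLD_LINE" "$NEW_LINE") of 2 lines filtered"
apply_recipe "$tree"
echo "after rewrite:  $(matches "$tree/ignore.d.server/acpid" "$OLD_LINE" "$NEW_LINE") of 2 lines filtered"
cat "$tree/ignore.d.server/acpid"
apply_recipe "$tree"   # a second run must leave the files unchanged
rm -rf "$tree"
```

One caveat the rehearsal makes visible: `[0-9T:.+-]{32}` only matches a timestamp that is exactly 32 characters, i.e. six fractional digits and a numeric `+HH:MM`/`-HH:MM` offset. A line written with a different precision or with `Z` as the offset would fall through, so check the format your rsyslog template actually emits before relying on the count of 2 above.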