On Thu, 20 Jul 2023 12:15:25 +0200 Thomas Parmelan
<tom+deb...@ankh.fr.eu.org> wrote:
Some interesting ideas in here - i think i am missing something though:
> The systemd journal is checked by default, in addition to rsyslog files,
> starting with logcheck version 1.4.1. But the format of timestamps are
> different by default for journal (uses the old-school format: "Jul 20
> 11:51:03") and rsyslog >= 8.2210.0-3 (uses an RFC3339-compatible format:
> "2023-07-20T11:51:03.046581+0200"). So logcheck cannot compare them
> correctly.
I understand until the word "compare" here - are you saying that rules
don't match entries from rsyslog or from systemd? because both seem to
be matched fine for me!
> Also, journalctl can emit multi-line logs, whereas rsyslog cannot.
>
> The attached patch adds a new ISO_TIMESTAMPS config variable to the logcheck
> script, allowing logcheck to:
> - call journalctl with "-o short-iso-precise" in order to get a
> nearly-RFC3339-compatible timestamp
> - add the missing ':' between the timezone hours and minutes to convert the
> journalctl shot-iso-precise timestamp to the exact RFC3339 timestamp
> format used by rsyslog
I think my question above is related to this bullet: a typical prefix
in the logcheck-database of rules is
^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32})
which should match both rules without needing to change the format,
and includes a : wherever it occurs.... have we got something wrong in
this, and if so, what?
> - join continuous lines (lines starting with whitespace) from
> journalctl output, as rsyslog only logs them as one line
this part i understand (although i didnt check the sed logic closely)
and agree it would be worth doing: is it definitely correct that a
blank line is always a continuation line like this?
> - handle SORTUNIQ correctly even when using ISO_TIMESTAMPS
i didnt understand this bit of the patch (copied below):- it seems to
have a lot of repetition, and introduce a call to 'uniq', but only
sometimes:
(i also wonder why anything is better than just 'sort -u' regardless
of timestamp format): can you explain what the issue is that is being
solved?
-if [ "$SORTUNIQ" -eq 1 ];then
- SORT="sort -u"
-else
- SORT="sort -k 1,3 -s"
-fi
- $SORT "$TMPDIR/logoutput"/* | sed -e 's/[[:space:]]\+$//' >
"$TMPDIR/logoutput-sorted" \
+# Use "sort -u" or "sort ... | uniq"
+if [ "$SORTUNIQ" -eq 1 ];then
+ SORT_OPTS="-u"
+ sort $SORT_OPTS "$TMPDIR/logoutput"/* | sed -e 's/[[:space:]]\+$//'
> "$TMPDIR/logoutput-sorted" \
+ || error "Could not save sorted log content to
$TMPDIR/logoutput-sorted"
+else
+ if [ "$ISO_TIMESTAMPS" -eq 1 ]; then
+ SORT_OPTS="-k 1 -s"
+ else
+ SORT_OPTS="-k 1,3 -s"
+ fi
+ sort $SORT_OPTS "$TMPDIR/logoutput"/* | sed -e 's/[[:space:]]\+$//'
| uniq > "$TMPDIR/logoutput-sorted" \
|| error "Could not save sorted log content to
$TMPDIR/logoutput-sorted"
+fi
