On Wed, 22 Feb 2023, 17:51 Helge Kreutzmann, <deb...@helgefjell.de> wrote:
> Package: logcheck
> Version: 1.4.1
> Severity: grave
> Justification: renders package unusable
>
> The change for #1025719 broke logcheck massively.
>
> I've extensively tuned logcheck files which nicely filter out lots of
> messages (see statistics at the end).
>
> Now I see them all again (only those coming from the journal).
>
> I don't see any information what I should do for migration.
>

Sorry about that. I agree there is a bug in the documentation - we should add a NEWS.Debian entry - my fault, I simply forgot.

But this is hardly a grave bug. It is trivial to disable checking of the journal. Just edit /etc/logcheck/logcheck.logfiles.d/journal.logfiles and add a # before the word "journal". This will take effect on the next run of logcheck.

This is also documented in that file --- as a heavy logcheck user I would recommend reading new config files when installing a new version. (We don't plan more changes for bookworm but in the longer-term there could be some changes to make logcheck more efficient)

HOWEVER, you might want to consider adjusting to this in the long-term - if your log messages are different in the journal and syslog then not checking the journal means you are by definition not being informed of things. That would rather seem to defeat the point of monitoring the log messages. But it is of course up to you.

But given Debian has demoted syslog, logcheck does need to "move with the times" and support systemd by default - we will not force anyone to adapt, but we can't predict what settings work for you.

> Let's use a trivial example. The following harmless message is emitted
> by courier to the journal:
> Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp
>
> In syslog this is:
> syslog:2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp
>
> I have the following in
> /etc/logcheck/ignore.d.server:
> meinfjell courierd: Initializing uucp

Is this a typo? This rule is not going to filter that message regardless of whether it is in the journal or syslog. One says initializing, one says installing.... (Maybe courier changed its logging?)

I also note you have the "new" timestamp format for syslog - that's an rsyslog change and nothing to do with logcheck. I believe you can revert that change quite easily as well.

> As you can see, the message from the journal is slightly different
> than from syslog, breaking tons of rules.
>

That sounds like a bug in courier. As above, you can choose to only check one source of messages. Most programs put the same messages in both in my experience.

> For statistics:
> On my local system, I have 11396 lines of rules, on my server system
> currently 2721 (I'm in the processing of setting this up, so this will
> grow).
>

Wow! But yes, logcheck-database does need a lot of manual tuning to be useful. (I am surprised it copes with that many lines tbh!)

Sorry again for the inconvenience.
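
The mismatch discussed in this thread can be reproduced offline. The following is an added example, not part of the original message or of logcheck: it applies three ignore patterns as extended regular expressions (the syntax logcheck rules use) to the two sample lines quoted above and counts how many lines would still be reported. `RULE_BOTH` and `count_unfiltered` are hypothetical names, and the `syslog:` prefix on the quoted syslog line is assumed to be a grep filename prefix and is dropped.

```shell
#!/bin/sh
# Added example: compare ignore rules against the journal and syslog
# forms of the same message.

# The two log lines quoted in the thread. The leading "syslog:" on the
# second one is assumed to be a grep filename prefix and is left out.
SAMPLE_LINES='Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp
2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp'

# Rule exactly as quoted in the thread ("Initializing", no PID, no anchor).
RULE_QUOTED='meinfjell courierd: Initializing uucp'

# Same rule with only the wording changed to match the message.
RULE_WORDING='meinfjell courierd: Installing uucp'

# Hypothetical rule written for this example: anchored, accepts either
# the traditional or the ISO 8601 timestamp, and an optional [pid].
RULE_BOTH='^([[:alpha:]]{3} [ :[:digit:]]{11}|[[:digit:]T:.+-]{32}) meinfjell courierd(\[[[:digit:]]+\])?: Installing uucp$'

# Print how many sample lines survive when lines matching the rule
# are ignored. grep exits 1 when the count is 0, hence "|| true".
count_unfiltered() {
    printf '%s\n' "$SAMPLE_LINES" | grep -E -v -c -e "$1" || true
}

for rule in "$RULE_QUOTED" "$RULE_WORDING" "$RULE_BOTH"; do
    printf '%s line(s) still reported with rule: %s\n' \
        "$(count_unfiltered "$rule")" "$rule"
done
```

The quoted rule filters neither line, the wording-only fix filters just the syslog line because the journal line carries a `[pid]`, and the combined rule filters both.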