Re: best log checker

Wed, 31 Jan 2007 19:00:40 -0800 

Douglas Allan Tutty <[EMAIL PROTECTED]>:
>  I'm trying to find a good log checker.
> 
>  Basically, I want it to report anything that I don't tell it to ignore.

Well, there's always a shell script that looks for date --yesterday
(nonportable), then grep -v 'string1|string2|...'  Don't laugh.  It's
what I used before logcheck.

>  I've tried logcheck first and when I couldn't get it to do what I want I
>  tried logwatch.  It has an ignore file that it says to just cut and

It does?  Mine (sarge/stable) has ignore directories:

drwxr-s---    2 root logcheck 1024 Oct 23 20:37 ignore.d.paranoid/
drwxr-s---    2 root logcheck 2048 Aug 12 19:57 ignore.d.server/
drwxr-s---    2 root logcheck 1024 Aug 12 19:57 ignore.d.workstation/

and the one it uses is defined in logcheck.conf.  I was getting really
annoyed at seeing dumb stuff about gconfd, then I noticed I was using
"server" instead of "workstation".  The ignore.d.workstation includes
a file "gconf", which lists exactly the junk I don't care about.  Doh.

Of course, a server shouldn't be running insecure stuff like X.

>  paste what you want to ignore.  I do that and it doesn't ignore it.
>  Some docs mention that its all based on regular expressions so I tried
>  enclosing the lines in quotes to no avial.

Here's a typical useless message (for me):

  Oct  9 16:54:42 heretic gconfd (keeling-4010): Resolved address
       "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
       configuration source at
       position 0

Here's an entry from gconf:

  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd 
       \([._[:alnum:]-]+-[0-9]+\): Resolved address "[^[:space:]]+"
       to a read-only configuration source at position [^[:space:]]+$

That says:

   - at the start of the line ("^")

   - three non-whitespace chars ("Oct")

   - a space

   - the set of space, colon, zero through nine (eleven chars total),
     then a space, then the set of period, underscore, alpha-numeric,
     or dash/hyphen (more than zero of them "+")

   - a space

   - the string "gconfd"

   - ...

>  I _like_ most of what logwatch does, like telling me how many times a
>  login happened, especially failed ones.  I just don't like to have to
>  pour through all the bootup lines every day.

Don't shutdown?  Yeah, I know.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)    http://www.spots.ab.ca/~keeling          Linux Counter #80292
- -    http://www.faqs.org/rfcs/rfc1855.html    Please, don't Cc: me.
       Spammers! http://www.spots.ab.ca/~keeling/emails.html


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to