Bug#1031786: logcheck: Filtering not working with entries from journald
Hello Richard,

On Thu, Feb 23, 2023 at 12:14:08AM +, Richard Lewis wrote:
> On Wed, 22 Feb 2023, 17:51 Helge Kreutzmann, wrote:
>
> > Package: logcheck
> > Version: 1.4.1
> > Severity: grave
> > Justification: renders package unusable
> >
> > The change for #1025719 broke logcheck massively.
> >
> > I've extensively tuned logcheck files which nicely filter out lots of
> > messages (see statistics at the end).
> >
> > Now I see them all again (only those coming from the journal).
> >
> > I don't see any information what I should do for migration.
>
> sorry about that.
>
> i agree there is a bug in the documentation - we should add a NEWS.Debian
> entry - my fault i simply forgot. But this is hardly a grave bug.

A NEWS.Debian is definitely needed.

> It is trivial to disable checking of the journal. just edit
>
> /etc/logcheck/logcheck.logfiles.d/journal.logfiles
>
> and add a # before the word "journal".

This I was not aware of. Since the time format for syslog and journal
differ, I added the following local rule:

root@twentytwo:/etc/logcheck/ignore.d.server# cat lr_journal_out
^Jan
^Feb
…

> this will take effect on the next run of logcheck. This is also documented
> in that file --- as a heavy logcheck user i would recommend reading new
> config files when installing a new version. (We dont plan more changes for
> bookworm but in the longer-term there could be some changes to make
> logcheck more efficient)

So far, new config files changed little, and I usually read them after
they are in operation for a few days. But in the end, many are so
outdated, I hardly rely on them anymore.

For many programs I'm informed about the changed config during upgrades;
for "journal.logfiles" I did not have a chance to review it - probably I
did not modify this in the past. If I had been shown the file, I
probably would have seen this entry.

However, I did check the files in /usr/share/doc/logcheck after
installing, but I did not find any information relevant to this there.

> HOWEVER, you might want to consider adjusting to this in the long-term -
> if your log messages are different in the journal and syslog then not
> checking the journal means you are by definition not being informed of
> things. That would rather seem to defeat the point of monitoring the log
> messages. But it is of course up to you.

This is the best course of action. But this should be a controlled
situation. If I imagine running a dist-upgrade from bullseye, lots of
programs need adjustments - having huge log files during logcheck does
not help at all. (And in a larger setup, this might be unfeasible to do
on the spot.)

So if you add the NEWS entry, pointing people to how to (temporarily)
disable journal logging, this would be a very good step, something like:

Note that logcheck by default now also checks the systemd journal. If
you have local rules, this might cause lots of extra (unwanted) lines to
be shown if the patterns do not match. This logging can be controlled by
the setting "journal" in /etc/logcheck/logcheck.logfiles.d/journal.logfiles

> But given debian has demoted syslog logcheck does need to "move with the
> times" and support systemd by default - we will not force anyone to adapt,
> but we cant predict what settings work for you.

I do see your rationale.

> > by courier to the journal:
> > Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp
> >
> > In syslog this is:
> > syslog:2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp
> >
> > I have the following in
> > /etc/logcheck/ignore.d.server:
> > meinfjell courierd: Initializing uucp
>
> Is this a typo?
>
> this rule is not going to filter that message regardless of whether it is
> in the journal or syslog. one says initializing one says installing
> (Maybe courier changed its logging? )

No, the second one I manually picked and I was too fast, sorry.

> I also note you have the "new" timestamp format for syslog- that's an
> rsyslog change and nothing to do with logcheck. I believe you can revert
> that change quite easily as well.

This one caught me by surprise a few months back and caused me to adapt
my rules in a hurry back then - nothing I would like to repeat.

> > As you can see, the message from the journal is slightly different
> > than from syslog, breaking tons of rules.
>
> that sounds like a bug in courier. As above you can choose to only check
> one source of messages. Most programs put the same messages in both in my
> experience.

Courier is just one example, there are more. But given we are working on
a solution to this bug, I don't think we need to analyze other programs'
logs. And yes, as I understand it all logging first goes to the journal
and next to syslog, thus they are doubled.

> > For statistics:
> > On my local system, I have 11396 lines of rules, on my server system
> > currently 2721 (I'm in the process of setting this up, so this will
> > grow).
>
> wow! but yes,
Bug#1031786: logcheck: Filtering not working with entries from journald
Control: severity -1 normal

You can disable the checking of the systemd journal:

> $ sudo cat /etc/logcheck/logcheck.logfiles.d/journal.logfiles
> ## The word 'journal' tells logcheck to check log entries in the
> ## systemd journal
>
> # (This is enabled by default, but if you do not want to check entries
> # in the journal you can comment out the next line)
> journal

I did have to update some of my local rules to account for the format of
the journal entries, but it wasn't too hard. From your example, something
like this should work for both:

> meinfjell courierd(\[[[:digit:]]+\])?: Installing uucp

Mathias
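The rule Mathias proposes above, checked against both the journal and the rsyslog form of the courier message from the report with grep -E, the extended-regex grep that logcheck uses to apply its ignore rules. This is an added example, not part of the bug thread or of the logcheck package; the two sample lines are copied from the report, and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): exercise a logcheck ignore
# rule against the journal and the syslog form of the same message.
# logcheck matches rule files with grep -E, so plain grep -E reproduces
# which lines a rule would filter. Sample lines come from the report.

JOURNAL_LINE='Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp'
SYSLOG_LINE='2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp'

# The rule as it would look before the journal was checked (syslog only),
# and the rule from the reply that tolerates the journal's "[pid]" suffix.
OLD_RULE='meinfjell courierd: Installing uucp'
NEW_RULE='meinfjell courierd(\[[[:digit:]]+\])?: Installing uucp'

# rule_matches RULE LINE -> exit status 0 if logcheck would ignore LINE.
rule_matches() {
    printf '%s\n' "$2" | grep -E -q -- "$1"
}

# count_unfiltered RULE LINE... -> number of lines the rule does NOT
# filter, i.e. the lines that would still end up in the logcheck report.
count_unfiltered() {
    rule="$1"
    shift
    n=0
    for line in "$@"; do
        rule_matches "$rule" "$line" || n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone usage: show what each rule leaves in the report.
echo "old rule leaves $(count_unfiltered "$OLD_RULE" "$JOURNAL_LINE" "$SYSLOG_LINE") line(s) unfiltered"
echo "new rule leaves $(count_unfiltered "$NEW_RULE" "$JOURNAL_LINE" "$SYSLOG_LINE") line(s) unfiltered"
```

The optional group `(\[[[:digit:]]+\])?` admits only a bracketed numeric PID, so the rule stays as tight as the original instead of widening to something like `courierd.*:`, which would also swallow unrelated courier lines you may still want to see.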
Bug#1031786: logcheck: Filtering not working with entries from journald
On Wed, 22 Feb 2023, 17:51 Helge Kreutzmann, wrote:

> Package: logcheck
> Version: 1.4.1
> Severity: grave
> Justification: renders package unusable
>
> The change for #1025719 broke logcheck massively.
>
> I've extensively tuned logcheck files which nicely filter out lots of
> messages (see statistics at the end).
>
> Now I see them all again (only those coming from the journal).
>
> I don't see any information what I should do for migration.

sorry about that.

i agree there is a bug in the documentation - we should add a NEWS.Debian
entry - my fault i simply forgot. But this is hardly a grave bug.

It is trivial to disable checking of the journal. just edit

/etc/logcheck/logcheck.logfiles.d/journal.logfiles

and add a # before the word "journal".

this will take effect on the next run of logcheck. This is also documented
in that file --- as a heavy logcheck user i would recommend reading new
config files when installing a new version. (We dont plan more changes for
bookworm but in the longer-term there could be some changes to make
logcheck more efficient)

HOWEVER, you might want to consider adjusting to this in the long-term -
if your log messages are different in the journal and syslog then not
checking the journal means you are by definition not being informed of
things. That would rather seem to defeat the point of monitoring the log
messages. But it is of course up to you.

But given debian has demoted syslog logcheck does need to "move with the
times" and support systemd by default - we will not force anyone to adapt,
but we cant predict what settings work for you.

> Let's use a trivial example. The following harmless message is emitted
> by courier to the journal:
> Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp
>
> In syslog this is:
> syslog:2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp
>
> I have the following in
> /etc/logcheck/ignore.d.server:
> meinfjell courierd: Initializing uucp

Is this a typo?

this rule is not going to filter that message regardless of whether it is
in the journal or syslog. one says initializing one says installing
(Maybe courier changed its logging? )

I also note you have the "new" timestamp format for syslog- that's an
rsyslog change and nothing to do with logcheck. I believe you can revert
that change quite easily as well.

> As you can see, the message from the journal is slightly different
> than from syslog, breaking tons of rules.

that sounds like a bug in courier. As above you can choose to only check
one source of messages. Most programs put the same messages in both in my
experience.

> For statistics:
> On my local system, I have 11396 lines of rules, on my server system
> currently 2721 (I'm in the process of setting this up, so this will
> grow).

wow! but yes, logcheck-database does need a lot of manual tuning to be
useful. (I am surprised it copes with that many lines tbh!)

sorry again for the inconvenience.
Bug#1031786: logcheck: Filtering not working with entries from journald
Package: logcheck
Version: 1.4.1
Severity: grave
Justification: renders package unusable

The change for #1025719 broke logcheck massively.

I've extensively tuned logcheck files which nicely filter out lots of
messages (see statistics at the end).

Now I see them all again (only those coming from the journal).

I don't see any information what I should do for migration.

Let's use a trivial example. The following harmless message is emitted
by courier to the journal:
Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp

In syslog this is:
syslog:2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp

I have the following in
/etc/logcheck/ignore.d.server:
meinfjell courierd: Initializing uucp

As you can see, the message from the journal is slightly different
than from syslog, breaking tons of rules.

If such a feature is introduced, it should definitely have a switch so
that admins can decide when to change (requires adapting many rules).
Filtering both looks very impractical.

For statistics:
On my local system, I have 11396 lines of rules, on my server system
currently 2721 (I'm in the process of setting this up, so this will
grow).
-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.9 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages logcheck depends on:
ii  adduser                                    3.131
ii  cron [cron-daemon]                         3.0pl1-156
ii  exim4-daemon-light [mail-transport-agent]  4.96-14
ii  lockfile-progs                             0.1.19
ii  logtail                                    1.4.1
ii  mime-construct                             1.12+really1.11-1

Versions of packages logcheck recommends:
ii  logcheck-database  1.4.1

Versions of packages logcheck suggests:
ii  rsyslog [system-log-daemon]  8.2212.0-1

-- Configuration Files:
/etc/logcheck/header.txt [Errno 13] Keine Berechtigung: '/etc/logcheck/header.txt'
/etc/logcheck/logcheck.conf [Errno 13] Keine Berechtigung: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Keine Berechtigung: '/etc/logcheck/logcheck.logfiles'
/etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Keine Berechtigung: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Keine Berechtigung: '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'

-- no debconf information

-- 
      Dr. Helge Kreutzmann                     deb...@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/