Re: Thoughts on logcheck?

2022-07-30 Thread Richard Hector

On 30/07/22 10:20, Andy Smith wrote:

> Hello,
> 
> On Fri, Jul 29, 2022 at 04:30:19PM +1200, Richard Hector wrote:
> 
>> My thought is to configure rsyslog to create extra logfiles, equivalent to
>> syslog and auth.log (the two files that logcheck monitors by default), which
>> only log messages at priority 'warning' or above, and configure logcheck to
>> monitor those instead. This should cut down the amount of filter maintenance
>> considerably.
>> 
>> Does this sound like a reasonable idea?
> 
> Personally I wouldn't (and don't) do it. It sounds like a bunch of
> work only to end up with things that get logged anyway (as you
> noted) plus the risk of missing other interesting things.


I started by enabling the extra logs on one system. I found I saw _more_ 
interesting things, because they weren't hidden by mountains of other 
stuff. That's in the boot-time kernel messages, btw. I only got 14 lines 
(total, not filtered by logcheck) when I was only showing warning or 
higher, rather than the screeds I normally see. I never had time to go 
through all those, even to read and understand them, let alone write 
filters, and having to decide what was important, what not, and whether 
the same messages with different values would be.


I think this will be useful to me, and the work isn't much because it's 
the same for every system (or at least every system that runs logcheck), 
which I can push out with ansible, where the filters have to be much 
more system- (or service-)specific.


The full logs are of course still there if I need to go back and look 
for something.



> I don't find writing logcheck filters to be a particularly big time
> sink. But if you do then it might alter the balance for you.


Thanks for your input :-)

Richard



Re: Thoughts on logcheck?

2022-07-29 Thread Andy Smith
Hello,

On Fri, Jul 29, 2022 at 04:30:19PM +1200, Richard Hector wrote:
> My thought is to configure rsyslog to create extra logfiles, equivalent to
> syslog and auth.log (the two files that logcheck monitors by default), which
> only log messages at priority 'warning' or above, and configure logcheck to
> monitor those instead. This should cut down the amount of filter maintenance
> considerably.
> 
> Does this sound like a reasonable idea?

Personally I wouldn't (and don't) do it. It sounds like a bunch of
work only to end up with things that get logged anyway (as you
noted) plus the risk of missing other interesting things.

I don't find writing logcheck filters to be a particularly big time
sink. But if you do then it might alter the balance for you.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Thoughts on logcheck?

2022-07-28 Thread Richard Hector

Hi all,

I've used logcheck for ages, to email me about potential problems from 
my log files.


I end up spending a lot of time scanning the emails, and then 
occasionally a bunch of time updating the filter rules to stop most of 
those messages coming through.


My thought is to configure rsyslog to create extra logfiles, equivalent 
to syslog and auth.log (the two files that logcheck monitors by 
default), which only log messages at priority 'warning' or above, and 
configure logcheck to monitor those instead. This should cut down the 
amount of filter maintenance considerably.


Does this sound like a reasonable idea?

A quick test does show that I'll still get messages I can't do much 
about - eg I telnetted to the ssh port and closed the connection, and my 
logfile reported that interaction as an error. That kind of thing should 
still be easily filtered, though.


I think I'd want to create a completely fresh set of filters, rather 
than using the supplied defaults, but I'm not sure about that yet.


Cheers,
Richard
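The setup Richard describes in this post (and reports results from in his later reply), written out as an added example; this is not configuration from the thread or from the logcheck or rsyslog projects. The fragment file name and the names of the two new log files are assumptions; the stock Debian selectors quoted in the comments are the ones shipped in /etc/rsyslog.conf, and /etc/logcheck/logcheck.logfiles is the file Debian's logcheck reads its list of monitored logs from.

```conf
# /etc/rsyslog.d/10-logcheck-warn.conf   (assumed path; added example)
#
# Warning-and-above twins of Debian's default syslog and auth.log, intended
# as the files logcheck watches.  For reference, the stock Debian rules are:
#
#   auth,authpriv.*           /var/log/auth.log
#   *.*;auth,authpriv.none    -/var/log/syslog
#
# In rsyslog's classic selector syntax a priority such as ".warn" matches
# that priority AND every more severe one (err, crit, alert, emerg), so the
# two files below hold only the messages that clear that threshold.  The
# leading "-" on a file name is the traditional "don't sync after every
# write" marker, kept here to match the stock syslog rule.

auth,authpriv.warn              /var/log/auth-warn.log
*.warn;auth,authpriv.none       -/var/log/syslog-warn.log


# /etc/logcheck/logcheck.logfiles   (stock file; by default it lists
# /var/log/syslog and /var/log/auth.log)
#
# Replace the two default entries with the filtered files so logcheck
# reports only from the warning-or-higher stream.  The full logs keep
# being written by the stock rules and stay available for manual review.

/var/log/syslog-warn.log
/var/log/auth-warn.log
```

Two things to check after restarting rsyslog: the new files need a logrotate stanza of their own (Debian's /etc/logrotate.d/rsyslog names the rotated files explicitly, so files it does not know about grow without bound), and the logcheck user must be able to read them, which on Debian works because rsyslog creates log files group-readable by adm and the logcheck user is in that group. A quick functional test is `logger -p user.warning "test warn"` followed by `logger -p user.info "test info"`: only the first line should appear in syslog-warn.log, while both appear in syslog.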