
Re: logcheck/testing



On Sun, 2 Dec 2001, Volker Schlecht wrote:

> I'm having a major problem with the version of logcheck currently in
> testing. Apparently logcheck has by now decided that log entries by
> iptables (which are found in /var/log/syslog, /var/log/messages AND
> /var/log/kern.log, all of which are neatly listed in
> logcheck.logfiles) are not really important even at a "paranoid"
> setting, and with logcheck.ignore.paranoid emptied manually.

You didn't say whether you've done this or not, but check the files in
/etc/logcheck/ignore.d.paranoid/ as well; each package can insert a file
with specific instructions, rather than relying on modifications to a
single logcheck.ignore.paranoid file.

> On the other hand, the good news that fetchmail has just got a message
> is reiterated up to three times in a given mail.

This happened to me too, when I upgraded to the newest logcheck. The
reason is that some things get logged to more than one file, and if
logcheck reads the same messages from multiple files, you get it
multiple times.

My solution to that is to use syslog.conf to designate one file, say
/var/log/messages, as a catchall for anything remotely interesting
(i.e., everything but routine sendmail/named transactions), in addition
to daemon.log, auth.log, et al.  Then I put only /var/log/messages into
logcheck.logfiles; so long as everything I'm interested in gets logged
to messages as well as wherever else it's going, I only get one copy
of alerts.

- Aaron

-- 
Aaron Hall             :  Buster, it may come as a complete surprise to you
ahall@vitaphone.net    :  to find that _this_ is an animated cartoon.

Macintosh/UNIX Weenie, Network Flack, and...eh, whatever.
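
Added example, not part of the message above: a shell check that shows which log lines appear in more than one of the files named in a logcheck.logfiles-style list, which is the cause of the repeated alerts described in the reply. The function names, the sample log lines and the temporary paths are constructed for illustration; it assumes genuine duplicates are byte-identical lines (same timestamp, host and text).

```shell
#!/bin/sh
# Added example. Sample data below is constructed, not taken from a real host.

# dup_lines LISTFILE: LISTFILE has the logcheck.logfiles layout (one path per
# line). Prints "COUNT<TAB>LINE" for each line present in COUNT >= 2 files.
dup_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r f; do
        # sort -u per file: a line repeated inside one file is not a
        # cross-file duplicate.
        if [ -r "$f" ]; then sort -u "$f"; fi
    done | sort | uniq -c |
    awk '$1 >= 2 { n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# dup_count LISTFILE: number of distinct lines that would be reported twice or more.
dup_count() { dup_lines "$1" | awk 'END { print NR }'; }

# make_sample DIR: constructed logs mimicking a syslog.conf that sends
# fetchmail's message to three files and an iptables kernel line to two.
make_sample() {
    d=$1
    fm='Dec  2 10:00:01 host fetchmail[411]: 1 message for user at mail.example.org'
    kr='Dec  2 10:00:07 host kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=192.0.2.1 PROTO=TCP DPT=23'
    au='Dec  2 10:01:00 host sshd[502]: Accepted password for user from 192.0.2.9'
    printf '%s\n%s\n' "$fm" "$kr" > "$d/syslog"
    printf '%s\n%s\n%s\n' "$fm" "$kr" "$au" > "$d/messages"
    printf '%s\n' "$fm" > "$d/daemon.log"
    printf '%s\n' "$au" > "$d/auth.log"
    # Before: every file is listed, so shared lines are read several times.
    printf '# all files\n%s\n%s\n%s\n%s\n' \
        "$d/syslog" "$d/messages" "$d/daemon.log" "$d/auth.log" > "$d/logfiles.all"
    # After: only the catchall file is listed.
    printf '%s\n' "$d/messages" > "$d/logfiles.catchall"
}

tmp=$(mktemp -d)
make_sample "$tmp"
dup_lines "$tmp/logfiles.all"
echo "duplicates with catchall only: $(dup_count "$tmp/logfiles.catchall")"
rm -rf "$tmp"
```

Running `dup_lines` against the real list before and after trimming it confirms that the catchall file still carries every line of interest while the duplicate count drops to zero.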


