
Re: [RFC] changes to rsyslog



Paul Wise <pabs@debian.org> writes:

> On Tue, 2021-11-16 at 17:57 -0500, Zack Weinberg wrote:
>> Do you know of a tool that does what logcheck does, but operating
>> directly on the journal?  Logcheck is the only reason I still have
>> rsyslog installed on the servers I maintain.
>
> https://github.com/cyberitsolutions/journalcheck

^ This is me.

The main limitation is journald's choice of HTTPS pull instead of RELP push:

    https://github.com/cyberitsolutions/journalcheck/blob/master/debian/control#L20-L22

journalcheck also includes a cleanup/rewrite of syslog-summary, and
it accepts logcheck-database as-is.
IIRC it also includes some tricks to get a 1000-fold speedup compared to
stock logcheck (by working around some GNU grep performance tradeoffs).

I haven't pursued getting it into Debian because
what I have is Good Enough For Me™.

If other people are interested I'm happy to just hand over the project.
Or I can afford a couple of contact hours a month.


PS: I don't read this ML regularly, so please CC me any followups.

