
Re: System log monitor

"Rene" == Rene Mayrhofer <rene.mayrhofer@vianova.at> writes:
> This is a small followup to my last message.  After thinking a bit
> about it, I think it might be better (performance-wise and when
> multiple files include the same rules - this will happen during the
> transition period when packages start to bring logcheck rules
> files, but when they are still covered by the logcheck-shipped
> defaults) to use an update-logcheck script (like update-modules)
> that pre-generates the rules for logcheck.sh. Then they do not have
> to be generated during run-time and therefore some fancy sorting and
> filtering of duplicates can be done without getting performance
> problems.

I agree that this would be useful, but mainly as it would be a good
place to filter out the dreaded blank-lines in ignore files.  However,
WRT duplicates, if you have duplicate rules I think you would have a
problem, as that would imply that those rules were too general.

One issue that occurs to me is the danger that one badly formed ignore
regexp for a package can strip real violations out of other package
violations.  Package-specific violations and ignores should be done in
separate scans, i.e. system-wide common violations and ignores are
scanned for first, and then the resulting output is run through each
group of package-specific violations and ignore rules *separately*,
rather than in series.
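
The failure mode raised in the message above, as an added example that is not part of the original mail and not logcheck's own code: the same rule groups are applied once in series and once per package. All rule names, patterns and log lines are constructed assumptions.

```sh
#!/bin/sh
# Constructed sample log lines (not from any real system).
LOG='Jan 10 10:00:01 host sshd[101]: Failed password for root from 192.0.2.7
Jan 10 10:00:02 host ftpd[202]: FTP LOGIN FAILED from 192.0.2.9
Jan 10 10:00:03 host ftpd[203]: Failed anonymous probe
Jan 10 10:00:04 host cron[304]: session opened for user root
Jan 10 10:00:05 host sshd[105]: Failed password for invalid user guest from 192.0.2.8'

# Hypothetical rule groups; every name and pattern here is an assumption.
COMMON_VIOL='[Ff]ailed|FAILED|session opened'
COMMON_IGN='cron\[[0-9]+\]: session opened'
SSHD_VIOL='sshd\[[0-9]+\]: Failed password'
SSHD_IGN='sshd\[[0-9]+\]: Failed password for invalid user'
FTPD_VIOL='ftpd\[[0-9]+\]: (FTP LOGIN FAILED|Failed)'
# Badly formed: meant to drop only "ftpd[...]: Failed anonymous probe",
# but it is unanchored and matches any line containing "Failed".
FTPD_IGN='Failed'

# Stage 1: system-wide common violations and ignores.
common_scan() {
  printf '%s\n' "$LOG" | grep -E -- "$COMMON_VIOL" | grep -Ev -- "$COMMON_IGN" || :
}

# One package group: $1 = violation regexp, $2 = ignore regexp; reads stdin.
scan_group() {
  grep -E -- "$1" | grep -Ev -- "$2" || :
}

# In series: every package's ignores filter every package's violations,
# so the ftpd ignore also removes the sshd root-login failure.
scan_series() {
  common_scan | grep -E -- "$SSHD_VIOL|$FTPD_VIOL" \
    | grep -Ev -- "$SSHD_IGN" | grep -Ev -- "$FTPD_IGN" || :
}

# Separately: each group sees the common output and applies only its own
# ignores, so a bad ignore can only hide that package's own lines.
scan_separate() {
  common_scan | scan_group "$SSHD_VIOL" "$SSHD_IGN"
  common_scan | scan_group "$FTPD_VIOL" "$FTPD_IGN"
}

echo "in series:";  scan_series
echo "separately:"; scan_separate
```
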

