Re: LogCheck and its rules
"Paul J. Keenan" <paul.keenan@motorola.com> writes:
> The logcheck script is in /usr/sbin/logcheck.sh - the script uses
> grep to do the pattern matching. From the source and the grep(1)
> manpage, it seems that for the lines to include in the log
> (logcheck.hacking and logcheck.violations) the matching is
> case-insensitive, but for the exclusions (logcheck.violations.ignore
> and logcheck.ignore) the matching is case-sensitive. HTH.
Actually, the Debian package uses egrep. Check the script. That's
why (as you correctly stated) you need \[. I filed bugs against the
docs and against the included default patterns a while ago, and I
believe it's being fixed.
For example, here are some (correct?) patterns I added:
uservd\[[[:digit:]]+\]: call connected$
uservd/check\[[[:digit:]]+\]: uservd\[[[:digit:]]+\] is running$
named\[.*\]: Cleaned cache of .* RRsets
named\[.*\]: USAGE .* .* CPU=.*/.* CHILDCPU=.*/.*
named\[.*\]: NSTATS .* .* A=.* PTR=.* AAAA=.*
named\[.*\]: XSTATS .* .* RR=.* RNXD=.* RFwdR=.* RDupR=.* RFail=.* RFErr=.* RErr=.* RAXFR=.* RLame=.* ROpts=.* SSysQ=.* SAns=.* SFwdQ=.* SDupQ=.* SErr=.* RQ=.* RIQ=.* RFwdQ=.* RDupQ=.* RTCP=.* SFwdR=.* SFail=.* SFErr=.* SNaAns=.* SNXD=.*
--
Rob Browning <rlb@cs.utexas.edu> PGP=E80E0D04F521A094 532B97F5D64E3930
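
Added example (not part of the original message and not the logcheck script itself): a small sh model of the two-pass filtering described in this thread, run over constructed log lines. It shows the case-sensitive ignore pass and why `\[` has to be escaped under egrep; the function names, include patterns and log lines are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: assumed two-pass flow, not the contents of logcheck.sh.

# Pass 1 keeps lines matching the include patterns, case-insensitively;
# pass 2 drops lines matching the ignore patterns, case-sensitively.
filter_log() {      # filter_log LOG INCLUDE_FILE IGNORE_FILE
    grep -E -i -f "$2" "$1" | grep -E -v -f "$3" || true
}

# Number of lines in FILE matched by one extended regex.
count_matches() {   # count_matches PATTERN FILE
    grep -E -c -e "$1" "$2" || true
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed sample log lines (not from a real system).
cat > "$demo_dir/log" <<'EOF'
Mar  3 10:00:01 host uservd[1234]: call connected
Mar  3 10:00:02 host USERVD[1234]: call connected
Mar  3 10:00:03 host uservd[1234]: call connected by root
Mar  3 10:00:04 host named[321]: Cleaned cache of 12 RRsets
Mar  3 10:00:05 host sshd[99]: Failed password for root
EOF

# Constructed include patterns (hypothetical, for the demo only).
cat > "$demo_dir/violations" <<'EOF'
uservd
named
failed
EOF

# Two of the ignore patterns quoted in the message above.
cat > "$demo_dir/ignore" <<'EOF'
uservd\[[[:digit:]]+\]: call connected$
named\[.*\]: Cleaned cache of .* RRsets
EOF

echo "Lines still reported:"
filter_log "$demo_dir/log" "$demo_dir/violations" "$demo_dir/ignore"

# Unescaped, [.*] is a bracket expression (a single '.' or '*'),
# so the pattern never matches the literal "[321]".
echo "unescaped: $(count_matches 'named[.*]: Cleaned cache' "$demo_dir/log")"
echo "escaped:   $(count_matches 'named\[.*\]: Cleaned cache' "$demo_dir/log")"
```

The upper-case USERVD line and the line with trailing text after "call connected" both survive the ignore pass, which is the kind of near-miss worth checking before trusting a new ignore pattern.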