Re: best log checker
Douglas Allan Tutty <dtutty@porchlight.ca>:
> I'm trying to find a good log checker.
>
> Basically, I want it to report anything that I don't tell it to ignore.
Well, there's always a shell script that looks for date --yesterday
(nonportable), then grep -v 'string1|string2|...' Don't laugh. It's
what I used before logcheck.
> I've tried logcheck first and when I couldn't get it to do what I want I
> tried logwatch. It has an ignore file that it says to just cut and
It does? Mine (sarge/stable) has ignore directories:
drwxr-s--- 2 root logcheck 1024 Oct 23 20:37 ignore.d.paranoid/
drwxr-s--- 2 root logcheck 2048 Aug 12 19:57 ignore.d.server/
drwxr-s--- 2 root logcheck 1024 Aug 12 19:57 ignore.d.workstation/
and the one it uses is defined in logcheck.conf. I was getting really
annoyed at seeing dumb stuff about gconfd, then I noticed I was using
"server" instead of "workstation". The ignore.d.workstation includes
a file "gconf", which lists exactly the junk I don't care about. Doh.
Of course, a server shouldn't be running insecure stuff like X.
> paste what you want to ignore. I do that and it doesn't ignore it.
> Some docs mention that it's all based on regular expressions so I tried
> enclosing the lines in quotes to no avail.
Here's a typical useless message (for me):
Oct 9 16:54:42 heretic gconfd (keeling-4010): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Here's an entry from gconf:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([._[:alnum:]-]+-[0-9]+\): Resolved address "[^[:space:]]+" to a read-only configuration source at position [^[:space:]]+$
That says:
- at the start of the line ("^")
- three non-whitespace chars ("Oct")
- a space
- the set of space, colon, zero through nine (eleven chars total),
then a space, then the set of period, underscore, alpha-numeric,
or dash/hyphen (more than zero of them "+")
- a space
- the string "gconfd"
- ...
> I _like_ most of what logwatch does, like telling me how many times a
> login happened, especially failed ones. I just don't like to have to
> pore through all the bootup lines every day.
Don't shutdown? Yeah, I know.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
Spammers! http://www.spots.ab.ca/~keeling/emails.html
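
The "report anything I don't tell it to ignore" approach from this thread, as an added example that is not part of the original message or of logcheck: it runs a file of ignore rules (extended regular expressions, one per line) over a log and prints what no rule matches, so a rule can be checked before it goes into an ignore.d directory. The function names unreported and demo are hypothetical and the sample log lines are constructed; the first uses the syslog timestamp with the day padded to two columns, the second has a single space there, which the rule's {11} count does not accept.

```shell
#!/bin/sh
# Print every line of log file $2 that no rule in rules file $1 matches.
# Blank lines and "#" comments are dropped from the rules first, because an
# empty pattern would match (and so hide) every log line.
unreported() {
    rules=$(mktemp) || return 1
    # grep exits 1 when it selects nothing; only exit 2 is a real error.
    grep -v -e '^[[:space:]]*$' -e '^#' "$1" > "$rules" || [ $? -eq 1 ]
    if [ -s "$rules" ]; then
        grep -E -v -f "$rules" "$2" || [ $? -eq 1 ]
    else
        cat "$2"
    fi
    rm -f "$rules"
}

# Constructed sample: the gconf rule quoted above against three log lines.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/gconf" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([._[:alnum:]-]+-[0-9]+\): Resolved address "[^[:space:]]+" to a read-only configuration source at position [^[:space:]]+$
EOF
    cat > "$dir/syslog" <<'EOF'
Oct  9 16:54:42 heretic gconfd (keeling-4010): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct 9 16:54:42 heretic gconfd (keeling-4010): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct  9 16:55:03 heretic sshd[4122]: Failed password for invalid user test from 192.0.2.10 port 4711 ssh2
EOF
    unreported "$dir/gconf" "$dir/syslog"
    rm -rf "$dir"
}

demo
```

Only the padded gconfd line is suppressed; the single-space copy and the sshd line are still reported, which is the safe direction for a rule to fail in.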