[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: best log checker

On Thu, Feb 01, 2007 at 02:55:12AM +0000, s. keeling wrote:
> Douglas Allan Tutty <dtutty@porchlight.ca>:
> >  I'm trying to find a good log checker.
> > 
> >  Basically, I want it to report anything that I don't tell it to ignore.
> Well, there's always a shell script that looks for date --yesterday
> (nonportable), then grep -v 'string1|string2|...'  Don't laugh.  It's
> what I used before logcheck.
> >  I've tried logcheck first and when I couldn't get it to do what I want I
> >  tried logwatch.  It has an ignore file that it says to just cut and
> It does?  Mine (sarge/stable) has ignore directories:
> drwxr-s---    2 root logcheck 1024 Oct 23 20:37 ignore.d.paranoid/
> drwxr-s---    2 root logcheck 2048 Aug 12 19:57 ignore.d.server/
> drwxr-s---    2 root logcheck 1024 Aug 12 19:57 ignore.d.workstation/
> and the one it uses is defined in logcheck.conf.  I was getting really
> annoyed at seeing dumb stuff about gconfd, then I noticed I was using
> "server" instead of "workstation".  The ignore.d.workstation includes
> a file "gconf", which lists exactly the junk I don't care about.  Doh.
> Of course, a server shouldn't be running insecure stuff like X.
> >  paste what you want to ignore.  I do that and it doesn't ignore it.
> >  Some docs mention that its all based on regular expressions so I tried
> >  enclosing the lines in quotes to no avial.
> Here's a typical useless message (for me):
>   Oct  9 16:54:42 heretic gconfd (keeling-4010): Resolved address
>        "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
>        configuration source at
>        position 0
> Here's an entry from gconf:
>   ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd 
>        \([._[:alnum:]-]+-[0-9]+\): Resolved address "[^[:space:]]+"
>        to a read-only configuration source at position [^[:space:]]+$
> That says:
>    - at the start of the line ("^")
>    - three non-whitespace chars ("Oct")
>    - a space
>    - the set of space, colon, zero through nine (eleven chars total),
>      then a space, then the set of period, underscore, alpha-numeric,
>      or dash/hyphen (more than zero of them "+")
>    - a space
>    - the string "gconfd"
>    - ...
> >  I _like_ most of what logwatch does, like telling me how many times a
> >  login happened, especially failed ones.  I just don't like to have to
> >  pour through all the bootup lines every day.
> Don't shutdown?  Yeah, I know.

Its a workstation.  I turn off most of the power at night.  

Your exaple is logcheck, which I agree relies on RE, whereas I gave up
on that because of that and tried logwatch which has an ignore file.

I _wish_ that logwatch or logcheck came out-of-the-box able to ignore
ingnorable stuff on a stock debian workstation.  

RE has always looked to me like a squirrl has been having lunch on the

Why doesn't someone make a companion interactive rule maker?  Run it in
the foreground and have it give you each line it would normally report
and you say yae or nay.  From that it could make RE rules.


Reply to: