
Re: Filter logcheck reboot messages?



On Sat, Dec 09, 2017 at 04:49:09PM +0100, Sven Hartge wrote:
> Ulf Volmer <u.volmer@u-v.de> wrote:
> > On 09.12.2017 15:37, Sven Hartge wrote:
> >> Richard Hector <richard@walnut.gen.nz> wrote:
> >>> Nobody else uses logcheck? Everyone is fine with how it works?

I use it on a few dozen servers and I'm fine with how it works.

Yes, the majority of the content in the reboot messages is just routine
stuff, so I skip over it, checking only the first few lines and the last
few lines for anything questionable, without bothering to examine every
single line in between.  Still good to have all the "business as usual"
status messages in the middle, though, as that provides a record that I
can go back and examine later if any problems do crop up, and which is
independent of the machine itself, in case it's in too bad of shape to
be able to examine its logs directly.

> This is also the reason why I prefer logcheck over logwatch. 
> 
> With logcheck you define "normal behavior" and it gets filtered out. The
> rest is then per definition "abnormal behavior" and gets sent via mail.
> 
> For logwatch on the other side you define the "abnormal behavior"
> beforehand, which I find much more inconvenient and difficult, because I
> mostly don't know if something is normal or not before I can see it.

I actually use both.  logcheck gives me quick (hourly) notice of
abnormal events when they occur and logwatch gives me daily summaries of
each machine's activity - not just unusual log messages, but also
actions taken by fail2ban, numbers of failed login attempts by source,
disk space status, etc.  logwatch can also serve as a (slow) heartbeat
for detecting machines which have failed or had their disks go into
read-only mode (which prevents logs from being written, so logcheck has
no log activity to report on) by setting up a script which knows what
logcheck reports should be received each day and warns if any are
missing.

-- 
Dave Sherohman
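The two mechanisms discussed in this thread, logcheck's "everything not matched by an ignore rule is abnormal" filter and a heartbeat check that flags hosts whose daily report never arrived, as an added illustration (not code from the thread, not logcheck's own implementation). The log lines, ignore rules and host list are constructed for the example.

```python
import re
from datetime import date

# Constructed ignore rules in the logcheck style: each regex describes one
# kind of log line that is considered normal and should be dropped.
IGNORE_RULES = [
    r"^\w{3} [ :0-9]{11} [\w.-]+ CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.\w+\)$",
    r"^\w{3} [ :0-9]{11} [\w.-]+ systemd\[\d+\]: Started Session \d+ of user \w+\.$",
    r"^\w{3} [ :0-9]{11} [\w.-]+ sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+ ssh2$",
]

# Constructed syslog excerpt (hosts and addresses are documentation values).
SAMPLE_LOG = """\
Dec  9 15:37:01 web1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Dec  9 15:37:05 web1 systemd[1]: Started Session 42 of user dave.
Dec  9 15:38:10 web1 sshd[2222]: Accepted publickey for dave from 192.0.2.10 port 50022 ssh2
Dec  9 15:40:00 web1 kernel: EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
Dec  9 15:41:13 web1 sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 4100 ssh2
"""


def abnormal_lines(log_text, rules=IGNORE_RULES):
    """Return every non-empty line that no ignore rule matches.

    This is the logcheck model from the thread: normal behaviour is
    enumerated, and whatever is left over is reported.
    """
    compiled = [re.compile(r) for r in rules]
    return [line for line in log_text.splitlines()
            if line and not any(c.search(line) for c in compiled)]


def missing_reports(expected_hosts, last_seen, today):
    """Heartbeat check: hosts whose most recent report is not from today.

    A host with a read-only filesystem or a dead machine produces no
    report at all, which is exactly what this catches.
    """
    return sorted(h for h in expected_hosts if last_seen.get(h) != today)


if __name__ == "__main__":
    for line in abnormal_lines(SAMPLE_LOG):
        print("ABNORMAL:", line)
    # Constructed state: db1 never reported, web2 last reported yesterday.
    seen = {"web1": date(2017, 12, 9), "web2": date(2017, 12, 8)}
    print("MISSING:", missing_reports({"web1", "web2", "db1"}, seen, date(2017, 12, 9)))
```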
