On 30/07/22 10:20, Andy Smith wrote:
> Hello,
>
> On Fri, Jul 29, 2022 at 04:30:19PM +1200, Richard Hector wrote:
>> My thought is to configure rsyslog to create extra logfiles, equivalent to syslog and auth.log (the two files that logcheck monitors by default), which only log messages at priority 'warning' or above, and configure logcheck to monitor those instead. This should cut down the amount of filter maintenance considerably. Does this sound like a reasonable idea?
>
> Personally I wouldn't (and don't) do it. It sounds like a bunch of work only to end up with things that get logged anyway (as you noted) plus the risk of missing other interesting things.
I started by enabling the extra logs on one system. I found I saw _more_ interesting things, because they weren't hidden by mountains of other stuff. That's in the boot-time kernel messages, btw. I only got 14 lines (total, not filtered by logcheck) when I was only showing warning or higher, rather than the screeds I normally see. I never had time to go through all those, even to read and understand them, let alone write filters, and having to decide what was important, what not, and whether the same messages with different values would be.
I think this will be useful to me, and the work isn't much because it's the same for every system (or at least every system that runs logcheck), which I can push out with ansible, where the filters have to be much more system- (or service-)specific.
The full logs are of course still there if I need to go back and look for something.
> I don't find writing logcheck filters to be a particularly big time sink. But if you do then it might alter the balance for you.
Thanks for your input :-) Richard
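As an added example (not from the thread, and not either poster's own configuration), here is a small POSIX sh script that writes the two fragments Richard's plan needs: an rsyslog rule file that mirrors Debian's default syslog/auth.log split with a floor of priority warning, and a replacement /etc/logcheck/logcheck.logfiles pointing logcheck at the new files. The file names, the "-warn" suffix and the "51-" prefix are assumptions; the DESTDIR staging root is there so the script can be run without touching the real /etc.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread. Generates the config
# fragments for "logcheck watches warning-and-above copies of syslog and
# auth.log". DESTDIR is a staging root so this can be run unprivileged;
# with an empty DESTDIR it writes the real /etc paths. File names and the
# "-warn" suffix are my assumptions.
set -eu

rsyslog_warning_rules() {
    # rsyslog classic selectors: "facility.priority" matches that priority
    # AND everything more severe, so *.warning catches warning, err, crit,
    # alert and emerg. Same facility split as Debian's 50-default.conf
    # (auth/authpriv to their own file, everything else to syslog), just
    # with a higher floor. The leading "-" means buffered (non-synced) writes.
    cat <<'EOF'
# Warning-and-above copies of auth.log and syslog, for logcheck to watch.
# The full auth.log and syslog are still written by 50-default.conf.
auth,authpriv.warning           /var/log/auth-warn.log
*.warning;auth,authpriv.none    -/var/log/syslog-warn.log
EOF
}

logcheck_logfiles() {
    # Replaces the default list (/var/log/syslog and /var/log/auth.log).
    cat <<'EOF'
/var/log/syslog-warn.log
/var/log/auth-warn.log
EOF
}

install_configs() {
    dest="${1:-}"
    mkdir -p "$dest/etc/rsyslog.d" "$dest/etc/logcheck"
    rsyslog_warning_rules > "$dest/etc/rsyslog.d/51-logcheck-warn.conf"
    logcheck_logfiles    > "$dest/etc/logcheck/logcheck.logfiles"
}

# Stage into a scratch directory for inspection; use install_configs ""
# (as root) to write the live files, then restart rsyslog.
install_configs "${DESTDIR:-./staged}"
```

On a Debian rsyslog install the new files inherit $FileOwner root, $FileGroup adm and $FileCreateMode 0640 from /etc/rsyslog.conf, which is what lets the logcheck user (a member of adm) read them; they also need their own logrotate stanza or they will grow unbounded. The caveat Andy raises is concrete here: sshd logs both accepted and failed logins at priority info, so none of those lines reach the -warn files and logcheck will no longer report them.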