Re: best log checker



On Thu, Feb 01, 2007 at 02:55:12AM +0000, s. keeling wrote:
Douglas Allan Tutty <dtutty@xxxxxxxxxxxxx>:
I'm trying to find a good log checker.

Basically, I want it to report anything that I don't tell it to ignore.

Well, there's always a shell script that looks for date --yesterday
(nonportable), then grep -v 'string1|string2|...' Don't laugh. It's
what I used before logcheck.

I've tried logcheck first and when I couldn't get it to do what I want I
tried logwatch. It has an ignore file that it says to just cut and

It does? Mine (sarge/stable) has ignore directories:

drwxr-s--- 2 root logcheck 1024 Oct 23 20:37 ignore.d.paranoid/
drwxr-s--- 2 root logcheck 2048 Aug 12 19:57 ignore.d.server/
drwxr-s--- 2 root logcheck 1024 Aug 12 19:57 ignore.d.workstation/

and the one it uses is defined in logcheck.conf. I was getting really
annoyed at seeing dumb stuff about gconfd, then I noticed I was using
"server" instead of "workstation". The ignore.d.workstation includes
a file "gconf", which lists exactly the junk I don't care about. Doh.

Of course, a server shouldn't be running insecure stuff like X.

paste what you want to ignore. I do that and it doesn't ignore it.
Some docs mention that it's all based on regular expressions so I tried
enclosing the lines in quotes to no avail.

Here's a typical useless message (for me):

Oct 9 16:54:42 heretic gconfd (keeling-4010): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0

Here's an entry from gconf:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ gconfd \([._[:alnum:]-]+-[0-9]+\): Resolved address "[^[:space:]]+" to a read-only configuration source at position [^[:space:]]+$

That says:

- at the start of the line ("^")

- three non-whitespace chars ("Oct")

- a space

- the set of space, colon, zero through nine (eleven chars total),
then a space, then the set of period, underscore, alpha-numeric,
or dash/hyphen (more than zero of them "+")

- a space

- the string "gconfd"

- ...

I _like_ most of what logwatch does, like telling me how many times a
login happened, especially failed ones. I just don't like to have to
pore through all the bootup lines every day.

Don't shut down? Yeah, I know.

It's a workstation. I turn off most of the power at night.

Your example is logcheck, which I agree relies on RE, whereas I gave up
on that because of that and tried logwatch which has an ignore file.

I _wish_ that logwatch or logcheck came out-of-the-box able to ignore
ignorable stuff on a stock Debian workstation.

RE has always looked to me like a squirrel has been having lunch on the
keyboard.

Why doesn't someone make a companion interactive rule maker? Run it in
the foreground and have it give you each line it would normally report
and you say yea or nay. From that it could make RE rules.

Doug.
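
The interactive rule maker wished for at the end of the message, sketched as an added example (not code from the thread, logcheck or logwatch). The function names, the choice to generalise only digit runs, and the sample log lines are assumptions made for this illustration.

```sh
# Added example: build narrow logcheck-style ignore rules from lines a human
# has judged harmless, then report everything the rules do not cover.

# Print an anchored ERE for one syslog line ($1). The header (timestamp, host)
# uses the prefix of the gconf rule quoted in the thread; the message stays
# literal except that digit runs (PIDs, counters) become [0-9]+. Keeping the
# rule this narrow is deliberate: a loose ignore rule can hide other messages.
make_rule() {
    printf '%s\n' "$1" | sed -E \
        -e 's/^.{15} [^ ]+ //' \
        -e 's/[][\.*^$+?(){}|]/\\&/g' \
        -e 's/[0-9]+/[0-9]+/g' \
        -e 's/^/^\\w{3} [ :0-9]{11} [._[:alnum:]-]+ /' \
        -e 's/$/$/'
}

# Print the lines of log file $1 that no rule in rules file $2 matches.
unignored() {
    grep -E -v -f "$2" "$1" || [ $? -eq 1 ]   # exit 1 only means "no lines"
}

# Walk log file $1. Each line not yet covered by rules file $2 is shown and
# a yea/nay answer is read from fd 3; "y" appends a rule, so later lines of
# the same shape are not asked about again.
triage() {
    [ -e "$2" ] || : >"$2"
    while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -E -q -f "$2"; then continue; fi
        printf '%s\nignore? [y/N] ' "$line" >&2
        IFS= read -r ans <&3 || break
        if [ "$ans" = y ]; then make_rule "$line" >>"$2"; fi
    done <"$1"
    return 0
}

# Constructed sample log (syslog pads single-digit days with a space, which
# is what makes the {11} in the header prefix line up).
sample_log() {
    cat <<'EOF'
Oct  9 16:54:42 heretic gconfd (keeling-4010): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct  9 16:55:01 heretic sshd[2211]: Failed password for root from 192.0.2.7 port 40022 ssh2
Oct 10 08:01:13 heretic gconfd (keeling-3977): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
EOF
}
```

Run interactively as `triage logfile rules 3</dev/tty`, then `unignored logfile rules` for the daily report.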

