Remark

This page is outdated.  The current version of this page is at https://redmine.auroville.org.in/projects/public-pages/wiki/Logcheck

Versions

The information on this page is based on working with logcheck on Debian 6.0 Squeeze, 7 Wheezy and 8 Jessie, with logcheck 1.3.13, 1.3.15 and 1.3.17 respectively.

References

  1. Main documentation:
       • Online: http://logcheck.org/docs/
       • As installed: directories /usr/share/doc/logcheck and /usr/share/doc/logcheck-database.  The .gz files may conveniently be read using zcat and less.  For example:
         zcat /usr/share/doc/logcheck-database/README.logcheck-database.gz | less
  2. logcheck man page (HTML format): http://linux.die.net/man/8/logcheck

...

The "from" address is "logcheck system account".

Terminology and naming

  • filters, patterns and rules: the logcheck documentation uses "filter", "pattern" and "rule" interchangeably, applying them to directories, files and individual regular expressions.  On this WIKI page, only "filter" is used, and it is used only to mean a single filter (a line in a file).  On this page, a file of filters is called a "filter file".
  • server and workstation are filtering levels, not computer roles.  From README.logcheck:
    • "ignore.d.server; as the name implies, this is intended to cut out the routine messages ..."
    • "ignore.d.workstation ... is only appropriate for relatively sheltered, non-critical machines"
  • Filter file names: the filter file for generic messages is called "logcheck".  The rest of the filter files are named after a Debian package and contain filters for messages generated by software in the package.

logcheck emails

Unwanted messages under ATTACK ALERT

...

When considering third party filters, be aware that they may be designed to suit particular local conditions and so are not as widely applicable as the filters shipped with logcheck and other packages.  For example, the Blue Light filter files are designed to suit low reliability Internet connections; in other locations, messages which we filter out as routine would indicate an unusual event requiring attention.

...

  • If using sort to order filter files as suggested, sort's --version-sort (-V) option may be required.
  • Multiple local-<package name> files have the advantage of being installable and removable with the associated package.

Installing filters in a filter file

...

If a standard set of local-* filter files is installed on multiple computers and the set needs to be extended, a different naming convention is needed for the extra files.  They may, for example, be for a specific role, configuration or defect.  They could be called:

  • The processing load can be reduced by installing them with extension .disabled and only removing it when needed.
  • Host-specific filter files can have prefix local-local-

...

Backups

If updating an existing file, the original can be backed up under a name which does not consist entirely of upper and lower case letters, digits, underscores and hyphens; for example local-foo.bak or local-foo~.  Such files will not be read by logcheck.
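An added example (not from this wiki page or the logcheck project) that ties the file-name rule above to the "Installing filters in a filter file" section: it checks whether a file name is one logcheck will read at all (so local-foo.bak, local-foo~ and local-foo.disabled are skipped), and dry-runs a filter file against constructed log lines with grep -E -v -f, which mirrors how logcheck applies its ignore filters, so a new filter can be checked before it goes live.  The filter contents, log lines and hostnames are constructed for the example.

```shell
#!/bin/sh
# Returns 0 when logcheck would read a filter file with this name: the name
# must consist only of letters, digits, underscores and hyphens (the rule
# stated on this page). Anything else, e.g. .bak, ~ or .disabled, is ignored.
logcheck_uses_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed filter file contents: one extended regex per line, written in
# the anchored style used by the ignore.d filter files (timestamp, host,
# program[pid]: message). Only the "Connection closed ... [preauth]" noise
# is meant to be suppressed.
DEMO_FILTER='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by [.[:digit:]]+ port [[:digit:]]+ \[preauth\]$'

# Constructed sample log lines (RFC 5737 test addresses).
DEMO_LOG='Mar  3 10:11:12 host1 sshd[1234]: Connection closed by 192.0.2.10 port 51234 [preauth]
Mar  3 10:11:13 host1 sshd[1235]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2'

# Print the log lines ($2, newline separated) that the filters in $1 do NOT
# suppress, i.e. what logcheck would still put in its email. Blank lines are
# stripped from the filter text first: an empty regex matches every line and
# would silently suppress the whole log.
unfiltered() {
    filter_file=$(mktemp) || return 1
    printf '%s\n' "$1" | grep -v '^[[:space:]]*$' > "$filter_file"
    printf '%s\n' "$2" | grep -E -v -f "$filter_file" || :
    rm -f "$filter_file"
}

# Count of lines the demo filter lets through (expected: 1, the login).
count_unfiltered() {
    unfiltered "$DEMO_FILTER" "$DEMO_LOG" | wc -l | tr -d ' '
}

for name in local-foo local-foo.bak 'local-foo~' local-foo.disabled; do
    if logcheck_uses_name "$name"; then
        echo "read by logcheck:    $name"
    else
        echo "ignored by logcheck: $name"
    fi
done
echo "lines still reported: $(count_unfiltered)"
unfiltered "$DEMO_FILTER" "$DEMO_LOG"
```

To try a real candidate filter, pass its text and a slice of /var/log/auth.log to unfiltered; whatever is printed is what the filter does not yet cover.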

...