Remark
This page is outdated. The current version of this page is at https://redmine.auroville.org.in/projects/public-pages/wiki/Logcheck
Versions
The information on this page is based on working with logcheck on Debian 6.0 Squeeze (logcheck 1.3.13), Debian 7 Wheezy (logcheck 1.3.15) and Jessie (logcheck 1.3.17).
References
- Main documentation:
Online: http://logcheck.org/docs/
As installed: directories /usr/share/doc/logcheck and /usr/share/doc/logcheck-database.
The .gz files may conveniently be read using zcat and less. For example:
zcat /usr/share/doc/logcheck-database/README.logcheck-database.gz | less
- logcheck man page (HTML format): http://linux.die.net/man/8/logcheck
...
The "from" address is "logcheck system account".
Terminology and naming
- filters, patterns and rules: The logcheck documentation uses "filter", "pattern" and "rule" interchangeably, applying them to directories, files and individual regular expressions.
...
- On this WIKI page, only "filter" is used. It is used only to mean a single filter (a line in a file). On this page, a file of filters is called a "filter file".
- server and workstation are filtering levels, not computer roles. From README.logcheck:
- ignore.d.server: "as the name implies, this is intended to cut out the routine messages
...
..."
- ignore.d.workstation: "... is only appropriate for relatively sheltered, non-critical machines"
- Filter file names: The filter file for generic messages is called "logcheck". The rest of the filter files are named after a Debian package and contain filters for messages generated by software in the package.
logcheck emails
Unwanted messages under ATTACK ALERT
...
- If using sort to order filter files as suggested, sort's --version-sort (-V) option may be required.
- Multiple local-<package name> files have the advantage of being installable and removable with the associated package.
Installing filters in a filter file
...
If a standard set of local-* filter files is installed on multiple computers and the set needs to be extended, a different naming convention is needed for the extra files. They may, for example, be for a specific role, configuration or defect. They could be called:
- The processing load can be reduced by installing them with the extension .disabled and removing it only when needed.
- Host-specific filter files can have prefix local-local-
...
Backups
If updating an existing file, the original can be backed up under a name which does not consist entirely of upper and lower case letters, digits, underscores and hyphens, for example local-foo.bak or local-foo~. logcheck will not use such files.
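As an added example (not from this wiki or from the logcheck project), the following POSIX shell script checks the two things the naming and filter sections above rely on: which filter file names logcheck will actually load (it assumes run-parts naming, so local-foo.bak, local-foo~ and .disabled files are skipped) and what a candidate filter lets through when applied the way logcheck applies it (grep -E -v -f). The log lines and filters are constructed samples.

```sh
#!/bin/sh
# Added example for this page, not code from the wiki or from logcheck itself.
# Assumptions: logcheck loads only filter files whose name consists solely of
# letters, digits, underscores and hyphens (run-parts naming), and it drops a
# log line when any filter matches it (grep -E -v -f FILTERFILE).

# Returns 0 if logcheck would load the filter file named $1, 1 if it skips it,
# so local-foo is used while local-foo.bak, local-foo~ and local-foo.disabled
# are ignored.
logcheck_uses_file() {
    printf '%s\n' "$(basename "$1")" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Prints the lines of log file $2 that no filter in file $1 matches, i.e. the
# lines that would reach the logcheck email. grep exits 1 when every line was
# filtered away; that is not an error here.
unfiltered_lines() {
    grep -E -v -f "$1" "$2" || [ $? -eq 1 ]
}

# Number of lines a filter file lets through; handy for checking a new filter
# before installing it.
count_unfiltered() {
    unfiltered_lines "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration on constructed sample data in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed log lines: one routine login, two an admin should still see.
    cat >"$tmp/log" <<'EOF'
Jan 12 10:00:01 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan 12 10:00:05 host1 sshd[1240]: Failed password for root from 198.51.100.7 port 50123 ssh2
Jan 12 10:01:00 host1 CRON[1250]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
    # Anchored filter in the style of the shipped ones: only the routine
    # "Accepted publickey" line is dropped, so two lines remain.
    cat >"$tmp/local-sshd" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [[:alnum:]]+ from [.[:digit:]]+ port [[:digit:]]+ ssh2$
EOF
    echo "narrow filter leaves $(count_unfiltered "$tmp/local-sshd" "$tmp/log") line(s)"
    # An unanchored filter also swallows the failed login: only one line remains.
    echo 'sshd' >"$tmp/local-sshd-broad"
    echo "broad filter leaves $(count_unfiltered "$tmp/local-sshd-broad" "$tmp/log") line(s)"
    rm -rf "$tmp"
}

demo
```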
...