When logcheck mails a message, it means logcheck is not configured to filter it out.

The first question is "Should the message be filtered out?".  Perhaps the message shows there's an issue that should be resolved.  Perhaps the message is generated so rarely that it is not worth the work of filtering it out.  Server boot messages are like that.

If the message should be filtered out ... 

Determine which directory logcheck is loading its filter files from.  Normally this is /etc/logcheck/ignore.d.server.  It can be changed in the configuration file and by logcheck command line option -c.  Assuming logcheck is loading its filter files from /etc/logcheck/ignore.d.server ...

Is there already a file for this "package"?  The package name should appear in the unfiltered message, the same as it appears in the log file.  For example, in this message ...

Feb 15 06:25:15 LS1 ovpn-client.BLAV[1667]: read UDPv4 [EMSGSIZE Path-MTU=1400]: Message too long (code=90)

... the part in red (ovpn-client) is the "package" name.  Except things are seldom so simple; ovpn-client messages come from software installed by the openvpn package.

Filter files installed by the logcheck package are named after the packages whose messages they filter, for example /etc/logcheck/ignore.d.server/openvpn.

If there is a file for this package, it will likely have some filters that could be used as a basis for the new filter.  Each line in a filter file is a regular expression that matches the message it filters out.  For example:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Replay-window backtrack occurred \[[[:digit:]]+\]$

  1. The grey part, ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ , matches from the start of the line through the time stamp and server name.  It is common to most (all?) filters.
  2. The green part, (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:, matches the package name (for openvpn extended with the config file name) and [the service's PID]:
  3. The rest is specific to this particular message.
  4. To ensure a complete match, filters begin with ^ and end with $.

Further information (includes tips on writing and testing filters):

zcat /usr/share/doc/logcheck-database/README.logcheck-database.gz | less

Notes on README.logcheck-database:

  • When debugging regexes, progressively right-truncate the regex until a match is found. Sometimes egrep's -o option is helpful (it shows what has been matched).
  • If using sort to order filter files as suggested, sort's -V option may be required.
  • Multiple local-<package name> files have the advantage of being installable and removable with the associated package.
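The filter layout described above and the testing tips from README.logcheck-database, as an added example (not from the original page or the logcheck project): a script that builds a constructed sample log and a local-openvpn filter file, then reports which lines would still be mailed. It assumes GNU grep, since the \w in the page's regex is a GNU extension; the file paths and the sshd line are constructed for the example.

```shell
#!/bin/sh
# Added example: which sample log lines does a logcheck filter file let
# through?  Uses the "egrep -f FILTER LOG" approach README.logcheck-database
# recommends.  Assumes GNU grep; log lines and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FILTER="$WORK/local-openvpn"
LOG="$WORK/sample.log"

# Constructed sample log: the two openvpn messages quoted on this page plus
# an unrelated sshd line that an openvpn filter must not swallow.
cat >"$LOG" <<'EOF'
Feb 15 06:25:15 LS1 ovpn-client.BLAV[1667]: read UDPv4 [EMSGSIZE Path-MTU=1400]: Message too long (code=90)
Feb 15 06:25:16 LS1 ovpn-client.BLAV[1667]: Replay-window backtrack occurred [1]
Feb 15 06:25:17 LS1 sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
EOF

# Filter file: the Replay-window filter from this page, plus a new filter for
# the EMSGSIZE message built on the same grey (timestamp/host) and green
# (package name + PID) prefix, anchored with ^ and $.
cat >"$FILTER" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]:( ([-_.@[:alnum:]]+/)?[.[:digit:]]{7,15}:[[:digit:]]{2,5})? Replay-window backtrack occurred \[[[:digit:]]+\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (openvpn|ovpn-[._[:alnum:]-]+)\[[[:digit:]]+\]: read UDPv4 \[EMSGSIZE Path-MTU=[[:digit:]]+\]: Message too long \(code=[[:digit:]]+\)$
EOF

# Lines logcheck would still mail: everything NOT matched by any filter line.
unfiltered() {
    grep -E -v -f "$1" "$2" || true
}

# Number of log lines one regex matches; useful while right-truncating a
# regex to find the point where it stops matching.
count_matches() {
    grep -E -c -e "$1" "$2" || true
}

echo "Still unfiltered:"
unfiltered "$FILTER" "$LOG"
```

Only the sshd line is printed; each openvpn line is matched by exactly one filter.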
