Erich Schubert
2006-Jan-04 23:30 UTC
[Logcheck-devel] Bug#241526: logcheck: Logcheck ignoring by number of occurrences
Package: logcheck Version: 1.2.42 Followup-For: Bug #241526 Hi, I'd also like to be able to ignore messages unless they occur too often, and maybe group certain messages when they occur very often. A typical example is postfix/smtp: connect to mx3.mail.yahoo.com[64.156.215.18]: read timeout (port 25) Oh my god! This really is critical information, isn't it? Well, when your server has like dozens of them it probably means something is broken with your network connectivitiy; then it's useful to know. As long as there are only single of these messages, they should just be ignored... Similarly: grouping them by the number of hits - like dicitionary attacks. For dictionary attacks, only the first and last attempt is that interesting that I'd like to see it in the logcheck result; if I need the complete data I can still access the original logfile. Thanks, Erich
Todd Troxell
2006-Jan-06 14:34 UTC
Bug#241526: [Logcheck-devel] Bug#241526: logcheck: Logcheck ignoring by number of occurrences
Hey Erich, On Thu, Jan 05, 2006 at 12:30:33AM +0100, Erich Schubert wrote:> Hi, > I'd also like to be able to ignore messages unless they occur too often, > and maybe group certain messages when they occur very often. > > A typical example is > postfix/smtp: connect to mx3.mail.yahoo.com[64.156.215.18]: read timeout > (port 25) > > Oh my god! This really is critical information, isn't it? > Well, when your server has like dozens of them it probably means > something is broken with your network connectivitiy; then it's useful to > know. As long as there are only single of these messages, they should > just be ignored... > > Similarly: > grouping them by the number of hits - like dicitionary attacks. > For dictionary attacks, only the first and last attempt is that > interesting that I'd like to see it in the logcheck result; if I need > the complete data I can still access the original logfile.While I'm generally opposed to adding this complexity to logcheck, (There's not really a simple implementation given the way we use egrep.) I'm not opposed to optionally doing things like this in post-processing. I've added a note to the IdeaPool[0] about this. [0] http://wiki.logcheck.org/index.cgi/IdeaPool -- Todd Troxell http://rapidpacket.com/~xtat