Hi, I'm running logcheck 1.2.39 on Debian Sarge (stable). At 9:00am, 3:00pm, 9:00pm and 3:00am each day I get an email alert from logcheck that looks like this:

System Events
=-=-=-=-=-=-
Oct 5 09:00:03 [hostname] NTP: Wed 05 Oct 2005 09:00:03 AM PDT

I just discovered logcheck a couple days ago and like it a lot, but figuring out how to edit the ignore lists in order to get rid of an alert like this completely escapes me. I don't know anything about regex and what I've read so far makes my head spin. I also get a long daily alert from snort that I may want to ignore.

Can someone provide a step-by-step HOWTO on how to go from an alert you don't want to an edited ignore file that disposes of it (and only it)?

Thanks.

Brian
Jamie L. Penman-Smithson
2005-Oct-05 17:09 UTC
[Logcheck-users] logcheck alerting for NTP every six hours
On Wed, 2005-10-05 at 09:21 -0700, Brian C wrote:
> At 9:00am, 3:00pm, 9:00pm and 3:00am each day I get an email alert from
> logcheck that looks like this:
> <snip>
> Oct 5 09:00:03 [hostname] NTP: Wed 05 Oct 2005 09:00:03 AM PDT

If you find messages that should be ignored, but currently are not, you should file a bug report against logcheck-database in the BTS. That way everyone benefits from an improved version of logcheck. If you've not done this before, you should read http://www.debian.org/Bugs/Reporting beforehand. To make sure you're not going to be filing a duplicate bug, try looking through the list at http://bugs.debian.org/logcheck and http://bugs.debian.org/logcheck-database. A handy tool which will guide you through the process and list bugs already reported is reportbug.

There are caveats to the above: messages from software not included in Debian, startup/shutdown and debug messages will not be included in the rules packaged with logcheck. In other words, please don't file bugs.

If you really want to learn about regular expressions, or you want to ignore stuff which won't be included with logcheck, there are tonnes of sites with help. One being the "Tao of Regular Expressions": http://sitescooper.org/tao_regexps.html

The best idea is to go forth and Google. After that, muchos practise. If you get stuck on something specific, come let us know and we'll try and help.

HTH,

-- 
-Jamie L. Penman-Smithson <jamie@silverdream.org>
t: +44 1273 424795; f: +44 1273 424795
PGP: C0A7 955E EED6 A309 23D7 863B C76A 26A3 F0DC FCA8
never send mail to: oubliette.z@gmail.com
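One way to get from the unwanted NTP alert to an ignore rule that drops it and only it, as an added example that is not part of either message: write the rule against the line, then check it with the same inverted egrep that logcheck applies to its ignore files before installing it. The hostname `myhost`, the rule file path in the comment and the two extra log lines are constructed for this example.

```shell
# Added example (not from the thread): test a candidate logcheck ignore rule
# against sample log lines before dropping it into an ignore file such as
# /etc/logcheck/ignore.d.server/local-ntp (path is an assumption).
# logcheck removes lines with egrep -v -f <rulefile>, so a rule should match
# the whole line it is meant to suppress and nothing else.

# Constructed sample log lines: the NTP line from the thread (syslog pads a
# single-digit day with a space) plus two lines that must still be reported.
SAMPLE_LOG='Oct  5 09:00:03 myhost NTP: Wed 05 Oct 2005 09:00:03 AM PDT
Oct  5 09:00:04 myhost NTP: time reset +0.812 s
Oct  5 09:01:10 myhost sshd[1234]: Failed password for root from 10.0.0.5 port 4022 ssh2'

# The ignore rule. Anchored with ^ and $, every field pinned to a character
# class, so the timestamp chatter is dropped without hiding other NTP messages.
#   ^\w{3} [ :[:digit:]]{11}   syslog prefix: month, day, HH:MM:SS
#   [._[:alnum:]-]+            hostname
IGNORE_RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ NTP: \w{3} [0-9]{2} \w{3} [0-9]{4} [0-9:]{8} (AM|PM) [A-Z]{3,4}$'

# Print the lines that would still be reported after the rule is applied,
# using the same filter logcheck does: extended regex, inverted match, rule file.
filter_with_rule() {
    rulefile=$(mktemp)
    printf '%s\n' "$IGNORE_RULE" > "$rulefile"
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v -f "$rulefile" || true
    rm -f "$rulefile"
}

# Number of lines that survive the rule; 2 means only the timestamp line went.
count_reported() {
    filter_with_rule | grep -c .
}

filter_with_rule
```

Run the rule against a real day of syslog the same way (`grep -E -v -f rulefile /var/log/syslog`) and compare the line counts before and after; a drop larger than the number of NTP timestamp lines means the rule is too loose.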