Ross Boylan
2006-Nov-06 22:53 UTC
[Logcheck-users] rule seems to be matching all but last occurrence
Every hour I get a mail from logcheck with a line like

Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50

The strange thing is that syslog is filled with similar lines, but this is the only one I get in the report. It is the last such line in each group:

# many similar lines deleted
Nov 6 12:08:32 wheat fetchnews[13617]: comp.std.c++: considering articles 177500 - 177504
Nov 6 12:08:34 wheat fetchnews[13617]: comp.std.c++: 5 articles fetched (to 6683), 0 killed
Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for tsoft.general to global expire 50
Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.parallel to global expire 50
Nov 6 12:08:34 wheat fetchnews[13617]: comp.parallel: no new articles
Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for news.announce.newusers to global expire 50
Nov 6 12:08:34 wheat fetchnews[13617]: news.announce.newusers: no new articles
Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux to global expire 50
Nov 6 12:08:34 wheat fetchnews[13617]: comp.os.linux: no new articles
Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50
Nov 6 12:08:34 wheat fetchnews[13617]: comp.os.linux.admin: no new articles
Nov 6 12:08:36 wheat fetchnews[13617]: wrote active file with 80596 lines
Nov 6 12:08:36 wheat fetchnews[13617]: child has process ID 13638

I have a pattern in ignore.d.server/local:

fetchnews\[[[:digit:]]+\]:

(yes, I know that's sloppy). In terms of obvious checks, logcheck.conf has REPORTLEVEL="workstation" and

wheat:/etc/logcheck# ls -l ignore.d.server/local
-r--r--r-- 1 root logcheck 5041 Jun 25 2005 ignore.d.server/local

When I run syslog through egrep with this pattern, it picks out the line. The fact that I don't have tons of entries with "clamping maxage" also suggests it is (mostly) working, since none of the stock leafnode entries match that.
So, any suggestions how to figure out what is going on? Thanks. Ross Boylan P.S. fetchnews is part of leafnode, which provides its own set of rules. Once I get something working, I plan to let them know about it. They also have duplicated entries in ignore.d.paranoid and server.
Ross Boylan
2006-Nov-12 02:24 UTC
[Logcheck-users] Re: rule seems to be matching all but last occurrence [SOLVED]
On Mon, Nov 06, 2006 at 01:29:13PM -0800, Ross Boylan wrote:
> Every hour I get a mail from logcheck with a line like
> Nov 6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50

This was matching the "admin" pattern in violations.d/logcheck. That is why similar lines didn't show up (they didn't have admin in the group name) and why my fiddles in ignore.d.server had no effect (this was a "Security Event" not a "System Event"). I've developed some rules that I think fix it (and some other things) up, but will test them for awhile. When they look good, I'll submit a bug, unless you'd prefer I just mail them to this list.

Ross Boylan
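The two posts above describe logcheck's layering: a line that hits a violations.d pattern is reported as a "Security Event" unless a violations.ignore.d pattern also matches, and only lines that survive that stage are filtered by ignore.d.*. The following is an added illustration, not code from the thread or from logcheck itself; it re-implements that ordering over the quoted syslog lines (constructed sample), assumes the "admin" violations pattern the reply mentions, and rewrites the POSIX `[[:digit:]]` class to `\d` because Python's `re` does not understand it.

```python
import re

# Constructed sample of the syslog lines quoted in the first post.
LOG_LINES = [
    "Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for tsoft.general to global expire 50",
    "Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux to global expire 50",
    "Nov  6 12:08:34 wheat fetchnews[13617]: comp.os.linux: no new articles",
    "Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50",
    "Nov  6 12:08:36 wheat fetchnews[13617]: wrote active file with 80596 lines",
]

# Rule files reduced to the patterns the thread talks about (assumed contents).
VIOLATIONS = ["admin"]                       # violations.d/logcheck
VIOLATIONS_IGNORE = []                       # violations.ignore.d/*: nothing, hence the report
IGNORE = [r"fetchnews\[[[:digit:]]+\]:"]     # ignore.d.server/local (the poster's rule)

# A hypothetical violations.ignore.d rule that would suppress exactly these lines.
FIXED_VIOLATIONS_IGNORE = [
    r"fetchnews\[[[:digit:]]+\]: clamping maxage for [^ ]+ to global expire [[:digit:]]+$"
]

def posix_to_py(pattern):
    """Translate the POSIX bracket classes used in logcheck rules (egrep syntax)
    into Python re syntax. Only the classes needed here are handled."""
    return pattern.replace("[[:digit:]]", r"\d").replace("[[:alnum:]]", "[A-Za-z0-9]")

def matches_any(line, patterns):
    # egrep -f matches anywhere in the line, so use search(), not match().
    return any(re.search(posix_to_py(p), line) for p in patterns)

def classify(line, violations=VIOLATIONS, violations_ignore=VIOLATIONS_IGNORE, ignore=IGNORE):
    """Return 'security', 'system' or None (suppressed), checking the layers in
    logcheck's order: violations.d (minus violations.ignore.d), then ignore.d.*."""
    if matches_any(line, violations) and not matches_any(line, violations_ignore):
        return "security"          # ignore.d.* is never consulted for this line
    if matches_any(line, ignore):
        return None
    return "system"

def report(lines, **layers):
    """Group lines the way the hourly mail does; suppressed lines are dropped."""
    out = {"security": [], "system": []}
    for line in lines:
        verdict = classify(line, **layers)
        if verdict:
            out[verdict].append(line)
    return out

if __name__ == "__main__":
    print(report(LOG_LINES))
    print(report(LOG_LINES, violations_ignore=FIXED_VIOLATIONS_IGNORE))
```

Only the comp.os.linux.admin line reaches the report, and it does so as a Security Event, which is why editing ignore.d.server changed nothing; adding the matching violations.ignore.d rule empties the report.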