similar to: dedup and sort rules

hello everyone, thanks to todd 1.2.21 is out :) every release getting better, i would like to get consensus on these "important" bugs: #252078 logtail: should depend on perl >= 5.8 sarge as any other modern linux distro use perl 5.8.x, it's even inside of its base. backports are under the peril of its author if no one voices up, i'll close that bug in the next days.

Package: logcheck wanted to work on #195935, but found a less than funny issue, easy to reproduce: * remove some lines in front of your logfile * invoke logcheck you'll get a big email with all not matching lines from that log. not setting that to high priority because you are getting also the newer loglines. don't know if i find time that weekend. wanted to document it anyways. a++

Hi, See below: # getent group adm adm:x:4:root,adm,daemon And: # ls -l /var/log total 20384 -rw-r----- 1 root adm 43310 Jun 21 16:00 auth.log -rw-r----- 1 root adm 128247 Jun 19 06:47 auth.log.0 -rw-r----- 1 root adm 10318 Jun 12 06:47 auth.log.1.gz -rw-r----- 1 root adm 9508 Jun 5 06:47 auth.log.2.gz -rw-r----- 1 root adm 12475 May 29 06:47 auth.log.3.gz

Package: logcheck-database Version: 1.2.25 Severity: normal postfix/smtpd\[[0-9]+\]: lost connection after (CONNECT|DATA|RCPT|RSET|EHLO|HELO|MAIL) from Please include the above line in the ignore.d/server/postfix file. That catches messages that occur very often on busy Postfix servers. -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable')

I upgraded to 1.2.28, same results. Here are the rules I added. ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ perdition\[[0-9]+\]: Connect: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[NOTICE\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: [^[:space:]]+ \[INFO\] ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ exact\[[0-9]+\]: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ slapd\[[0-9]+\]: ^\w{3} [ :0-9]{11}

Hey team, I'll be at sea on and off this week, and as such my Internet access will depend on wifi availability while in port. 22a seems stable, but if any critical problems arise, feel free to prepare a release and bug Alfie to upload it. On the brighter side, I expect to be extremely bored while offline so I'll probably get some logcheck work done. <: Cheers, -- [ Todd J.

----- Forwarded message from General Stone <generalstone at gmx.net> ----- X-Original-To: maks at sternwelten.at Date: Mon, 2 Jan 2006 14:59:03 +0100 From: General Stone <generalstone at gmx.net> To: maximilian attems <maks at sternwelten.at> Subject: Re: [Logcheck-devel] Bug#344832: correct subject header On Mon, Jan 02, 2006 at 02:09:48PM +0100, maximilian attems wrote: >

Package: logcheck Version: 1.2.27 Severity: wishlist hello, in ignore.d.server/oidentd you have: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ oidentd\[[0-9]+\]: Connection from \ [._[:alnum:]-]+ \([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\):[0-9]{1,5}$ anyway, some oidentd logs don't have a hostname: oidentd[34562]: Connection from 241.145.24.135:2353 therefore you have to add: ^\w{3} [

hello, the debconf configuration of logcheck was removed since woody release: as logcheck's user base is targeting server admins, we don't see the need of a debconf based question regarding the frequency of logcheck. beside once per day is a good default. a note was added to documentation README.Debian that this value may be changed in /etc/cron.d/logcheck. so these bugreports will be

Package: logcheck-database Severity: wishlist Hi, the following two lines should be added either to ignore.d.server/dhcp or ignore.d.server/udhcp to ignore messages from udhcpd (other lines may be necessary) # udhcpd support ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udhcpd\[[0-9]+\]: sending OFFER of [.0-9]+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ udhcpd\[[0-9]+\]: sending ACK to [.0-9]+ filippo

On Tue, 2005-05-03 at 07:20 +0000, CVS User maks-guest wrote: > Modified Files: > logcheck.sgml > Log Message: > > minor addition describe 3 layers. > remove the url tag not recognized by docbook2man. > + > + <para>The reported messages are sorted in three different layers. > + The system events verbosity is governed by aboves level choice. > + The

On Sat, 15 May 2004, CVS User ttroxell wrote: > if [ -f /etc/logcheck/header.txt ] ; then > - $CAT /etc/logcheck/header.txt >> $TMPDIR/report > + $CAT /etc/logcheck/header.txt >> $TMPDIR/report \ > + || error "Could not append header to $TMPDIR/report Disk full?" > fi > } > > @@ -152,7 +157,8 @@ > # Add a footer

I have rules like this on my servers: ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ proftpd\[[[:digit:]]+\]: [._[:alnum:]-]+ \([._[:alnum:]-]+\[[[:digit:].]{7,15}\]\) (- )USER [-_.[:alnum:]]+: no such user found from [._[:alnum:]-]+ \[[[:digit:].]{7,15}\]\ to [[:digit:].]{7,15}:21$ basically, I just don't care about logins as nonexistent users, I get so many of those that I don't even

Package: logcheck Version: 1.2.39 Severity: normal Since I've upgraded my servers to sarge, I'm getting mail every hour for stuff that was duly included in /etc/logcheck/logcheck.ignore. Turns out that sarge's version no longer reads that file. If this was a conscious decision, then there should be some warning about this when upgrading (via debconf of NEWS.Debian). Also, the

hey todd, looked again at that return value check merge: @@ -557,7 +584,8 @@ # the same lines) and reduce CPU and memory usage afterwards. debug "Sorting logs" $SORT -m $TMPDIR/logoutput/* | uniq | sed -e 's/ *$//' \ - > $TMPDIR/logoutput-sorted + > $TMPDIR/logoutput-sorted \ + ||error "Could not output to $TMPDIR/logoutput-sorted Disk Full?" i guess

Package: logcheck-database Version: 1.2.40 Severity: wishlist Hi, Please duplicate the imap-login related lines and change them to filter out the equivalent messages emitted by pop3-login. regards Andrew -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel:

Package: logcheck Version: 1.2.20a Severity: important Since logcheck changed to run as user logcheck, the error mails of the cron daemon end up in /var/mail/logcheck where nobody reads them. Mails for logcheck should be aliased to root like all the other mails of system accounts. I was searching for a long time what was wrong with my logcheck not delivering any mails. The lock directory was

Package: logcheck Version: 1.2.42 Severity: minor Tags: patch Logcheck does not report any error if the config file is not readable or does not exists. This may easily happen, as logcheck is run as logcheck user and while one is testing a new configuration on live system with running configuration intact. Following fragment may help: # Now source the config file - before things that should

Package: logcheck Version: 1.2.23 Severity: normal Hello, I have: # /bin/cat ignore.d.server/cron ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crontab\[[0-9]+\]: \([[:alnum:]-]+\) REPLACE \([[:alnum:]-]+\)$ and: # /bin/cat ignore.d.paranoid/cron ^\w{3} [ :0-9]{11} [._[:alnum:]-]+

Package: logcheck Version: 1.2.20a Severity: serious Tags: patch On a system where sh points to dash and LANG=es_ES, I get this: # apt-get -y --reinstall install logcheck Leyendo lista de paquetes... 0% Leyendo lista de paquetes... 0% Leyendo lista de paquetes... 23% Leyendo lista de paquetes... Hecho Creando ?rbol de dependencias... 0% Creando ?rbol de dependencias... 0% Creando ?rbol de