control: + moreinfo thanks

Hi James - was there any followup on the suggestions below?

the latest logcheck (now in testing) should give more readable information when run with the '-d' option which can help debug issues with rules (a bit anyway).

Otherwise, we would close this bug as unactionable

On Tue, 20 Sep 2022 17:31:20 +0100 Richard Lewis <richard.lewis.deb...@googlemail.com> wrote:
> Not sure this will help you, but no-one else replied so: i have previously
> looked at the logcheck code and i didn't see any way for there to be a bug
> where a rule matches but have output be sent anyway - (the way the paranoid
> level is implemented is less clear, but that does not apply here as far as
> i can see): the relevant code in logcheck just uses grep and emails
> anything not matched.
>
> So this will be an issue in your rules somehow - although i don't see
> anything wrong either.
>
> Can you rule out a timing issue where the rule was added after the cron job
> started, eg because the file was sitting unsaved in an editor? - logcheck
> copies all the rules when it starts. i have done this myself many times.
>
> The one small thing that jumped out to me is that the rule in question is
> not terminated by a $ - Could there be some whitespace issues here?
> (logcheck doesn't care what the rule looks like. but it does do some
> pre-processing to remove trailing whitespace - i don't recall but i suspect
> logcheck-test does not do that, and it definitely does not understand the
> (bizarre) exclusions and counter exclusions of paranoid rules that logcheck
> uses - i would not rely on logcheck-test).
>
> the other thing is that the . are not escaped. (i don't see why that should
> matter here)
>
> i'd recommend copying the syslog file and testing the rule matches with grep
>
> sorry for not being more helpful
>
> On Sun, 4 Sep 2022, 16:32 James Graves, <dms.sysad...@deltamobile.com>
> wrote:
>
> > Package: logcheck
> > Version: 1.3.23
> > Severity: normal
> >
> > I received an email for some chatter from systemd:
> >
> > System Events
> > =-=-=-=-=-=-=
> > Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
> >
> > And indeed this line does exist in /var/log/syslog:
> >
> >
> > However, this is already matched by a rule:
> >
> > # cd /etc/logcheck/ignore.d.server/
> > # grep Cleanup local-systemd
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting Cleanup of Temporary Directories...$
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Started Cleanup of Temporary Directories.$
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories.
> >
> > And the rule _does_ work:
> >
> > # logcheck-test -l /var/log/syslog -r local-systemd | grep Cleanup
> > Aug 28 13:58:24 lxc2 systemd[1]: Starting Cleanup of Temporary
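
The grep check recommended in the reply above, as an added example that is not part of the original thread or of logcheck itself: it runs the quoted rule against a copy of the reported line, once as written and once with a trailing space, to show how stray whitespace in a rule without a closing `$` lets the line through. The helper names, the temporary file names and the `sed` clean-up step are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample input: the log line and the third rule quoted in the report.
LINE='Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.'
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories.'

# count_unmatched RULEFILE LOGFILE (hypothetical helper)
# Prints how many log lines no rule matches, i.e. what would be reported.
count_unmatched() {
    grep -Ev -f "$1" "$2" | wc -l | tr -d ' '
}

# trailing_ws_lines RULEFILE (hypothetical helper)
# Lists rules that end in a space or tab, with their line numbers.
trailing_ws_lines() {
    grep -n '[[:space:]]$' "$1"
}

# strip_trailing_ws RULEFILE (hypothetical helper)
# Assumption: stands in for the pre-processing the thread mentions; it is not
# logcheck's code. Empty lines are dropped because an empty pattern given to
# grep -f matches every line.
strip_trailing_ws() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

printf '%s\n'  "$LINE" > "$work/syslog.copy"    # work on a copy of the log
printf '%s\n'  "$RULE" > "$work/rule.clean"     # rule exactly as quoted
printf '%s \n' "$RULE" > "$work/rule.trailing"  # same rule plus one trailing space
strip_trailing_ws "$work/rule.trailing" > "$work/rule.stripped"

for f in rule.clean rule.trailing rule.stripped; do
    n=$(count_unmatched "$work/$f" "$work/syslog.copy")
    echo "$f: $n line(s) left unmatched"
done
trailing_ws_lines "$work/rule.trailing" || true
```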