control: + moreinfo
thanks
Hi James - was there any follwup on the suggestions below?
the latest logcheck (now in testing) should gives more readable information
when run with the '-d' option which can help debug issues with rules (a bit
anyway).
Otherwise, we would close this bug as unactionable
On Tue, 20 Sep 2022 17:31:20 +0100 Richard Lewis <
richard.lewis.deb...@googlemail.com> wrote:
> Not sure this will help you, but no-one else replied so: i have previously
> looked at the logcheck code and i didnt see any way for there to be a bug
> where a rule matches but have output be sent anyway - (the way the
paranoid
> level is implemented is less clear, but that does not apply here as far as
> i can see): the relevent code in logcheck just uses grep and emails
> anything not matched.
>
> So this will be an issue in your rules somehow - although i dont see
> anything wrong either.
>
> Can you rule out a timing issue where the rule was added after the cron
job
> started, eg because the file was sitting unsaved in an editor? - logcheck
> copies all the rules when it starts. i have done this myself many times.
>
> The one small thing that jumped out to me is that the rule in question is
> not terminated by a $ - Could there be some whitespace issues here?
> (logcheck doesnt care what the rule looks like. but it does do some
> pre-processing to remove trailing whitespace - i dont recall but i suspect
> logcheck-test does not do that, and it definitely does not understand the
> (bizarre) exclusions and counter exclusions of paranoid rules that
logcheck
> uses - i would not rely on logcheck-test).
>
> the other thing is that the . are not escaped. (i dont see why that should
> matter here)
>
> i'd recommend copying the syslog file and testing the rule matches with
grep
>
> sorry for not being more helpful
>
> On Sun, 4 Sep 2022, 16:32 James Graves, <dms.sysad...@deltamobile.com>
> wrote:
>
> > Package: logcheck
> > Version: 1.3.23
> > Severity: normal
> >
> > I received an email for some chatter from systemd:
> >
> > System Events
> > =-=-=-=-=-=-=
> > Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary
Directories.
> >
> > And indeed this line does exist in /var/log/syslog:
> >
> >
> > However, this is already matched by a rule:
> >
> > # cd /etc/logcheck/ignore.d.server/
> > # grep Cleanup local-systemd
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]:
Starting
> > Cleanup of Temporary Directories...$
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]:
Started
> > Cleanup of Temporary Directories.$
> > ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]:
Finished
> > Cleanup of Temporary Directories.
> >
> > And the rule _does_ work:
> >
> > # logcheck-test -l /var/log/syslog -r local-systemd | grep Cleanup
> > Aug 28 13:58:24 lxc2 systemd[1]: Starting Cleanup of Temporary
