Package: logcheck
Version: 1.4.2
Severity: wishlist

Dear Maintainer,

since bookworm rsyslog defaults to timestamps in short-iso-precise format, while logcheck rules (and journald) still default to the old rule format, and while the default logcheck rules in the package are easily switched, this poses problems for larger installations with local logcheck rules used on systems running different suites.

So I'd recommend to add some advice to logcheck/debian/NEWS based on this conversation on #debian-devel just now:

<h01ger> mbiebl: given #475303 as context, what's your advice on resolving this: rsyslog now uses new time format, journald uses the old format and logcheck rules are in the old format. does journald use the old format because this is bookworm upgraded and not fresh install? should i simply remove/ignore the timestamps in my logcheck rules? should we add some hint to the release notes?
- zwiebelbot- | (#debian-devel) Debian#475303: Enable support for high precision timestamps - https://bugs.debian.org/475303
<mbiebl> | h01ger: I wasn't aware that logcheck checks the journal until 2 weeks ago someone asked about it
<mbiebl> https://github.com/systemd/systemd/issues/26639 was the result of this discussion
<h01ger> yeah, it's a new feature (and sensible! i want it!)
<h01ger> mbiebl: issues/26639 seems sensible too. will/shall that land in bookworm?
<mbiebl> atm, it doesn't look like
<h01ger> dropping timestamps from all logcheck rules could mitigate this and is an easy way to run mixed suite setups
<h01ger> though it makes me wonder why i kept those for the last 10 or so years, if they now suddenly are not needed ;)
<h01ger> breaking habits..
<mbiebl> maybe you could make the existing parsing/regexps work with both formats
<mbiebl> 2023-03-16T12:45:45.159206+01:00
<mbiebl> vs
<mbiebl> 2023-03-16T12:50:13.503482+0100
<mbiebl> you'd basically just need an optional ':' in the timezone information
<mbiebl> that is rsyslog and journalctl --output=short-iso-precise
<h01ger> doesn't help with systems not yet running bookworm.
<h01ger> (and those are not all running bullseye either, but older releases too)
<mbiebl> I thought this was about fixing it in bookworm
<h01ger> well, it's also about using logcheck for all 'my' systems. i (co-)maintain several setups using logcheck...
<h01ger> and i'm sure i'm not the only one who'll encounter this
<h01ger> since when do both rsyslog and journalctl support --output=short-iso-precise ?
<h01ger> #475303 is from 2008, so i assume changing rsyslog format for old systems could work
<mbiebl> rsyslog uses rfc 3339 by default since bookworm (has supported for 10+years), journald supports short-iso-precise since I can remember
<h01ger> cool, so i'll switch to short-iso-precise everywhere at once
<mbiebl> systemd, just checked: since v234
<h01ger> i guess this could be a NEWS entry for logcheck
<mbiebl> | h01ger: so you'd miss o-o-stable (v232)
<h01ger> mbiebl: can i put this conversation in a wishlist bug against logcheck, asking to document this in NEWS?
<mbiebl> It was my impression that logcheck changed the regexps which match the timestamps in a way that both matched the old and new format?
<mbiebl> sure, feel free to quote this wherever you like
<h01ger> mbiebl: everyone using logcheck has local rules which need to be changed
<h01ger> hmpf, one setup has 13 machines still running stretch...
<h01ger> mbiebl: & thanks! ("feel free..")
<mbiebl> we do provide backports fwiw
<mbiebl> not sure if that is option in your case
<h01ger> it is, thanks!
<h01ger> systemd | 241-5~bpo9+1 | stretch-backports
<h01ger> cool cool. happy this is conceptually solved now ;) i've migrated very few systems to bookworm yet and have been noticing those 1-2 new daily mails since 2 weeks or so, knowing this will need solving eventually...
<h01ger> mbiebl: thank you very much for this conversation!

-- 
cheers,
        Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

The pandemic isn’t over. We just stopped caring about other people.
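
The idea raised in the conversation above (a timestamp pattern with an optional ':' in the timezone, so one local rule covers the old syslog format as well as rsyslog and journalctl short-iso-precise output) is sketched here as an added example; it is not part of the original report or of logcheck. The old rule prefix, the sample rule, the function names and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Assumed prefix of an older local logcheck rule (traditional syslog timestamp).
OLD_PREFIX='^\w{3} [ :0-9]{11} '
# Replacement prefix: traditional format OR short-iso-precise, where the ':'
# in the timezone offset is optional (+01:00 from rsyslog, +0100 from journalctl).
NEW_PREFIX='^([[:alpha:]]{3} [ 0-9][0-9] ([0-9]{2}:){2}[0-9]{2}|[0-9]{4}-[0-9]{2}-[0-9]{2}T([0-9]{2}:){2}[0-9]{2}[.][0-9]{6}[+-][0-9]{2}:?[0-9]{2}) '

# Constructed sample lines: the same event in the three timestamp formats.
SAMPLE_LINES='Mar 16 12:45:45 host1 sshd[1234]: Connection closed by 192.0.2.10 port 50022 [preauth]
2023-03-16T12:45:45.159206+01:00 host1 sshd[1234]: Connection closed by 192.0.2.10 port 50022 [preauth]
2023-03-16T12:50:13.503482+0100 host1 sshd[1234]: Connection closed by 192.0.2.10 port 50022 [preauth]'

# Rewrite one rule: swap the old timestamp prefix for the combined one and
# leave the rest of the rule untouched. Rules without the old prefix pass through.
migrate_rule() {
    case "$1" in
        "$OLD_PREFIX"*) printf '%s%s\n' "$NEW_PREFIX" "${1#"$OLD_PREFIX"}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Count the sample lines that a rule does NOT match, i.e. the lines that would
# still show up in the logcheck mail. grep -c exits 1 on a zero count.
count_unmatched() {
    printf '%s\n' "$SAMPLE_LINES" | grep -Evc -e "$1" || true
}

# Constructed local rule in the old format.
old_rule='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Connection closed by [.0-9]+ port [0-9]+ \[preauth\]$'
new_rule=$(migrate_rule "$old_rule")

echo "unmatched with old rule:      $(count_unmatched "$old_rule")"
echo "unmatched with migrated rule: $(count_unmatched "$new_rule")"
```

Unlike dropping the timestamp from the rules, this keeps each rule anchored to a well-formed timestamp and hostname, so the rule body is not loosened.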