On Thu, 16 Mar 2023, 13:40 Holger Levsen, <hol...@layer-acht.org> wrote:
> On Thu, Mar 16, 2023 at 01:31:37PM +0000, Richard Lewis wrote: > > I dont understand - logcheck rules cater for both formats since 1.4.1 > iirc > > and this is already explained in NEWS.Debian. (and i thought that > included > > instructions for updating local rules in that) > > it's not. just checked the NEWS from 1.4.2 and it only explains > that systemd's journal is now also checked. no word about different time > formats. > Is it not the first entry, from version 1.4.0 from dec 2022 in /usr/share/doc/logcheck-database/README.logcheck-database.gz ?? at least on my system it is there. i think my version is non-standard (systemd unit is coming for trixie) While I can sort of see an argument for putting this in logcheck's news instead (or as well) that doesnt seem correct to me...logcheck-database is what provides the rules for normal users - it is recommended by logcheck. I would assume people not using it know what they are doing. If you really want to catch all users shouldnt it be in rsyslog's NEWS.Debian ? What do you think the best way forward is? (I do intend to write something for debian's release notes about the rsyslog change, if no-one else does.) The wider issue is that logcheck has not been a package that works out of the box without significant configuration and has had minimal attention for several debian releases. we are trying to change that, but please give us some time while we understand the gap - i think debian is slightly fortunate to be releasing bookworm with a logcheck package that works at all I suspect most of the rules in debian are so old they never match anything, and there are definitely many updates needed. but i dont think anyone has the desire to do so before bookworm. i personally dont think it is worth even contemplating that work until we have revised the way rules are selected and the format they use.
