On Thu, 16 Mar 2023, 12:21 Holger Levsen, <hol...@debian.org> wrote:

> since bookworm rsyslog defaults to timestamps in short-iso-precise format,
> while logcheck rules (and journald) still default to the old rule format,

I don't understand - logcheck rules cater for both formats since 1.4.1 iirc and this is already explained in NEWS.Debian. (and i thought that included instructions for updating local rules in that)

can you clarify what the request for logcheck is here? Did you maybe not upgrade logcheck-database to latest version?

> and while the default logcheck rules in the package are easily switched,
> this poses problems for larger installations with local logcheck rules
> used on systems running different suites.

the longer term solution is perhaps macros in rules, which may happen in trixie. then rules can start ^@TIMESTAMP @HOSTNAME:.....$ (or whatever syntax is chosen) and you could set TIMESTAMP to whatever you liked....

> <mbiebl> | h01ger: I wasn't aware that logcheck checks the journal until 2 weeks ago someone asked about it
> <mbiebl> https://github.com/systemd/systemd/issues/26639 was the result of this discussion
> <h01ger> yeah, it's a new feature (and sensible! i want it!)

it's actually not a new feature, was possible in at least bullseye, just enabled it by default recently given the downgrade of rsyslog

> <h01ger> mbiebl: issues/26639 seems sensible too. will/shall that land in bookworm?
> <mbiebl> atm, it doesn't look like
> <h01ger> dropping timestamps from all logcheck rules could mitigate this and is an easy way to run mixed suite setups

not sure the package should drop the prefixes,

> <h01ger> though it makes me wonder why i kept those for the last 10 or so years, if they now suddenly are not needed ;)
> <h01ger> breaking habits..
> <mbiebl> maybe you could make the existing parsing/regexps work with both formats
> <mbiebl> 2023-03-16T12:45:45.159206+01:00
> <mbiebl> vs
> <mbiebl> 2023-03-16T12:50:13.503482+0100
> <mbiebl> you'd basically just need an optional ':' in the timezone information
> <mbiebl> that is rsyslog and journalctl --output=short-iso-precise
> <h01ger> doesn't help with systems not yet running bookworm.
> <h01ger> (and those are not all running bullseye either, but older releases too)
> <mbiebl> I thought this was about fixing it in bookworm
> <h01ger> well, it's also about using logcheck for all 'my' systems. i (co-)maintain several setups using logcheck...
> <h01ger> and i'm sure i'm not the only one who'll encounter this
> <h01ger> since when do both rsyslog and journalctl support --output=short-iso-precise ?
> <h01ger> #475303 is from 2008, so i assume changing rsyslog format for old systems could work
> <mbiebl> rsyslog uses rfc 3339 by default since bookworm (has supported for 10+years), journald supports short-iso-precise since I can remember
> <h01ger> cool, so i'll switch to short-iso-precise everywhere at once
> <mbiebl> systemd, just checked: since v234
> <h01ger> i guess this could be a NEWS entry for logcheck
> <mbiebl> | h01ger: so you'd miss o-o-stable (v232)
> <h01ger> mbiebl: can i put this conversation in a wishlist bug against logcheck, asking to document this in NEWS?
> <mbiebl> It was my impression that logcheck changed the regexps which match the timestamps in a way that both matched the old and new format?

yes!
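
The optional ':' in the timezone suggested in the quoted IRC log, as an added example that is not part of the original message and not logcheck's shipped rules: a shell check of how a local ignore rule behaves with a prefix that requires the ':' versus one that makes it optional. The variable names, the function, the rule body and the sample log lines are assumptions constructed for illustration; the two ISO timestamps are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical names); not logcheck's own rule prefix.

# Traditional syslog stamp, e.g. "Mar 16 12:45:45" (day may be space-padded).
TS_OLD='[[:alpha:]]{3} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2}'
# ISO date and time with microseconds, shared by both ISO variants.
TS_ISO_BASE='[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6}'
HOST=' [._[:alnum:]-]+ '

# Strict: UTC offset must be written +HH:MM (rsyslog in bookworm).
PREFIX_STRICT="^(${TS_OLD}|${TS_ISO_BASE}[+-][0-9]{2}:[0-9]{2})${HOST}"
# Tolerant: ':' optional, so +HHMM from
# journalctl --output=short-iso-precise matches as well.
PREFIX_BOTH="^(${TS_OLD}|${TS_ISO_BASE}[+-][0-9]{2}:?[0-9]{2})${HOST}"

# A local ignore rule body (constructed), appended to the prefix.
RULE='sshd\[[0-9]+\]: Server listening on [.0-9]+ port [0-9]+\.$'

# Constructed sample log: same event in three stamp formats, plus one
# line no rule should match.
SAMPLE='Mar 16 12:45:45 host1 sshd[812]: Server listening on 0.0.0.0 port 22.
2023-03-16T12:45:45.159206+01:00 host2 sshd[812]: Server listening on 0.0.0.0 port 22.
2023-03-16T12:50:13.503482+0100 host3 sshd[812]: Server listening on 0.0.0.0 port 22.
2023-03-16T12:51:02.000001+01:00 host2 sshd[999]: Unrecognised event'

# count_unmatched PREFIX RULE: read log lines on stdin and print how many
# are NOT covered by the rule, i.e. how many would end up in the report.
count_unmatched() {
    grep -Ev -- "$1$2" | awk 'END { print NR }'
}

strict=$(printf '%s\n' "$SAMPLE" | count_unmatched "$PREFIX_STRICT" "$RULE")
both=$(printf '%s\n' "$SAMPLE" | count_unmatched "$PREFIX_BOTH" "$RULE")
echo "reported with strict prefix:   $strict"
echo "reported with tolerant prefix: $both"
```

With the strict prefix the `+0100` line falls through the ignore rule and is reported as noise; with the tolerant prefix only the genuinely unmatched line remains.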