On Friday 21 July 2023 at 23:32, Richard Lewis <richard.lewis.deb...@googlemail.com> wrote:
> I suppose the timestamp difference is because the journal 'gets' the
> message, and then forwards it to rsyslog which then creates its own
> timestamp, so even if systemd and rsyslog would agree a common format,
> this will always be an issue.

Yes, that's what I thought too.

> Personally, i would just tell rsyslog to use the less precise format,

The more precise format has been the default in rsyslog for quite some time.

> (or stop using rsyslog entirely).

I quite like my old habits wrt to /var/log/* :p

But I now understand that all that is logged via rsyslog comes from systemd-journald anyway, so there's actually no point for logcheck to check both rsyslog files and the journal! I instructed logcheck to only look at the journal, and I therefore no longer have my "duplicates" problem.

Maybe that should be the new default for the logcheck package, or at least having some explicit documentation about it?

> This might be overkill, but we could make the pre-processing of log
> files be more customisable, so the user could choose whatever mangling
> of timestamps, whitespace and/or sorting they want.

[...]

The possibility of setting JOURNALCTL_OPTS would be great! I think the pre/post-processing customisation is a good idea too, to move all that logic from the code to the configuration.

--
Thomas Parmelan