On Thu, 22 Feb 2024, 10:15 Ralf Schlatterbeck, <r...@runtux.com> wrote:
> On Wed, Feb 21, 2024 at 02:52:33PM +0100, Ralf Schlatterbeck wrote:
> >
> > I forgot to mention:
> > There is an upstream (rsyslog) bug-report at
> > https://github.com/rsyslog/rsyslog/issues/5332
>
> Upstream has decided that it is not a bug and that both timestamp
> formats are valid RFC 3339 (I've checked, the grammar explicitly defines
> the sub-seconds part of the timestamp as optional). See link above.
> They also think, logcheck should cope with both formats.
>
> So I guess that logcheck should be prepared to receive both kinds of
> timestamps, the 32-byte version and the 25-byte version (without the
> subseconds timestamp).
>

what is the default, and does logcheck cope with that?

there's a limit to how much to support out of the box - especially as rsyslog is no longer the default. if you configure a logger to produce a certain format it's not unreasonable to also have to edit logcheck rules accordingly

But a longer-term solution is perhaps to allow easier customisation of rules via "macros"/variables --- a proof-of-concept for this is in progress, but not yet ready for testing
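
The two timestamp forms discussed in this thread, checked against a rule prefix with and without an optional sub-seconds part. This is an added example, not part of the original messages and not logcheck's shipped rules; the patterns, host name and log lines are constructed, and the 32-byte form is assumed to carry six fractional digits.

```shell
#!/bin/sh
# Constructed POSIX ERE prefixes (grep -E syntax); not taken from logcheck.

# Strict: sub-seconds are mandatory, so only the 32-byte timestamp matches.
TS_STRICT='^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6}(Z|[+-][0-9]{2}:[0-9]{2}) '

# Tolerant: sub-seconds are optional, as the RFC 3339 grammar allows,
# so both the 32-byte and the 25-byte timestamp match.
TS_TOLERANT='^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2}) '

# Constructed sample log: 32-byte form, 25-byte form, traditional syslog form.
sample_log() {
cat <<'EOF'
2024-02-21T14:52:33.123456+01:00 host1 cron[1234]: job started
2024-02-21T14:52:33+01:00 host1 cron[1234]: job started
Feb 21 14:52:33 host1 cron[1234]: job started
EOF
}

# unmatched PREFIX: print the lines an ignore rule built on PREFIX fails to
# match, i.e. the lines that would still be reported as unexpected.
unmatched() {
    sample_log | grep -E -v -- "$1[._[:alnum:]-]+ cron\[[0-9]+\]: job started\$" || true
}

# count_unmatched PREFIX: number of lines left over by that rule.
count_unmatched() {
    unmatched "$1" | wc -l | tr -d ' '
}

echo "strict prefix leaves $(count_unmatched "$TS_STRICT") line(s) unmatched"
echo "tolerant prefix leaves $(count_unmatched "$TS_TOLERANT") line(s) unmatched"
```

With the strict prefix, the same event logged without sub-seconds is no longer filtered; the tolerant prefix leaves only the traditional syslog line.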