On Thu, Feb 22, 2024 at 07:01:05PM +0000, Richard Lewis wrote:
> >
> > So I guess that logcheck should be prepared to receive both kinds of
> > timestamps, the 32-byte version and the 25-byte version (without the
> > subseconds timestamp).
>
> what is the default, and does logcheck cope with that? there's a limit to
> how much to support out of the box - especially as rsyslog is no longer the
> default.

The current default of Debian's rsyslog (after a long time where it was
the 'traditional' format) is now RFC 3339 timestamps. This comes in two
variants, with or without the sub-seconds part. Logcheck only supports
the variant *with* sub-seconds.

By default, logcheck supports the 'traditional' format and the 32-byte
header, the pattern in most logcheck rules is

    ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32})

The first alternative matched by this is something like

    Feb 18 00:01:36

while the second is

    2024-02-16T20:59:34.218904+01:00

The short form also produced by rsyslog is

    2024-02-16T22:06:02+01:00

The third (short) form with no sub-seconds part is currently not matched
by logcheck. You might want to simply set the match pattern to

    ^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{25,32})

Although rsyslog would probably never produce it, RFC 3339 allows the
sub-seconds part to be short (min 1 digit). There is no maximum in
RFC 3339 but RFC 5424 prohibits more than 6 digits:
https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3.1
For RFC 3339 see p.7 section 5.6 in
https://www.rfc-editor.org/rfc/rfc3339#section-5.6

So it makes sense to match a range of lengths.

> if you configure a logger to produce a certain format it's not unreasonable
> to also have to edit logcheck rules accordingly

I'm talking about the new Debian rsyslog package's default.
And, yes, but that would mean to edit logcheck rules for each installed
package? And the new default of the rsyslog package is the two variants
of RFC 3339. Unfortunately the default for remote logging does *not*
transmit the sub-seconds part. So you end up with two timestamp formats
in the same logfile. Which is fine according to the syslog standard in
RFC 5424.

> But a longer-term solution is perhaps to allow easier customisation of
> rules via "macros"/variables --- a proof-of-concept for this is in
> progress, but not yet ready for testing

Nice!

Thanks
Ralf
-- 
Dr. Ralf Schlatterbeck              Tel:   +43/2243/26465-16
Open Source Consulting              www:   www.runtux.com
Reichergasse 131, A-3411 Weidling   email: off...@runtux.com
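
The effect of the two prefixes on the timestamp forms discussed above, as an added example that is not part of the original message: it runs both patterns through grep -E, the matcher logcheck rules are written for, over constructed log lines. The host name, the sshd tag, the message text and the rule tail are made up; the 27-byte timestamp illustrates the one-digit sub-second case RFC 3339 allows.

```shell
#!/bin/sh
# Timestamp prefixes quoted in the message: current ({32}) and proposed ({25,32}).
OLD='^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32})'
NEW='^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{25,32})'

# Constructed rule tail (host, tag, message) appended to a prefix,
# giving the usual "prefix host tag: message" layout of an ignore rule.
TAIL=' [._[:alnum:]-]+ sshd\[[0-9]+\]: constructed test line$'

# Constructed log lines: host1, sshd[1234] and the message are made up.
# Timestamps: traditional, 32-byte, 25-byte, and RFC 3339 with a single
# sub-second digit (27 bytes).
samples() {
    cat <<'EOF'
Feb 18 00:01:36 host1 sshd[1234]: constructed test line
2024-02-16T20:59:34.218904+01:00 host1 sshd[1234]: constructed test line
2024-02-16T22:06:02+01:00 host1 sshd[1234]: constructed test line
2024-02-16T22:06:02.5+01:00 host1 sshd[1234]: constructed test line
EOF
}

# Print the sample lines that the rule built from prefix $1 fails to match.
# grep exits 1 when every line matches, hence the "|| true".
unmatched() {
    samples | grep -Ev -- "$1$TAIL" || true
}

# Number of sample lines left unmatched by prefix $1.
count_unmatched() {
    echo $(( $(unmatched "$1" | wc -l) ))
}

# Report, for each prefix, which sample lines would fall through the rule.
for prefix in "$OLD" "$NEW"; do
    printf '%s\n  -> %s line(s) unmatched\n' "$prefix" "$(count_unmatched "$prefix")"
    unmatched "$prefix" | sed 's/^/     /'
done
```

Lines that no ignore rule matches end up in the logcheck report, so with the {32} prefix the lines carrying the shorter timestamps are reported even though a rule exists for them.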