Bug#1031786: logcheck: Filtering not working with entries from journald

Helge Kreutzmann Wed, 22 Feb 2023 09:51:15 -0800

Package: logcheck
Version: 1.4.1
Severity: grave
Justification: renders package unusable


The change for #1025719 broke logcheck massively.

I've extensivly tuned logcheck files which nicely filter out lots of
messages (see statistics at the end).

Now I see them all again (only those comming from the journal). 

I don't see any information what I should do for migration.

Let's use a trivial example. The following harmless message is emitted
by courier to the journal:
Feb 22 16:37:40 meinfjell courierd[401638]: Installing uucp

In syslog this is:
syslog:2023-02-22T14:37:40.491690+00:00 meinfjell courierd: Installing uucp

I have the following in 
/etc/logcheck/ignore.d.server:
meinfjell courierd: Initializing uucp


As you can see, the message from the journal is slightly different
than from syslog, breaking tons of rules.

If such a feature is introduced, it should definitely have a switch so
that admins can decide when to change (requires adapting many rules).
Filtering both looks very impractical.

For statistics:
On my local system, I have 11396 lines of rules, on my server system
currently 2721 (I'm in the processing of setting this up, so this will
grow).


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.9 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to de_DE.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages logcheck depends on:
ii  adduser                                    3.131
ii  cron [cron-daemon]                         3.0pl1-156
ii  exim4-daemon-light [mail-transport-agent]  4.96-14
ii  lockfile-progs                             0.1.19
ii  logtail                                    1.4.1
ii  mime-construct                             1.12+really1.11-1

Versions of packages logcheck recommends:
ii  logcheck-database  1.4.1

Versions of packages logcheck suggests:
ii  rsyslog [system-log-daemon]  8.2212.0-1

-- Configuration Files:
/etc/logcheck/header.txt [Errno 13] Keine Berechtigung: 
'/etc/logcheck/header.txt'
/etc/logcheck/logcheck.conf [Errno 13] Keine Berechtigung: 
'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Keine Berechtigung: 
'/etc/logcheck/logcheck.logfiles'
/etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Keine 
Berechtigung: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Keine 
Berechtigung: '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'

-- no debconf information

-- 
      Dr. Helge Kreutzmann                     deb...@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/

signature.asc
Description: PGP signature

Bug#1031786: logcheck: Filtering not working with entries from journald

Reply via email to