
Thoughts on logcheck?


Richard Hector

Jul 29, 2022, 12:40:05 AM
Hi all,

I've used logcheck for ages, to email me about potential problems from
my log files.

I end up spending a lot of time scanning the emails, and then
occasionally a bunch of time updating the filter rules to stop most of
those messages coming through.

My thought is to configure rsyslog to create extra logfiles, equivalent
to syslog and auth.log (the two files that logcheck monitors by
default), which only log messages at priority 'warning' or above, and
configure logcheck to monitor those instead. This should cut down the
amount of filter maintenance considerably.

Does this sound like a reasonable idea?

A quick test does show that I'll still get messages I can't do much
about - eg I telnetted to the ssh port and closed the connection, and my
logfile reported that interaction as an error. That kind of thing should
still be easily filtered, though.

I think I'd want to create a completely fresh set of filters, rather
than using the supplied defaults, but I'm not sure about that yet.

Cheers,
Richard
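As an added example (not something posted in this thread), here is one way to express the split described above in rsyslog's classic selector syntax. It assumes a Debian-style default ruleset, where auth.log is fed by `auth,authpriv.*` and syslog by `*.*;auth,authpriv.none`; the drop-in file name and the two new log file paths are chosen here for illustration and are not given in the thread.

```conf
# /etc/rsyslog.d/10-logcheck-warn.conf  (example file name, assumed)
#
# Same facility selectors as the stock syslog / auth.log rules, but with the
# priority floor raised to 'warning'. A selector like "*.warn" matches
# warning AND everything more severe (err, crit, alert, emerg).
# The originals keep writing the full logs, so nothing is lost.

# auth.log equivalent: authentication facilities, warning or above
auth,authpriv.warn          /var/log/auth-warn.log

# syslog equivalent: everything else, warning or above, auth excluded
# (the leading '-' means buffered writes, matching the default syslog rule)
*.warn;auth,authpriv.none   -/var/log/syslog-warn.log
```

After `systemctl restart rsyslog`, point logcheck at the new files (on Debian the monitored list lives in `/etc/logcheck/logcheck.logfiles`, where the two default entries would be replaced by `/var/log/syslog-warn.log` and `/var/log/auth-warn.log`), and add a logrotate stanza mirroring the one for syslog so the new files do not grow unbounded. A quick check is `logger -p user.warning "warn test"` followed by `logger -p user.info "info test"`; only the first line should appear in syslog-warn.log. The caveat that follows from Andy's reply below: the priority is chosen by the sending program, not by rsyslog, so anything a daemon reports at info or notice disappears from logcheck's view entirely. OpenSSH, for instance, logs both accepted and failed logins at priority info, so a brute-force attempt against sshd would no longer be seen through this route and would need to be caught from the full auth.log or by a separate tool.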

Andy Smith

Jul 29, 2022, 6:30:05 PM
Hello,

On Fri, Jul 29, 2022 at 04:30:19PM +1200, Richard Hector wrote:
> My thought is to configure rsyslog to create extra logfiles, equivalent to
> syslog and auth.log (the two files that logcheck monitors by default), which
> only log messages at priority 'warning' or above, and configure logcheck to
> monitor those instead. This should cut down the amount of filter maintenance
> considerably.
>
> Does this sound like a reasonable idea?

Personally I wouldn't (and don't) do it. It sounds like a bunch of
work only to end up with things that get logged anyway (as you
noted) plus the risk of missing other interesting things.

I don't find writing logcheck filters to be a particularly big time
sink. But if you do then it might alter the balance for you.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Richard Hector

Jul 30, 2022, 4:50:06 AM
On 30/07/22 10:20, Andy Smith wrote:
> Hello,
>
> On Fri, Jul 29, 2022 at 04:30:19PM +1200, Richard Hector wrote:
>> My thought is to configure rsyslog to create extra logfiles, equivalent to
>> syslog and auth.log (the two files that logcheck monitors by default), which
>> only log messages at priority 'warning' or above, and configure logcheck to
>> monitor those instead. This should cut down the amount of filter maintenance
>> considerably.
>>
>> Does this sound like a reasonable idea?
>
> Personally I wouldn't (and don't) do it. It sounds like a bunch of
> work only to end up with things that get logged anyway (as you
> noted) plus the risk of missing other interesting things.

I started by enabling the extra logs on one system. I found I saw _more_
interesting things, because they weren't hidden by mountains of other
stuff. That's in the boot-time kernel messages, btw. I only got 14 lines
(total, not filtered by logcheck) when I was only showing warning or
higher, rather than the screeds I normally see. I never had time to go
through all those, even to read and understand them, let alone write
filters, and having to decide what was important, what not, and whether
the same messages with different values would be.

I think this will be useful to me, and the work isn't much because it's
the same for every system (or at least every system that runs logcheck),
which I can push out with ansible, where the filters have to be much
more system- (or service-)specific.

The full logs are of course still there if I need to go back and look
for something.

> I don't find writing logcheck filters to be a particularly big time
> sink. But if you do then it might alter the balance for you.

Thanks for your input :-)

Richard