I’ve been a big fan of logcheck for monitoring my servers, when properly configured it works very well and is pretty flexible. Unless you are using a centralized logging system such as Splunk most of us are guilty of not thoroughly checking our logs. I like to use logcheck to perform a simple audit of what my systems are up to, it’s not perfect but certainly better then nothing.
My configuration has been tweaked a bit, adding some custom regex’s for ignoring a few common items. I found a nice debugging tip on a old posting from the logcheck-devel mailing list which mentions using egrep to test new rules:
cat <logfile> | egrep -v -f /etc/logcheck/ignore.d.workstation/regex
This has saved me a lot of time and frustration when making the final tweaks to a regex. However, recently I had some difficulties ignoring what seemed to be particularly stubborn security events. From best I could tell, grep suggested that my expression was filtering properly, yet logcheck was still reporting on these events. Finally reading through the README I discovered patterns cancelling security alarms must be places in violations.ignore.d, not ignore.d.workstation/server. Something to be mindful of.
I’ve used this command trick a lot as well. Tip (less to type and no pipe) egrep -v -f ./logcheck.rule /var/log/$logfile
grep and awk and sed and such have an option to directly work on a file instead of catting everything. Just a tip!
Yes my example certainly qualifies for a “useless invocation of cat” award, I just grabbed the code from a script where I was testing multiple logfiles at the same time. Thanks for pointing it out!