[I am crossposting this to -devel since other package maintainers might be interested in this idea. If you are, please CC me in replies, I am currently not subscribed to -devel.]
Steve wrote:

> Thanks to everyone that replied. I've installed logcheck and it works
> well after a couple of iterations of weeding out the false alarms. I
> suppose it would be nice if packages could supply their own violations
> and ignore files to make this easier. For example, postfix would
> supply a violations file containing
>
> postfix/(pickup|cleanup|qmgr|smtpd): .*(fatal|warn|error)
>
> and an ignore file like
>
> postfix/pickup\[[0-9]+\]: [A-Z0-9]+: uid=[0-9]+ from=
> postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=
> postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: from=.*, size=[0-9]+
> etc ...
>
> And logcheck does a run-parts style include of all the files plus the
> defaults. Does this seem like a plausible system, and does it fit
> with the debian policy. Sorry if this is just idle speculation, I'm a
> bit of a newbie to the debian way of doing things.
>
> That said, I'd be prepared to take on implementing this if it seems
> like a good idea.

That is a very good idea. Implementing it in logcheck.sh should be fairly easy and I can do it for the next version of logcheck (I am the maintainer). But we would have to define a way for the packages to plug in their files. How about directories

  /etc/logcheck/logcheck.ignore.d
  /etc/logcheck/logcheck.violations.d
  /etc/logcheck/logcheck.violations.ignore.d
  /etc/logcheck/logcheck.hacking.d

logcheck.sh would then use the contents of the currently existing config files and all files in those directories for its searches. Would that be ok?

That should enable other packages to come up with appropriate rules for logcheck, but I have to remember that maintainers should be a bit paranoid when writing those default rules, so that administrators do not miss important messages unless they don't want to get notified.

Does anybody have an idea how this could (with minimal overhead) be implemented with the current workstation/server/paranoid scheme that logcheck is using now for its default configuration?

Maybe this could apply to other packages (which supply logcheck rules) as well.

best greets, Rene
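The rule-directory scheme proposed above, as an added shell prototype that is not part of the thread or of logcheck itself: LOGCHECK_ETC stands in for /etc/logcheck, the sample log lines and the site-wide sshd ignore rule are constructed, and the postfix violations rule is modelled on Steve's but written to allow the [pid] that syslog puts after the process name, which his ignore rules already expect.

```shell
#!/bin/sh
# Prototype of run-parts style rule merging for logcheck (constructed example).
# LOGCHECK_ETC stands in for /etc/logcheck; a throwaway directory is used.
LOGCHECK_ETC="${LOGCHECK_ETC:-$(mktemp -d)}"
# gather_rules NAME: patterns from $LOGCHECK_ETC/NAME plus every file in
# $LOGCHECK_ETC/NAME.d/, minus comments and blank lines; missing files are fine.
gather_rules() {
    cat "$LOGCHECK_ETC/$1" "$LOGCHECK_ETC/$1.d"/* 2>/dev/null | grep -Ev '^(#|$)' || true
}
# setup_rules: one site-wide default file plus postfix drop-ins (constructed).
setup_rules() {
    for d in ignore violations violations.ignore hacking; do
        mkdir -p "$LOGCHECK_ETC/logcheck.$d.d"
    done
    printf '%s\n' 'sshd\[[0-9]+\]: Accepted publickey for' > "$LOGCHECK_ETC/logcheck.ignore"
    printf '%s\n' 'postfix/(pickup|cleanup|qmgr|smtpd)\[[0-9]+\]: .*(fatal|warning|error)' \
        > "$LOGCHECK_ETC/logcheck.violations.d/postfix"
    printf '%s\n' 'postfix/pickup\[[0-9]+\]: [A-Z0-9]+: uid=[0-9]+ from=' \
                  'postfix/cleanup\[[0-9]+\]: [A-Z0-9]+: message-id=' \
                  'postfix/qmgr\[[0-9]+\]: [A-Z0-9]+: from=.*, size=[0-9]+' \
        > "$LOGCHECK_ETC/logcheck.ignore.d/postfix"
}
# classify: syslog lines on stdin -> "HACKING: ", "VIOLATION: ", "UNUSUAL: " lines.
# Each section is its own grep pass, so a violation that no ignore rule covers is
# also listed as unusual; an empty rule set matches nothing (GNU grep semantics).
classify() {
    tmp=$(mktemp -d)
    for r in hacking violations violations.ignore ignore; do
        gather_rules "logcheck.$r" > "$tmp/$r"
    done
    cat > "$tmp/log"
    grep -E -f "$tmp/hacking" "$tmp/log" | sed 's/^/HACKING: /'
    grep -E -f "$tmp/violations" "$tmp/log" | grep -Ev -f "$tmp/violations.ignore" \
        | sed 's/^/VIOLATION: /'
    grep -Ev -f "$tmp/ignore" "$tmp/log" | sed 's/^/UNUSUAL: /'
    rm -rf "$tmp"
}
# sample_log: constructed syslog excerpt for the demo run below.
sample_log() {
    printf '%s\n' \
        'Jan  5 10:00:01 mail postfix/pickup[1234]: 7F3A1B2C3D: uid=1000 from=<alice>' \
        'Jan  5 10:00:02 mail postfix/smtpd[1240]: warning: hostname example.invalid does not resolve' \
        'Jan  5 10:00:03 mail sshd[1300]: Accepted publickey for bob from 192.0.2.10 port 5555 ssh2' \
        'Jan  5 10:00:04 mail sshd[1301]: Failed password for root from 192.0.2.11 port 5556 ssh2'
}
setup_rules
sample_log | classify
```

Only the smtpd warning and the failed root login are reported; the pickup line is explained by the postfix drop-in and the publickey login by the site default, and the empty hacking set yields no section.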

