Hi all,
I've used logcheck for ages, to email me about potential problems from
my log files.
I end up spending a lot of time scanning the emails, and then
occasionally a bunch of time updating the filter rules to stop most of
those messages coming through.
My thought is to configure rsyslog to create extra logfiles, equivalent
to syslog and auth.log (the two files that logcheck monitors by
default), which only log messages at priority 'warning' or above, and
configure logcheck to monitor those instead. This should cut down the
amount of filter maintenance considerably.
Does this sound like a reasonable idea?
A quick test does show that I'll still get messages I can't do much
about - e.g. I telnetted to the ssh port and closed the connection, and my
logfile reported that interaction as an error. That kind of thing should
still be easily filtered, though.
I think I'd want to create a completely fresh set of filters, rather
than using the supplied defaults, but I'm not sure about that yet.
Cheers,
Richard
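The setup described in the post, written out as an added example (this is not configuration from the original message, and the file names are my own choice). It assumes a Debian-style layout where rsyslog's 50-default.conf sends `auth,authpriv.*` to /var/log/auth.log and `*.*;auth,authpriv.none` to /var/log/syslog, that rsyslog creates files as root:adm 0640 (Debian's default, which is what lets the logcheck user read them via the adm group), and that Debian's rsyslog-rotate helper exists for logrotate. The sshd line in the ignore rule is one message recent OpenSSH logs at `error` when a client disconnects before the banner exchange; the exact wording varies by version, so copy the line from your own log rather than trusting mine.

```conf
# /etc/rsyslog.d/40-logcheck-warn.conf   (hypothetical name; sort it before any
# drop-in that discards messages with "stop", or those messages never get here)
#
# Same facility split as Debian's 50-default.conf, but a bare priority in a
# selector means "that priority or more severe", so these two files only
# receive warning, err, crit, alert and emerg.
auth,authpriv.warning                   /var/log/auth-warn.log
*.warning;auth,authpriv.none            -/var/log/syslog-warn.log

# /etc/logcheck/logcheck.logfiles
# Replace the default syslog/auth.log entries so logcheck reads only the
# filtered files (logtail2 keeps its offsets per file, so the old offsets
# for syslog and auth.log simply stop being used).
/var/log/syslog-warn.log
/var/log/auth-warn.log

# /etc/logrotate.d/logcheck-warn   (hypothetical name)
# The new files are not covered by /etc/logrotate.d/rsyslog, so rotate them
# here. "create 0640 root adm" keeps them readable by the logcheck user.
/var/log/syslog-warn.log
/var/log/auth-warn.log
{
    weekly
    rotate 4
    missingok
    notifempty
    compress
    delaycompress
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}

# /etc/logcheck/ignore.d.server/local-sshd   (hypothetical name; must be owned
# by root and not group- or world-writable, or logcheck skips it)
# Example ignore rule for the "telnet to port 22 and hang up" case. The
# prefix matches the standard syslog timestamp, hostname and sshd[pid];
# the message text is an assumption and should be taken from your own log.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: error: kex_exchange_identification: Connection closed by remote host$
```

Before relying on it: `rsyslogd -N1` checks the rsyslog configuration parses, and `logcheck -o -t` runs a pass to stdout without updating the offset files, so you can see what would be mailed after the new filters are in place without consuming the log.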