Home / server / Questions / 526950
In Process
Alex
Asked: 2013-07-29 23:21:53 +0800 CST

Finding out which log line triggered a logcheckd notification?

  • 772

We are using the logcheck package in Debian for log-monitoring.

If I understand it correctly, logcheck monitors the logs, filters out known (normal & unimportant) messages and triggers a mail if any message occurs which might indicate a problem.

Logcheck is sending me an excerpt of the log (System Events). But the log does not look suspicious. It contains messages like:

Jul 31 08:22:03 example pop3d: Connection, ip=[::ffff:123.456.789.123]

I think logcheck sends also the surrounding part of the log if there is a line that triggered the notification - but how can I find out, which exact line triggered this mail?

linux

1 Answers

  1. One way to check the status of the log-checking is to copy all your rules to a file, and then use egrep for the analysis:

    # First of all:
cat /etc/logcheck/ignore.d.server/ > /tmp/logcheckrules

# color last 10 log lines. Darken matches (which would not trigger a warning)
tail -n10 /var/log/syslog | GREP_COLOR=30 egrep --color -f /tmp/lcd

# When you have a single line and what to check wether your regex is working:
tail n-10 /var/log/syslog | GREP_COLOR=32 egrep --color "singleRegExpGoesHere"

    It turned out that in the end lots of those messages we received, triggered log check.

    On the system there is a "courier-pop" file - but this matches for courierpop3login. So we simply copied this file and changed the string to pop3d.

    The commands

    cat /var/log/syslog|egrep -v -f /etc/logcheck/ignore.d.server/LOCAL

    to show, what is not yet filtered in this file

    cat /var/log/syslog|egrep -f /etc/logcheck/ignore.d.server/LOCAL

    to show what matches the rules of a file, or even

    cat /etc/logcheck/ignore.d.server/* | egrep -v -f /dev/stdin /var/log/syslog

    to see what is not filtered by any rules,

    are quite helpful for debugging.

    • 1