Home / server / Questions / 676643
In Process
vautee
Asked: 2015-03-20 01:12:09 +0800 CST

systemd logcheck rule not working

  • 772

given is this logcheck rule:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user [^[:space:]]+\.$

and this log entry:

Mar 19 09:16:09 horst kernel: [3257039.867032] <38>systemd-logind[193047]: New session 24987 of user icinga.

These don't seem to match, unfortunately I cannot find a matching (sic) rule for the <38> thing. And yes, this seems to be a static number.

logging

1 Answers

  1. Where the <38> comes from

    in RFC 3164, the heading 4.1.1 PRI Part describes the function of <38>. It is the facility and severity of the message combined into one number:

    facility * 8 + severity = 38
facility = 4 = "AUTH"
severity = 6 = "INFO"

    This number is normally stripped off by the syslog daemon before writing it to a file.

    How to fix the regular expression

    The best way to find the problem in this case is to compare the regular expression to the line part by part. You did not match the kernel: [123.456] part:

    ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:] .-]+\] <38>systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user [^[:space:]]+\.$
    • 0