Package: logcheck
Version: 1.3.23
Severity: normal

I received an email for some chatter from systemd:

System Events
=-=-=-=-=-=-=
Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.

And indeed this line does exist in /var/log/syslog:

# grep "Finished Cleanup" /var/log/syslog
Aug 28 13:58:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
Aug 29 13:59:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.

However, this is already matched by a rule:

# cd /etc/logcheck/ignore.d.server/
# grep Cleanup local-systemd
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting Cleanup of Temporary Directories...$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Started Cleanup of Temporary Directories.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories.

And the rule _does_ work:

# logcheck-test -l /var/log/syslog -r local-systemd | grep Cleanup
Aug 28 13:58:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
Aug 28 13:58:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
Aug 29 13:59:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
Aug 29 13:59:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
Aug 30 14:00:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.

So the rule to ignore the 'Finished' line on August 30th, 14:00:24 does work,
and yet the email was sent anyway.

This is not the only occurrence; I've also seen the same thing with the line
"Starting Daily man-db regeneration..." from systemd on the same system. But in
general, the hundreds of other rules I've created work fine.

I haven't altered how logcheck is run via cron or changed the configuration
files from the default installed by Debian.

Thanks for looking at this!


-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-17-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                       3.118
ii  cron [cron-daemon]            3.0pl1-137
ii  lockfile-progs                0.1.18
ii  logtail                       1.3.23
ii  mime-construct                1.11+nmu3
ii  rsyslog [system-log-daemon]   8.2102.0-2+deb11u1
ii  ssmtp [mail-transport-agent]  2.64-10

Versions of packages logcheck recommends:
ii  logcheck-database  1.3.23

Versions of packages logcheck suggests:
pn  syslog-summary  <none>

-- no debconf information

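Added example, not part of the original report and not logcheck's own code: a shell version of the check the report runs with logcheck-test, showing how many log lines each ignore rule matches and which lines survive the whole rule file. It assumes the ignore stage behaves like `grep -E -v -f` with GNU grep; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not logcheck's code. Assumption: an ignore file is applied
# like `grep -E -v -f FILE` once comments and blank lines are dropped.

# clean_rules FILE: rules without comments and blank lines
# (an empty pattern passed via grep -f would match every log line).
clean_rules() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" || [ "$?" -eq 1 ]
}

# rule_hits RULES LOG: one "count<TAB>rule" line per rule.
rule_hits() {
    clean_rules "$1" | while IFS= read -r rule; do
        n=$(grep -E -c -e "$rule" "$2") || [ "$?" -eq 1 ]
        printf '%s\t%s\n' "$n" "$rule"
    done
}

# leftover RULES LOG: log lines no rule matches, i.e. what would be mailed.
leftover() {
    tmp=$(mktemp) && clean_rules "$1" > "$tmp"
    grep -E -v -f "$tmp" "$2" || [ "$?" -eq 1 ]
    rm -f "$tmp"
}

# unanchored RULES: rules missing the leading ^ or the trailing $.
unanchored() {
    clean_rules "$1" | grep -v -E '^\^.*\$$' || [ "$?" -eq 1 ]
}

# make_sample DIR: constructed sample built from lines quoted in the report.
make_sample() {
    cat > "$1/rules" <<'EOF'
# constructed copy of the three rules shown in the report
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Starting Cleanup of Temporary Directories...$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Started Cleanup of Temporary Directories.$

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Finished Cleanup of Temporary Directories.
EOF
    cat > "$1/log" <<'EOF'
Aug 30 14:00:24 lxc2 systemd[1]: Starting Cleanup of Temporary Directories...
Aug 30 14:00:24 lxc2 systemd[1]: Finished Cleanup of Temporary Directories.
Aug 30 14:00:25 lxc2 systemd[1]: Starting Daily man-db regeneration...
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
rule_hits "$dir/rules" "$dir/log"
leftover "$dir/rules" "$dir/log"
rm -rf "$dir"
```

Running the same functions over the real rule file and the exact log file and offset range that the cron run reads narrows down whether the rule file or the input differs between logcheck-test and the scheduled run.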