On Fri, 3 May 2024, 12:44 Francesco Potortì, <poto...@isti.cnr.it> wrote:

>
> > One cure would be to have logcheck ignore user-level messages, and only
> care about system-level ones.  Is that possible?
> >
> > maybe it is possible - how do you define "system-level message"?
>
> Those created by root-owned processes, that would be a good start.  I
> definitely care about Sshd messages, much less about Gvfsd ones, and even
> less by those generated by Telegram running over Snapd.  For some reason,
> the problem has vastly increased after the advent of systemctl.
The options seem to be

1. you make a local rule that ignores all messages from known culprits --
so you might just want to do a version of
"^timestamp hostname (Telegram|gvfsd)". This works today, but does need you
to know what you want to ignore

2. you tell logcheck to not check the journal at all - also possible today:
simply remove "journal" from the file in /etc/logcheck/logcheck.logfiles.d
(I don't know if this is that helpful!)

3. I have work in progress to allow you to tell logcheck to only check a
subset of the journal by passing arguments to journalctl. Looking at the
journalctl man-page:
 --unit ssh.service will only show messages from ssh
eg --system might exclude things  like telegram (untested!)
eg --priority might also be helpful
eg _UID=0 might select only things run by root (but that would probably
exclude things run by special users like apache)
eg --priority might also help?

This needs a small change in logcheck to make JOURNALCTL_OPTS settable from
the config file - this is WiP already! (logcheck currently hardcodes this
to an empty array)

other thoughts:
- we could definitely make logcheck only report the first N lines. I can
broadly see how to implement this. You can almost do this today by making a
"syslog-summary" script!

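To show what option 1 above looks like in practice, here is an added example (not from the thread, and not logcheck's own code) that applies a local ignore rule of the "^timestamp hostname (Telegram|gvfsd)" form over a few constructed syslog-format lines, the same way logcheck drops lines matching any extended regex in its ignore files. The hostname "myhost", the sample messages and the temporary file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example: filter constructed journal/syslog lines with a
# logcheck-style ignore rule (one extended regex per line; a line that
# matches any rule is dropped, the rest is reported).

WORKDIR=$(mktemp -d)

# Constructed sample of the syslog-format view logcheck checks.
cat > "$WORKDIR/checked.log" <<'EOF'
May  3 12:40:01 myhost sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
May  3 12:40:05 myhost gvfsd[2345]: cannot open display
May  3 12:40:07 myhost Telegram[3456]: Gtk-Message: Failed to load module
May  3 12:40:09 myhost sshd[1235]: Failed password for invalid user bob from 198.51.100.7 port 44444 ssh2
EOF

# Local ignore rule: anchored timestamp, then hostname, then the program
# names to drop. Keeping the anchor and the "[pid]:" tail avoids matching
# a message that merely mentions the word "Telegram" somewhere in its body.
cat > "$WORKDIR/local-ignore" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ (Telegram|gvfsd)\[[[:digit:]]+\]:
EOF

# Lines that survive the ignore rules, i.e. what logcheck would report.
report_lines() {
    grep -E -v -f "$WORKDIR/local-ignore" "$WORKDIR/checked.log"
}

# Number of reported lines (tr strips the padding some wc versions print).
count_reported() {
    report_lines | wc -l | tr -d ' '
}

report_lines
```

Running it prints only the two sshd lines; the gvfsd and Telegram noise is gone, but, as noted in the reply, only because you already knew those two program names.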