On Tue, 14 Jan 2014 13:33:25 +0100 Arne Wichmann <a...@linux.de> wrote:
> There is one thing I would like to have in logcheck for quite a long time > already: > > Invent a mechanism by which a pattern is only mailed (or not mailed) if > another pattern was seen a given time before it (or also possibly after > it). > > For example I would like to make reboots invisible on some machines, but I > do want to see it if the sshd terminates as long as the machine is not > rebooting. Hi - It's a shame no-one replied to this bug in 10 years: let's change that now. The only realistic way i can see this working is to have some kind of pre-processing of log entries. I'm thinking you would write a pre-processor that takes each line in the log and look back in the journal (or syslog) for related lines -- i dont think we'd want to implement that in logcheck, as it would be a whole other project to write, but we could allow the user to do it. There are several reasons to make logcheck configurable to pre-processing ( - work on this is in progress. watch this space!). You can maybe even today do this with post-processing by writing a 'syslog-summary' script - again this would need the user to write their own code. (I think the point in the last para is basically solved by using systemd, which makes it much easier to restart daemons when they crash) In the absence of other suggestions, i suggest we implement configurable pre-processing, leave syslog-summary support in place and close this bug.
