[Logcheck-devel] Re: logcheck

maks attems debian at sternwelten.at
Mon Oct 18 08:51:38 UTC 2004


hello,

please ask such questions on logcheck-devel,
everyone from the team is reading it.
thanks.

On Fri, 15 Oct 2004, martin f krafft wrote:

> for debianbook.madduck.net, i have three questions about logcheck:
> 
>   - do you officially advocate to use local-* files for manually
>     created rule files?

yes,
personally i prefer several local-* files contra one big local file.
both are used.
local file rules won't be overwritten by newly added
packages rules.
 
>   - are local-* files treated specially in any way?

no, same as any other rule file.

 
>   - previously, the name of the violations.ignore.d rule file had to
>     be the same as the one in violations.d to be able to override
>     a rule. is this still the case, or would
> 
>       violations.d/foo:        "attack.*"
>       violations.ignore.d/bar: "attack\.org"
> 
>     cause an occurrence of attack.org to be ignored?

well, you're touching the still obscure corners of logcheck.
i'm wondering if that is documented, will look later:
~/src/logcheck$ egrep raise -r docs/ || echo "nothing" 
nothing

if you want to raise patterns with `violations/foo', 
you have 4 choices to ignore them:
* violations.ignore.d/foo
* violations.ignore.d/logcheck-foo
* violations.ignore.d/local-*
* violations.ignore.d/local

so you are correct violations.ignore.d/bar won't be of much good.

current infos on how to write rules are documented in
/usr/share/doc/logcheck-database/README.logcheck-database.gz


hope that helps?

 
--
maks
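
The name-matching rule described in this reply, modelled as an added shell example that is not part of the original message and not logcheck's own code. The function names, the temporary directory layout and the two log lines are constructed for illustration, and the filtering with `grep -E` is an assumption about how raise and ignore layers combine.

```shell
#!/bin/sh
# Model of the name-matching rule from the mail; not logcheck's own code.

# Print the ignore files that apply to violations.d/NAME ($1=ruledir, $2=NAME).
ignore_files_for() {
    dir="$1/violations.ignore.d"
    for f in "$dir/$2" "$dir/logcheck-$2" "$dir"/local-* "$dir/local"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print log lines raised by a violations.d file and not removed by an
# ignore file whose name applies to it ($1=ruledir, $2=logfile).
# Paths are assumed to contain no whitespace.
report() {
    for v in "$1"/violations.d/*; do
        [ -f "$v" ] || continue
        raised=$(grep -E -f "$v" "$2") || continue
        for ign in $(ignore_files_for "$1" "$(basename "$v")"); do
            raised=$(printf '%s\n' "$raised" | grep -E -v -f "$ign") || break
        done
        [ -n "$raised" ] && printf '%s\n' "$raised"
    done
    return 0
}

# Constructed demo of the foo/bar case; $1 is the ignore file's name.
demo() {
    d=$(mktemp -d)
    mkdir "$d/violations.d" "$d/violations.ignore.d"
    printf '%s\n' 'attack.*' > "$d/violations.d/foo"
    printf '%s\n' 'attack\.org' > "$d/violations.ignore.d/$1"
    printf '%s\n' 'host sshd: attack from 192.0.2.7' \
                  'host named: lookup attack.org' > "$d/log"
    report "$d" "$d/log"
    rm -rf "$d"
}

for n in bar foo logcheck-foo local-site local; do
    echo "== violations.ignore.d/$n =="
    demo "$n"
done
```

With the ignore pattern in `bar` both lines are still reported; with any of the four applicable names only the sshd line remains.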
