[Logcheck-devel] Integrating rules from other packages back into logcheck

Eric Evans eevans at sym-link.com
Sat Jun 4 20:01:33 UTC 2005


> On Fri, 03 Jun 2005, Eric Evans wrote:
> > IMO, the more package maintainers we can get to manage their own rules,
> > the better. Not to save us work, but because they likely know the
> > software they are packaging better than we do.
> > 
> > There is nothing that says that we can't audit rules that are included
> > in other packages and submit patches to the BTS.
> 
> naaa,
> other package maintainers don't care about logcheck rules.
> they either get it by a random bug submitter or by patches
> of one of us, and then they even get it wrong,
> see the ntpdate case.

My first thought when reading this was, "Do we have a metric for how often
they get it right?". Rather than asking it, I did a little research and
here is what I found.

- There appear to be 50 packages in the archive that are adding their
  own logcheck rules.

- For these 50 packages, there are 101 rules files, with about 1156
  total rules.

- Of the 101 files, I found 77 of them not to meet the
  conventions/standards of the logcheck team (~76%). This accounts for
  about 1050 of 1156 total rules (~90%).

This was a very loosely conducted audit. I spent no more than a few
seconds looking at each file, so it pretty much only reflects obvious
mistakes. However, it is worth noting that the majority of the ones I
found "non-conforming" didn't appear to miss the target by much. The
most common error was not providing a match of the complete line,
starting with the timestamp and ending with a "$".

One thing that I feel compelled to ask is: are our standards really
appropriate, or better yet, are there things we could do to make rule
maintenance easier on developers? For example, if the most common
mistake is the omission of a match on the timestamp, maybe we should be
prepending that ourselves for every syslog-generated log we parse.

> as nice as these assumptions sound, they don't work in practice.
> an active logcheck team can get much better quality.

You may be right, but I feel relatively certain that this should not be
the case. There just aren't enough people on the logcheck team to match
the collective expertise of the maintainers of these packages.

I'd really like to see us put our heads together to come up with some
ideas for fixing the problem and making maintainer-included rules an
asset rather than a (perceived?) curse.


-- 
Eric Evans
eevans at sym-link.com
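The convention the audit above is checking (a rule matches the whole syslog line, from the timestamp prefix to "$") and why it matters can be shown with a small checker. This is an added example, not code from logcheck or from the thread; the rule file and log lines are constructed, and the prefix is the usual logcheck style for syslog timestamp plus hostname. Unanchored rules are the security-relevant failure: they silently suppress lines from other programs that happen to contain the same words.

```python
import re

# Conventional logcheck line prefix (syslog timestamp + hostname); rules are
# extended regexes consumed by egrep -f, so POSIX character classes are allowed.
PREFIX = r'^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ '

# Constructed sample rule file: one conforming rule and two common mistakes.
RULES = [
    PREFIX + r'ntpdate\[[[:digit:]]+\]: adjust time server [.[:digit:]]+ offset -?[.[:digit:]]+ sec$',
    r'ntpdate\[[[:digit:]]+\]: adjust time server',          # no timestamp anchor, no $
    PREFIX + r'ntpdate\[[[:digit:]]+\]: step time server',   # anchored, but no $
]

# Constructed log lines; the last one is a different program whose message happens
# to contain the same words, which only the unanchored rule suppresses.
LOG = [
    'Jun  4 20:01:33 host ntpdate[1234]: adjust time server 192.0.2.1 offset 0.001234 sec',
    'Jun  4 20:01:34 host ntpdate[1235]: step time server 192.0.2.1 offset 5.000000 sec',
    'Jun  4 20:01:35 host sudo: mallory : COMMAND=/tmp/ntpdate[0]: adjust time server',
]

def audit_rule(rule):
    """Return the list of convention violations for one rule (empty = conforming)."""
    problems = []
    if not rule.startswith(PREFIX):
        problems.append('does not start with the timestamp/hostname prefix')
    if not rule.endswith('$'):
        problems.append('does not end with $')
    return problems

def to_python_regex(rule):
    """Python's re does not know POSIX classes; translate the two used here."""
    return rule.replace('[:digit:]', '0-9').replace('[:alnum:]', 'a-zA-Z0-9')

def suppressed_lines(rule, lines):
    """Lines logcheck would drop for this rule (egrep -f semantics: a search, not a full match)."""
    pat = re.compile(to_python_regex(rule))
    return [line for line in lines if pat.search(line)]

if __name__ == '__main__':
    for rule in RULES:
        print(rule)
        print('  violations:', audit_rule(rule) or 'none')
        for line in suppressed_lines(rule, LOG):
            print('  suppresses:', line)
```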