[Logcheck-devel] Integrating rules from other packages back into logcheck
Eric Evans
eevans at sym-link.com
Fri Jun 10 01:44:47 UTC 2005
On Wed, Jun 08, 2005 at 12:55:25PM +0200, maximilian attems muttered these words:
> you haven't proposed an alternative, have you?
After rereading the thread, it appears that we can summarize the
problems as follows:
1. There are various issues pertaining to the quality of the rules in
comparison to those distributed in logcheck proper.
2. Mis-filed bug reports are creating additional work and unnecessary
delays.
3. Users running logcheck to produce summaries on central logging
servers do not have all the rules that correspond to their log
output.
For (1) there were several speculations as to why this is, and they all
seem to point to people issues rather than technical ones, either
maintainers can't create quality rules, or they won't. (2) is also a
people issue, but as both Maks and Jamie have pointed out, it is
compounded by confusion about which package a given rule belongs to. (3)
is clearly a technical problem, one that stems from the fact that the
rules are spread out across 51 packages.
#3: Centralized logging
-----------------------
I don't think that logcheck was designed for centralized logging, and
I'm reasonably confident that those using it that way represent the
exception rather than rule. If we are to make these configurations
supported, then there will be more work required of us than the mere
aggregation of all rules into a single package.
There was talk on this list not long ago about creating some tools to
extract rules from packages in the archive for use in distributing
logcheck outside of Debian. IMO, that would be a good compromise.
#2: Mis-filed bug reports
-------------------------
I honestly don't think pulling all rules under the logcheck-database
umbrella is going to fix this. It *might* help a little, but confusion
about which package to report a bug against is something that effects
the entire project and I don't think there's a silver bullet for it.
We might see some improvement in this area by just making some attempt
to educate people more.
#1: Inconsistent rule quality
-----------------------------
This is the one that seems to be the point of greatest contention. It also
happens to be the one I feel most confident we can improve upon.
Proposition A: Make it easy
#174331 is a wishlist bug from about 2 1/2 years ago requesting macro
support. In it, the submitter provides a patch for adding macro
support to pattern files. Jon Middleton seemed receptive to the idea
at the time, but had the idea that this functionality should go into
dh_installlogcheck.
I'm guessing that what Jon had in mind was the creation of patterns
containing macros that would be translated to proper regex in the
installed file. I think this is good idea.
To that end, I hacked together a little proof-of-concept to show how
that might work.
http://people.debian.org/~eevans/rule-preprocessing/
The file meta-tags is a perl hash that defines the macros. Tags like
@IPV4_ADDR@, @DNS_FQDN@, and @INT@ are mapped to regular expressions
for an IP address, fully qualified hostname, and integer respectively.
A file like rules.in is created that replaces each item in a line of
log output that is variable, with one of the macros from "meta-tags".
The result is something that can be more easily parsed by eye balls,
and can be constructed by people who haven't developed the ability to
think in regex.
Running mkrules substitutes macros for the defined regex, escapes a
few problem characters, strips white space off the end of the line,
then anchors the regex with "$".
In essence we'd be creating a new, more accessible way of writing
rules that created a layer of abstraction to hide the gory details of
regular expressions. Maintainers could write their rules in the new
format and dh_installlogcheck would take care of the hard work when
the package was built.
This would also have the added benefits of creating consistency among
all logcheck rules, and would centralize a great deal of pattern
maintenance.
Proposition B: Communicate
We could open up a dialog with others in the project, starting with
the maintainers of the 50 packages that already supply their own
rules. Among the things we could ask them:
o "Do you use logcheck on any machines you maintain?"
o "Why do you maintain your own rules, is it something that you
are motivated to do, or do you feel compelled to do so?"
[Any developer that felt it more of burden than a joy could be
asked if they were interested in having us take them over]
o "Would you be interested in joining the logcheck team, even if it
where only for the purpose of maintaining the rules that apply to
your other package(s)?"
o "What can we do to make the task easier for you?"
o ...
Comments welcome.
--
Eric Evans
eevans at sym-link.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20050609/f59775ab/attachment.pgp
More information about the Logcheck-devel
mailing list