[Logcheck-devel] Re: [Logcheck-commits] r1172 - in logcheck/trunk: debian rulefiles/linux/ignore.d.server
Todd Troxell
ttroxell at debian.org
Thu Jul 27 01:43:40 UTC 2006
On Wed, Jul 26, 2006 at 09:40:16AM +0100, martin f krafft wrote:
> also sprach Todd Troxell <ttroxell at debian.org> [2006.07.26.0358 +0100]:
> > > * ignore.d.server/kernel: ignore interface link status changes.
> > > If they are important, we would not be able to get mail about
> > > them anyway.
> >
> > I'm not completely convinced that this is a good idea. This kind
> > of activity could indicate tampering or equipment failure. Are
> > you getting this message regularly?
>
> In retrospect, I think I will have to agree with you, but I wonder
> whether it's logcheck's job to point this out. I suppose I should
> revert that change... I am getting the message often but that's
> because one of my servers is actually a laptop on a wireless link.
> :)
Aha! :)
WRT logcheck's job, I think this fits because it is anomalous on a
"standard" system. At least, I think this will provide the greatest benefit
to most logcheck users.
> I'll leave the filter for link status "up", but will remove the
> "down" one. By logic of link status, they always come in pairs or
> not at all. :)
Cool, works for me.
--
Todd Troxell
http://rapidpacket.com/~xtat
More information about the Logcheck-devel
mailing list