[Logcheck-devel] Bug#508138: logcheck: loglines leakage

Tue Dec 9 09:36:51 UTC 2008

* Paolo <oopla at users.sf.net> [2008-12-08 09:43:01 CET]:
> seems that somehow logcheck fails to filter out some lines, eg i get this 
> warning:
> 
> Security Events
  ^^^^^^^^^^^^^^^
> =-=-=-=-=-=-=-=
> daemon.info: Dec  7 21:13:47 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 100 to 99
> daemon.info: Dec  7 21:43:48 smartd[9668]: Device: /dev/hdb, SMART Prefailure Attribute: 1 Raw_Read_Error_Rate changed from 99 to 100
> 
> however:
> 
> # grep -h '21:13:4[78]' /var/log/socklog/main/* | egrep -v -f /etc/logcheck/ignore.d.server/smartd
                                                                              ^^^^^^^^^^^^^^^
 ignore.d.server rules won't filter out security events. I guess it's
matched as such because of the contained /failure/ in the line. I'm not
completely sure if this should be filtered out, but a matching rule for
that has to live below violations.ignore.d - and there is the
logcheck-smartd file in there which as far as I can see should match ...

> so the patterns in /etc.../smartd do match and logcheck run should end up 
> with no such lines.

 Can you egrep -v -f /etc/logcheck/ignore.d.server/smartd instead and
see if the Prefailure Attribute line does show up for you? From what I
can see it shouldn't ...

 Thanks,
Rhonda