[Logcheck-users] rule seems to be matching all but last occurrence

Ross Boylan ross at biostat.ucsf.edu
Mon Nov 6 22:29:13 CET 2006


Every hour I get a mail from logcheck with a line like
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50
The strange thing is that syslog is filled with similar lines, but
this is the only one I get in the report.  It is the last such line in
each group:
# many similar lines deleted
Nov  6 12:08:32 wheat fetchnews[13617]: comp.std.c++: considering articles 177500 - 177504 
Nov  6 12:08:34 wheat fetchnews[13617]: comp.std.c++: 5 articles fetched (to 6683), 0 killed
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for tsoft.general to global expire 50
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.parallel to global expire 50
Nov  6 12:08:34 wheat fetchnews[13617]: comp.parallel: no new articles 
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for news.announce.newusers to global expire 50
Nov  6 12:08:34 wheat fetchnews[13617]: news.announce.newusers: no new articles 
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux to global expire 50
Nov  6 12:08:34 wheat fetchnews[13617]: comp.os.linux: no new articles 
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50
Nov  6 12:08:34 wheat fetchnews[13617]: comp.os.linux.admin: no new articles 
Nov  6 12:08:36 wheat fetchnews[13617]: wrote active file with 80596 lines
Nov  6 12:08:36 wheat fetchnews[13617]: child has process ID 13638

I have a pattern in ignore.d.server/local:
fetchnews\[[[:digit:]]+\]:
(yes, I know that's sloppy).  

In terms of obvious checks, logcheck.conf has
REPORTLEVEL="workstation"
and
wheat:/etc/logcheck# ls -l ignore.d.server/local 
-r--r--r-- 1 root logcheck 5041 Jun 25  2005 ignore.d.server/local

When I run syslog through egrep with this pattern, it picks out the
line.  The fact that I don't have tons of entries with "clamping
maxage" also suggests it is (mostly) working, since none of the stock
leafnode entries match that.

So, any suggestions how to figure out what is going on?

Thanks.

Ross Boylan

P.S. fetchnews is part of leafnode, which provides its own set of
rules.  Once I get something working, I plan to let them know about
it.  They also have duplicated entries in ignore.d.paranoid and server.
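A small harness for reproducing the check described above (added here as an example; it is not part of the original post and not logcheck's own code). It assumes logcheck applies an ignore.d file the way its script does, as `grep -E -v -f RULES` over the new log lines, and replays that over a few constructed syslog lines modelled on the excerpt in the post (the CRON line is constructed too). It also includes a sanity check for two rule-file defects that are easy to overlook when editing ignore files: an empty line, which as a `grep -f` pattern matches every line and silently suppresses everything, and a rule ending in a stray carriage return, which never matches a syslog line at all. Neither is claimed to be the cause of the behaviour reported in the post; they are just the checks worth running first.

```sh
#!/bin/sh
# Added example, not from the original post: replay logcheck-style ignore-rule
# filtering over constructed fetchnews log lines and sanity-check a rule file.

# Lines that survive the ignore rules, i.e. what logcheck would put in the mail.
# $1 = rule file (one extended regex per line), $2 = log file.
# Assumption: logcheck applies ignore files as `grep -E -v -f`.
report_unmatched() {
    grep -E -v -f "$1" "$2" || true   # grep exits 1 when nothing survives; that is the healthy case
}

# Number of log lines a single pattern matches, the check the post did with egrep.
# $1 = pattern, $2 = log file
count_matches() {
    grep -E -c -- "$1" "$2" || true
}

# Flag rule lines that behave surprisingly under `grep -f`:
# an empty line matches every input line; a line ending in CR never matches syslog.
# $1 = rule file; prints one warning per problem line.
check_rule_file() {
    CR=$(printf '\r')
    while IFS= read -r rule || [ -n "$rule" ]; do
        case "$rule" in
            '')      printf '%s\n' "warning: empty rule matches every line, nothing would be reported" ;;
            *"$CR")  printf '%s\n' "warning: rule ends in a carriage return and will never match: $rule" ;;
        esac
    done < "$1"
}

LOG=$(mktemp)
RULES=$(mktemp)
BADRULES=$(mktemp)
trap 'rm -f "$LOG" "$RULES" "$BADRULES"' EXIT

# Constructed sample, modelled on the syslog excerpt in the post.
cat > "$LOG" <<'EOF'
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.parallel to global expire 50
Nov  6 12:08:34 wheat fetchnews[13617]: comp.parallel: no new articles 
Nov  6 12:08:34 wheat fetchnews[13617]: clamping maxage for comp.os.linux.admin to global expire 50
Nov  6 12:08:36 wheat fetchnews[13617]: wrote active file with 80596 lines
EOF
# One constructed non-fetchnews line, so the report is not empty.
CRON_LINE='Nov  6 12:17:01 wheat /USR/SBIN/CRON[13700]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)'
printf '%s\n' "$CRON_LINE" >> "$LOG"

# The rule from the post's ignore.d.server/local, written cleanly.
printf '%s\n' 'fetchnews\[[[:digit:]]+\]:' > "$RULES"

# The same rule written badly: CR line ending plus a trailing empty line.
printf 'fetchnews\\[[[:digit:]]+\\]:\r\n\n' > "$BADRULES"

echo "fetchnews lines matched by the rule: $(count_matches 'fetchnews\[[[:digit:]]+\]:' "$LOG")"
echo "--- lines logcheck would report with the clean rule file ---"
report_unmatched "$RULES" "$LOG"
echo "--- problems in the badly written rule file ---"
check_rule_file "$BADRULES"
echo "--- lines logcheck would report with the bad rule file ---"
report_unmatched "$BADRULES" "$LOG"   # nothing: the empty pattern swallows every line
```

Run it as `sh replay.sh`; with the clean rule file only the CRON line is reported, which is the behaviour the post expects from the pattern. Pointing `report_unmatched` at the real `/etc/logcheck/ignore.d.server/local` and a saved copy of the syslog excerpt shows directly which lines the rule file lets through, and `check_rule_file` on the same file rules out the two defects above before looking anywhere else.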


