Bug#241526: [Logcheck-devel] Bug#241526: logcheck: Logcheck ignoring by number of occurrences
Todd Troxell
ttroxell at debian.org
Fri Jan 6 14:34:20 UTC 2006
Hey Erich,
On Thu, Jan 05, 2006 at 12:30:33AM +0100, Erich Schubert wrote:
> Hi,
> I'd also like to be able to ignore messages unless they occur too often,
> and maybe group certain messages when they occur very often.
>
> A typical example is
> postfix/smtp: connect to mx3.mail.yahoo.com[64.156.215.18]: read timeout
> (port 25)
>
> Oh my god! This really is critical information, isn't it?
> Well, when your server has like dozens of them it probably means
> something is broken with your network connectivitiy; then it's useful to
> know. As long as there are only single of these messages, they should
> just be ignored...
>
> Similarly:
> grouping them by the number of hits - like dicitionary attacks.
> For dictionary attacks, only the first and last attempt is that
> interesting that I'd like to see it in the logcheck result; if I need
> the complete data I can still access the original logfile.
While I'm generally opposed to adding this complexity to logcheck, (There's
not really a simple implementation given the way we use egrep.) I'm not
opposed to optionally doing things like this in post-processing. I've added
a note to the IdeaPool[0] about this.
[0] http://wiki.logcheck.org/index.cgi/IdeaPool
--
Todd Troxell
http://rapidpacket.com/~xtat
More information about the Logcheck-devel
mailing list