[Logcheck-devel] Bug#443171: Bug#443171: rules to ignore acpid messages
Hanspeter Kunz
hkunz at ifi.uzh.ch
Fri Sep 21 07:53:11 UTC 2007
On Thu, 2007-09-20 at 23:13 +0100, martin f krafft wrote:
> also sprach Hanspeter Kunz <hp at edelkunz.ch> [2007.09.20.1415 +0100]:
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: received event
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: notifying client
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: executing action
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: action exited with status 0$
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: completed event
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: client connected from
> > ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ acpid: [0-9]+ client rule.* loaded$
> >
> > They ignore pretty everything, unless there is an error.
> >
> > The first line ignores all kind events (battery, lid, power, hkey). Or
> > are there acpi event that should trigger logcheck?
>
> Thanks! In general, I don't think logcheck should let any acpid
> messages pass, so this should be okay.
Ok.
> I am missing information about where these filters go, but I'll
> assume ignore.d.server/acpid.
That's right.
> Also, you might want to have a look at
> http://wiki.logcheck.org/index.cgi/RuleSubmission
>
> for future submissions. Specifically, we don't really want rules
> that don't cover the whole line and do not end with $. And in
> between, the filter should be as specific as possible.
Well, if I want to have a rule, that is triggered just by the beginning
of the log line (e.g. rules 1,2,3,5,6 above) no matter what follows, it
would be a bad idea to add ".*$" just to have a $ at the end, as this is
computationally more expensive (and logcheck uses already enough cpu
power).
It is a good thing to have rules that are as specific as possible. But
they should only be as specific as needed, don't you agree? (or am I
missing something here?)
The rules above are unspecific (to some extent) because it is their
purpose to match to a lot of cases. So, there is really no need to be
more specific. If so, many more rules would be necessary (which is again
not helpful for logchecks performance).
cheers,
Hp.
More information about the Logcheck-devel
mailing list