[Logcheck-users] Thresholds

Keith Edmunds kae at midnighthax.com
Mon Aug 2 10:42:17 UTC 2010


Apologies if this has been discussed before (the Mailman archives make it
hard to check).

We'd like to be able to implement some kind of threshold filtering. For
example, we may decide that some aborted IMAP login failures are
acceptable, but more than, say, three in ten minutes is not (or even three
in one logcheck run would be a good start).

How practical would it be to hook into logcheck after it has done its
usual filtering but before it sends the mail? It should be relatively
trivial to count how many matches there are to, say, this:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ imap-login: Aborted login \[[[:digit:].]*\]$

...and if there are fewer than the threshold number, remove them from the
email being sent. If there are more, send the email as usual.

Anyone done that? Thought about it? Have any suggestions?
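One way to do the counting step sketched above, as an added example that is not from the post and not part of logcheck itself: a small Python filter that takes the lines logcheck would otherwise mail, counts those matching the aborted-login rule, and drops them when fewer than the threshold occur, either per run or within a sliding time window (the "three in ten minutes" case). It assumes the hook receives the already-filtered lines on stdin (how to attach it to logcheck is the open question in the post), rewrites the rule's POSIX bracket classes in Python `re` syntax, and fixes the year at 2010 because classic syslog timestamps carry none. The host name and addresses in the sample lines are constructed.

```python
import re
import sys
from datetime import datetime

# Constructed sample of lines as they might look after logcheck's own
# ignore-rule filtering (hypothetical host, RFC 5737 documentation addresses).
SAMPLE = [
    "Aug  2 10:31:02 mailhost imap-login: Aborted login [192.0.2.10]",
    "Aug  2 10:33:15 mailhost imap-login: Aborted login [192.0.2.10]",
    "Aug  2 10:40:41 mailhost sshd[1234]: Accepted publickey for kae from 203.0.113.7 port 51234 ssh2",
    "Aug  2 10:45:09 mailhost imap-login: Aborted login [198.51.100.4]",
    "Aug  2 10:49:55 mailhost imap-login: Aborted login [198.51.100.4]",
]

# The rule from the post, with [:alnum:] and [:digit:] rewritten for Python's
# re module, which does not understand POSIX bracket classes.
ABORTED_LOGIN = re.compile(
    r"^\w{3} [ :0-9]{11} [\w.-]+ imap-login: Aborted login \[[\d.]*\]$"
)

SYSLOG_TS = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
ASSUMED_YEAR = 2010  # syslog lines carry no year; any fixed year works within one run


def syslog_time(line):
    """Parse the leading classic syslog timestamp into a datetime."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError("no syslog timestamp: " + line)
    mon, day, hh, mm, ss = m.groups()
    return datetime(ASSUMED_YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def exceeds_threshold(matches, threshold, window_seconds=None):
    """True if at least `threshold` matches occur in the whole run, or, when
    `window_seconds` is given, within any window of that length."""
    if window_seconds is None:
        return len(matches) >= threshold
    times = sorted(syslog_time(line) for line in matches)
    # Two-pointer sliding window over the sorted timestamps: for each match
    # taken as window start, advance `end` past every match within the window.
    end = 0
    for start, t0 in enumerate(times):
        while end < len(times) and (times[end] - t0).total_seconds() <= window_seconds:
            end += 1
        if end - start >= threshold:
            return True
    return False


def threshold_filter(lines, pattern, threshold, window_seconds=None):
    """Return the lines to report: everything not matching `pattern`, plus the
    matching lines only when they reach the threshold."""
    lines = list(lines)
    matches = [line for line in lines if pattern.match(line)]
    if exceeds_threshold(matches, threshold, window_seconds):
        return lines  # over threshold: send the report unchanged
    return [line for line in lines if not pattern.match(line)]


if __name__ == "__main__":
    # Read logcheck's filtered output on stdin; print what should be mailed.
    incoming = [line.rstrip("\n") for line in sys.stdin] or SAMPLE
    for line in threshold_filter(incoming, ABORTED_LOGIN, 3, window_seconds=600):
        print(line)
```

With the sample above, a per-run threshold of three reports all five lines (four aborted logins in the run), while the same threshold over a ten-minute window drops them, since no 600-second window holds three of the four, leaving only the sshd line to be mailed.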

Thanks,
Keith
