-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
32 lines (25 loc) · 1.6 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
The typical use of the piperlog and logmerge packages is to regularly provide
summaries of the system logs by email. The packages don't force a default
setup for this, so here's a example.
First, we need to produce the file of patterns to ignore. This can be produced
from an existing logcheck installation. It uses the "discard" file in
/etc/piperlog/discard to get rid of logcheck patterns that you don't want.
piper:~# piperlog-mkignore > /etc/piperlog/ignore
We add a new user, initialise the "offsets" file which tells logmerge where to
start reading the logs from (and which logs to read) and set up a cron job to
generate the summaries.
piper:~# adduser --system --ingroup adm piperlog
Adding system user `piperlog'...
Adding new user `piperlog' (101) with group `adm'.
Creating home directory `/home/piperlog'.
piper:~# logmerge-mkoffsets /var/log/auth.log /var/log/syslog > /var/lib/logmerge/offsets
piper:~# chown -R piperlog.adm /var/lib/logmerge/
piper:~# crontab -e -u piperlog /etc/piperlog/ignore
5 */4 * * * (REPLYTO=sysmans@example.com; export REPLYTO; logmerge | piperlog | mail -s "some.example.com log summary at `date`" mrlogreader@example.com)
Minor points:
- piperlog uses pcre "Perl compatible" regular expressions (see
pcrepattern(1)) rather than egrep "extended" regular expressions.
There are few differences. I found that the \< and \> word end sequences
are not present, and repetitions are fussy about the preceeding part of
the regexp (eg., r+{2,3} is not allowed). In the logcheck rules I looked
at these were only used by mistake, so they don't matter.