rsyslogd high precision timestamps and logcheck

After commenting out rsyslogd's traditional timestamp format ($ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat), so that rsyslog writes its default high precision RFC 3339 timestamps (for example 2012-07-20T10:11:12.123456+02:00) instead of the classic "Jul 20 10:11:12" form, I noticed that none of the logcheck ignore rules match any more, because every rule starts by matching the old timestamp.

To fix it, back up the rule directories and rewrite the timestamp prefix in every rule file:

# Run as root. Refuses to run if a backup already exists, then backs up all
# logcheck rule directories to /var/backups/logcheck.d.tar.gz and rewrites the
# traditional timestamp prefix (^\w{3} [ :0-9]{11}, or the [:digit:] variant)
# at the start of every rule to ^[0-9T:+.-]+, which matches RFC 3339 timestamps.
cd /etc/logcheck/ &&
( [ ! -e '/var/backups/logcheck.d.tar.gz' ] || \
  { echo 'err: backups already made'; exit 1;} ) && \
tar cfzv /var/backups/logcheck.d.tar.gz cracking.d cracking.ignore.d \
    ignore.d.paranoid ignore.d.server \
    ignore.d.workstation violations.d violations.ignore.d && \
find cracking.d \
    cracking.ignore.d \
    ignore.d.paranoid \
    ignore.d.server \
    ignore.d.workstation \
    violations.d \
    violations.ignore.d \
  -type f \
  -exec sed -i \
    -e 's/^\^\\w{3} \[ :\(0-9\|\[:digit:\]\)\]{11}/^[0-9T:+.-]+/' {} \;

In other words, keep the rest of each rule (the part matching the hostname/FQDN, process and message) exactly as it is and replace only the leading timestamp match: the traditional prefix ^\w{3} [ :0-9]{11} (or its [:digit:] variant) becomes ^[0-9T:+.-]+, which matches the RFC 3339 timestamp rsyslog now writes. The new prefix is deliberately simpler and not length-anchored, so it is a little looser than the original; the tar backup taken first is what lets you restore the original rule files if anything goes wrong.

Note: this only works for me, no guarantees.

EDIT: 2012-07-20: Added support for [:digit:] used by some ignore.d files.
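The conversion above, including the [:digit:] variant from the edit, as an added example that is not from the original post: it applies the same sed substitution to two constructed rule lines in a temporary directory and uses grep -E to show that the unconverted rules fail on an RFC 3339 line while the converted ones match it. The rule text, log lines and temporary directory are constructed; GNU sed and grep are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's sed
# substitution to constructed logcheck rule lines and checks them against
# constructed log lines in both timestamp formats with grep -E.
# Assumes GNU sed and grep (\| alternation and \w are GNU extensions).
# Everything happens in a temporary directory; /etc/logcheck is untouched.

WORK=$(mktemp -d)

# Constructed rules in the style of ignore.d files: one with [0-9] and one
# with the [:digit:] variant mentioned in the post's edit.
cat > "$WORK/rules.orig" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from [0-9.]+ port [0-9]+ ssh2$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ cron\[[0-9]+\]: \([^)]+\) CMD \(.*\)$
EOF

# Constructed log lines: traditional syslog timestamp, and the RFC 3339 high
# precision timestamp rsyslog writes once RSYSLOG_TraditionalFileFormat is off.
OLD_LINE='Jul 20 10:11:12 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2'
NEW_LINE='2012-07-20T10:11:12.123456+02:00 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2'

# The substitution from the post's find/sed one-liner, applied to one file
# and written to stdout instead of in place.
convert_rules() {
    sed -e 's/^\^\\w{3} \[ :\(0-9\|\[:digit:\]\)\]{11}/^[0-9T:+.-]+/' "$1"
}

# Exit status 0 when at least one rule in the file ignores the log line,
# which is how logcheck decides a line is noise.
is_ignored() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# Number of rules in the converted file that start with the new prefix.
count_converted() {
    grep -c '^\^\[0-9T:+.-\]+' "$WORK/rules.new"
}

convert_rules "$WORK/rules.orig" > "$WORK/rules.new"

echo "converted rules:"
cat "$WORK/rules.new"
echo "converted rule count: $(count_converted)"
is_ignored "$WORK/rules.orig" "$NEW_LINE" && echo "old rules match RFC 3339 line" \
    || echo "old rules do NOT match RFC 3339 line (the breakage in the post)"
is_ignored "$WORK/rules.new" "$NEW_LINE" && echo "converted rules match RFC 3339 line"
is_ignored "$WORK/rules.new" "$OLD_LINE" || echo "converted rules no longer match the traditional line"
echo "work dir left for inspection: $WORK"
```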
