It would help with debugging to have an option that causes logcheck to
always look through the entire log file, ie not using logtail.

Greetings
Marc

A couple related things occurred to me, perhaps these can just be
described in README{,.Debian}.

 1. How to filter an already-filtered email with a new rule, to see if
    it matches (to first order that just does |grep -xEvf
    /etc/logcheck/..., but that should also take into account the
    violations and their exceptions).  logcheck --stdin or something.

 2. How to filter many emails (1 per hour * 16 hours) through a given
    filter, perhaps as a test or a temporary measure (if something is
    known, understood and perhaps fixed, and additional log lines
    don't add any useful information and just act as clutter).
    |formail -ds grep -xEvf /tmp/filter |formail -ds procmail

 3. How to filter the logfiles themselves again, starting at a given
    point.  Probably best if logcheck supports this itself, to handle
    rotation, but can probably be mediated with something like: sed
    -sn '/^Xyz 12 34:56:78/,$p' /var/log/{sys,auth.} | logcheck
    --stdin, as soon as 1. is implemented.

tags 491127 help
thanks

also sprach Marc Haber <mh+debian-bugs@zugschlus.de> [2008.07.16.2215 +0100]:

Patches welcome.

get a mail with a log message from 10:55 that is not yet covered by the
rule. The stamp gets updated to 11:00.

I now fix the rule that should have filtered the message. logcheck -t
will still only start checking a 11:00, so the test run will not prove
that the change has actually filtered the message from 10:55.

Does this make the usecase clear?

Greetings
Marc

P.S. Thanks for doing bug triage.

Does logcheck-test help with that?