The default cron setup is:
2 * * * * logcheck if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
This is extremely too often. Getting a huge number of mails every two
hours is filling up the mailboxes.
A more appropriate default would be every 24h (once a day).
Actually, it is every hour (at x:02). But if logcheck is sending you crap every hour, you need better rules, not a lazier schedule. That'd be like unplugging your smoke detector instead of moving it further from the kitchen. Could you file bug reports for the messages that are getting through? I can't speak for other people, but when I was sysadmin, I wanted to be informed of any problems *now*, not the day after.
Frédéric Brière <fbriere@fbriere.net> writes: IMO, getting the mail once a day instead of once an hour turns an annoying reminder that you need to fix your rules into a huge message that no one will bother reading. So in short I agree.
Frédéric Brière <fbriere@fbriere.net> wrote: I quite agree. Hannes
also sprach Frédéric Brière <fbriere@fbriere.net> [2009.08.21.0214 +0200]: On all of my machines, puppet changes that line to "*/5 * * * *" so that my logcheck runs every five minutes. I think this is suboptimal. I'd like the next generation of logcheck to be a daemon scraping the syslog socket and be able to react immediately.
Frédéric Brière <fbriere@fbriere.net> writes: If logcheck is installed on NN (where NN is a two-digit number) Debian servers, those messages pile up pretty quickly. We must also keep in mind the extra burden that logcheck puts on the system when it scans logs with heavy regular expressions. It is reasonable to expect that a "server" installation ships with defaults that are sane and not extreme (any less than 12h is in my book extreme). Getting reports at 24h intervals is quite enough to act on during work-day 8.00-17.00 hours. To put things in perspective, it can be argued that messages from IDS systems or smartmond are much more important than logcheck's; and they do come when an error is detected. Please ship with 24h, which would be a more appropriate and expected default. Jari
also sprach Jari Aalto <jari.aalto@cante.net> [2009.08.21.1801 +0200]: Please help write filters to prevent them. Yes, logcheck is a hog. Regexp macros, a regexp compiler, and ideally a new code base would fix that. Then you get one huge message and the chance of overlooking something is larger IMHO. I doubt we will change the default, but I am sure we would accept patches that added a debconf question about the periodicity of logcheck runs.
It is a lot easier to look at one mail:
- Search
- filter (procmail or MUA means)
- Forward to another admin for further look
(people responsible for are XXXX, YYY ...)
- delete or archive mail with one command
It is a nuisance to have to deal with multiple mails. The default of 2
is too extreme.
Jari
also sprach Jari Aalto <jari.aalto@cante.net> [2009.08.22.1840 +0200]: That way, I can easily file things as I do them, and can forward only specific things to specific people. Searching and archiving/deleting are not an issue as my MUA allows me to do that across mailboxes with hundreds of files. The only way forward I see is via a debconf question. I would like a higher periodicity, and you want a lower one: unless there's a way to pass on the decision to the admin, the package won't change. Patches welcome. Sorry.