Adding an exclusion to violations.ignore.d causes matching lines to not
show up at all. The same applies to cracking.ignore.d. As a result,
important messages may be inadvertently missed.
For example, suppose you have a program that outputs:

    This is a failure test

This would show up as a SECURITY event. It isn't really a SECURITY
event, so you exclude it in violations.ignore.d. Now it does not show
up as a SECURITY event, but it also does not show up as a SYSTEM event.
That behavior is not what I would expect. I could potentially be missing
important events.
It is easy to test:

    logger -p kern.notice This is a failure test

Run logcheck. You will get an email showing a SECURITY event.

Add "This is a failure test" to a file in violations.ignore.d.

    logger -p kern.notice This is a failure test

Run logcheck. You will not get any notification of the event.
I cannot off the top of my head think of an easy fix. I for one would
MUCH rather have duplicate messages than risk missing something
important.
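
The layering described in this report, as an added example that is not part of the original report and is not logcheck's own code: a simplified grep model of the SECURITY and SYSTEM passes, showing the line that vanishes and one fall-through alternative. The rule patterns, file names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the filtering layers described in the report.
# All patterns and log lines below are constructed samples.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

printf '%s\n' 'failure' > "$work/violations"                        # stands in for violations.d
printf '%s\n' 'This is a failure test' > "$work/violations.ignore"  # violations.ignore.d
printf '%s\n' 'session opened' > "$work/ignore"                     # ordinary ignore rules
cat > "$work/log" <<'EOF'
kernel: This is a failure test
kernel: disk failure on sda
sshd: session opened for user alice
cron: job started
EOF

# SECURITY layer: lines matching a violations pattern, minus violations.ignore.
security_events() {
    grep -E -f "$work/violations" "$work/log" |
        grep -E -v -f "$work/violations.ignore"
}

# SYSTEM layer as the report observes it: every line that matched a
# violations pattern is dropped first, so a line silenced in
# violations.ignore is reported in neither layer.
system_events_observed() {
    grep -E -v -f "$work/violations" "$work/log" |
        grep -E -v -f "$work/ignore"
}

# Assumed alternative: drop only the lines actually reported as SECURITY,
# so an ignored violation falls through to the SYSTEM layer.
system_events_fallthrough() {
    security_events > "$work/reported"
    grep -F -x -v -f "$work/reported" "$work/log" |
        grep -E -v -f "$work/ignore"
}

echo "SECURITY:";             security_events
echo "SYSTEM (observed):";    system_events_observed
echo "SYSTEM (fallthrough):"; system_events_fallthrough
```

In the observed model "This is a failure test" appears in no section; in the fall-through model it is reported as a SYSTEM event unless an ordinary ignore rule also matches it.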