
Re: [cobalt-users] Logcheck



> I have finally got around to installing logcheck, and it did
> install fine, and I can run it from the command prompt, no problem.  My
> problem arises when I get the logcheck file emailed to me.  I am running
> this on a Qube 3.  The Qube3 has about 75 users at the moment, and one
> department insists on checking mail every 1 minute (they annoy me, about
> 15 people).  So needless to say I have huge files, and logcheck
> considers it an "Unusual System Event" every time someone checks mail.
> Can anyone suggest a way to still get the most use out of logcheck, but
> the least amount of garbage.  I am essentially just getting the whole
> log file emailed to me, very difficult to read through because it is so
> large.  Suggestions on what to do would be greatly appreciated.  Sample
> of the log file is below:
<log snip>
> Dec 14 04:03:01 mail in.qpopper[18287]: (v?) POP login by user "user3"
> at (XXX.XXX.XX.XX) XXX.XXX.XX.XX

Jeez, tell them to stop checking every minute. That's a load on your server.
They *have* to check every 1 minute???

Well, if you want to stop getting it in your logcheck emails you can add it
to the logcheck.ignore file. Mine is in /usr/local/etc/logcheck.ignore.

Beware of false positives. You don't want to remove things from your
logcheck emails that you might need to see.

> Also every time Monitor runs it gets recorded also, any way to
> take this out also, or shouldn't I.

The active monitor stuff is really useless. You can definitely get rid of
that without worry. I use something like this:

proftpd.*- no such user 'active_monitor'
proftpd.*: www.mydomain.net \(www.mydomain.net\[111.111.111.111\]\) - FTP
session opened.
proftpd.*: www.mydomain.net \(www.mydomain.net\[111.111.111.111\]\) - FTP
session closed.

This is line wrapping in my Outbreak Express, so be sure that each line
beginning with proftpd is all on one line. YMMV.

HTH,
j
-- 
http://www.bizmanuals.com
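
Added example, not part of the original message: a dry run that shows what a set of logcheck.ignore patterns would hide before they are installed, comparing the tight patterns from the reply above with an overbroad set. It assumes logcheck drops ignored lines with `grep -E -v -f <ignore file>`; the log lines, the extra POP pattern, and the function names `still_reported` and `hidden_per_pattern` are constructed for illustration.

```shell
#!/bin/sh
# Dry-run logcheck.ignore patterns against a log sample before installing them.
# Assumption: logcheck drops ignored lines with `grep -E -v -f <ignore file>`.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Constructed sample log, modelled on the lines quoted in the thread.
cat > "$work/sample.log" <<'EOF'
Dec 14 04:03:01 mail in.qpopper[18287]: (v?) POP login by user "user3" at (192.0.2.10) 192.0.2.10
Dec 14 04:03:04 mail in.qpopper[18288]: (v?) POP login by user "user7" at (192.0.2.11) 192.0.2.11
Dec 14 04:03:05 mail proftpd[18290]: www.mydomain.net (www.mydomain.net[111.111.111.111]) - FTP session opened.
Dec 14 04:03:05 mail proftpd[18290]: www.mydomain.net (www.mydomain.net[111.111.111.111]) - no such user 'active_monitor'
Dec 14 04:03:05 mail proftpd[18290]: www.mydomain.net (www.mydomain.net[111.111.111.111]) - FTP session closed.
Dec 14 04:04:10 mail proftpd[18301]: www.mydomain.net (host.example[192.0.2.77]) - no such user 'admin'
Dec 14 04:04:12 mail in.qpopper[18305]: (v?) user3 at (192.0.2.77): -ERR Password supplied for "user3" is incorrect.
EOF

# Tight patterns: the three from the reply, plus one anchored on the POP login text.
cat > "$work/tight.ignore" <<'EOF'
proftpd.*- no such user 'active_monitor'
proftpd.*: www.mydomain.net \(www.mydomain.net\[111.111.111.111\]\) - FTP session opened.
proftpd.*: www.mydomain.net \(www.mydomain.net\[111.111.111.111\]\) - FTP session closed.
in.qpopper.*POP login by user
EOF

# Overbroad patterns: a quieter mailbox, but whole services go dark.
printf '%s\n' 'proftpd' 'in.qpopper' > "$work/broad.ignore"

# still_reported IGNOREFILE LOGFILE: lines logcheck would still mail out.
still_reported() {
    grep -E -v -f "$1" "$2"
}

# hidden_per_pattern IGNOREFILE LOGFILE: count of lines each pattern suppresses.
hidden_per_pattern() {
    while IFS= read -r pat; do
        [ -n "$pat" ] || { echo "EMPTY LINE: would hide everything"; continue; }
        printf '%d\t%s\n' "$(grep -E -c -e "$pat" "$2")" "$pat"
    done < "$1"
}

echo "== tight: hits per pattern =="; hidden_per_pattern "$work/tight.ignore" "$work/sample.log"
echo "== tight: still reported ==";   still_reported "$work/tight.ignore" "$work/sample.log"
echo "== broad: still reported ==";   still_reported "$work/broad.ignore" "$work/sample.log" || echo "(nothing)"
```

With the tight set, the unknown-user FTP attempt and the failed POP password still reach the report; with the broad set both disappear along with the noise.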