I want to filter a log file using logcheck, but instead of setting rules for the log messages I want to ignore, I would like to define rules just for the ones that I want to receive in my inbox. Is it possible to do something like that using negative logic (like egrep -v)?

pitazzo

2 Answers


This regex, `[^abc]`, means "not a, b, or c".

Laurent Mouchart
  • Well I guess that's correct, but it's likely to be terribly impractical to match whole log lines. For example, if you want to match any line but `admin` with character classes you need something like `^([^a]|a[^d]|ad[^m]|adm[^i]|admi[^n])` – Aaron Jun 01 '18 at 09:01
  • You're right, but that regex applies to the characters individually; what I'm looking for is negating a whole regex, something like this: `'^(hello|bye)'`, which should return all the lines without the words hello or bye, but it isn't working. – pitazzo Jun 01 '18 at 09:02
  • Looks like you're looking for the negative lookahead syntax you mentioned in comments, which is `(?!hello|bye)`. However, I'm far from sure it will be supported by logcheck (it's not implemented by ERE nor BRE, the two basic regex implementations in Linux; it's implemented in PCRE though, which is sometimes also available) – Aaron Jun 01 '18 at 09:05
  • @pitazzo maybe this will help [https://stackoverflow.com/questions/406230/regular-expression-to-match-a-line-that-doesnt-contain-a-word/406408#406408](https://stackoverflow.com/questions/406230/regular-expression-to-match-a-line-that-doesnt-contain-a-word/406408#406408) – Laurent Mouchart Jun 01 '18 at 09:05

I can't give great examples, but I believe you can ignore everything and then list the patterns you want flagged in either the violations.d or cracking.d directories.

So in ignore.d.server, remove all files and create a single file containing '^.'. Then define your patterns in violations.d.

You can create a separate config directory for this, copying all of the /etc/logcheck contents to a new directory, editing logcheck.conf to list the correct RULEDIR, and then test with a command something like:

sudo -u logcheck logcheck -c /tmp/logcheck/logcheck.conf -o -t
Corvar
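As an added example (not code from this thread or from logcheck itself): a POSIX shell script that builds the rule tree Corvar describes in a scratch directory and applies it the way logcheck does, feeding the rule files to grep -E, since logcheck rules are extended regular expressions. It also shows the line-level negation asked about under the first answer: `grep -E -v` does that on the command line, but a logcheck rule file only lists patterns to match, so inside logcheck the catch-all ignore rule has to stand in for it. The rule file names, the directory layout under a temporary directory, and the log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread or from logcheck:
# emulate "ignore everything, list what you want in violations.d" with
# plain grep -E so the rule files can be checked before they go under
# /etc/logcheck. logcheck rules are EREs, so grep -E treats them alike.
set -eu

# Constructed sample log lines for the demo (not real logs).
SAMPLE_LOG='Jun  1 09:00:01 host sshd[123]: Accepted publickey for alice from 10.0.0.5 port 2222 ssh2
Jun  1 09:00:02 host sshd[124]: Failed password for invalid user admin from 10.0.0.9 port 4444 ssh2
Jun  1 09:00:03 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Jun  1 09:00:04 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun  1 09:00:05 host systemd[1]: Started Daily apt download activities.'

# make_rules DIR: write a throw-away rule tree in the layout the answer
# describes. File names are hypothetical.
make_rules() {
  dir=$1
  mkdir -p "$dir/violations.d" "$dir/ignore.d.server"
  # Positive rules: only lines matching one of these get reported.
  cat > "$dir/violations.d/local-wanted" <<'EOF'
sshd\[[0-9]+\]: Failed password for
sudo: .*COMMAND=
EOF
  # Catch-all: matches every non-empty line, so anything that is not a
  # violation is dropped instead of being mailed as a "system event".
  printf '%s\n' '^.' > "$dir/ignore.d.server/local-ignore-all"
}

# compile_rules DIR: concatenate each rule directory into one pattern
# file, which is what grep -f consumes.
compile_rules() {
  dir=$1
  cat "$dir"/violations.d/* > "$dir/violations.rules"
  cat "$dir"/ignore.d.server/* > "$dir/ignore.rules"
}

# security_events DIR LOG: stage 1, lines matching violations.d.
# grep exits 1 when nothing matches; that is not an error here.
security_events() {
  dir=$1; log=$2
  grep -E -f "$dir/violations.rules" "$log" || true
}

# system_events DIR LOG: stage 2, lines that matched no violation and
# survived ignore.d.server. With the '^.' rule this is always empty.
system_events() {
  dir=$1; log=$2
  grep -E -v -f "$dir/violations.rules" "$log" \
    | grep -E -v -f "$dir/ignore.rules" || true
}

# lines_not_matching ERE LOG: the line-level negation from the comments.
# This is what egrep -v gives you on the command line; a logcheck rule
# cannot express it, hence the catch-all ignore rule above.
lines_not_matching() {
  pattern=$1; log=$2
  grep -E -v "$pattern" "$log" || true
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_rules "$demo_dir"
printf '%s\n' "$SAMPLE_LOG" > "$demo_dir/syslog"
compile_rules "$demo_dir"
echo "== security events (would be mailed) =="
security_events "$demo_dir" "$demo_dir/syslog"
echo "== system events after the catch-all ignore (expect none) =="
system_events "$demo_dir" "$demo_dir/syslog"
echo "== lines without sshd or sudo, via grep -E -v =="
lines_not_matching '(sshd|sudo)' "$demo_dir/syslog"
rm -rf "$demo_dir"
```

The trade-off is the one a practitioner should keep in mind: the '^.' rule also swallows any line you did not anticipate, so a new daemon or a new attack pattern that matches nothing in violations.d or cracking.d is never seen. Run the script against a day's real syslog before switching a production RULEDIR to this layout, and re-check the violations patterns whenever the host's software changes.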