====== Logcheck Tweeks ======

===== RSyslogd =====

The rsyslogd syslog entries as follows will cause the default install of logcheck to trip:

<file>
Sep 18 06:25:01 zcn1 kernel: imklog 3.18.6, log source = /proc/kmsg started.
Sep 18 06:25:01 zcn1 rsyslogd: [origin software="rsyslogd" swVersion="3.18.6" x-pid="2097" x-info="http://www.rsyslog.com"] restart
</file>

and therefore it's best to add the following lines to /etc/logcheck/ignore.d.server/rsyslogd to ignore them:

<file>
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
</file>

===== SSHD =====

SSH logs information regarding connections, connection attempts and disconnects. The default config for SSHD checks doesn't account for disconnects properly (whether intensional or not it gets on my nerves). So to ignore log entries such as:

<file>
Sep 13 15:49:35 zmn1 sshd[6393]: Received disconnect from 81.13.159.17: 11: disconnected by user
</file>

add the following to /etc/logcheck/ignore.d.server/ssh

<file>
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: Received disconnect from 81.13.159.17: 11: disconnected by user
</file>

just make sure to change 81.13.159.17 to the address that you mostly use to access the machine. That way you still get informed of disconnects from other addresses.

===== CRM/Corosync/Pacemaker/Heartbeat =====

To be honest, these logentries will drive you crazy if you aren't carefull. So to ignore log entries such as:

<file>
Oct  7 17:47:33 bps1 crmd: [456]: info: do_cib_control: CIB connection established
Oct  7 17:47:33 bps1 crmd: [456]: info: crm_cluster_connect: Connecting to OpenAIS
</file>

add the following to /etc/logcheck/ignore.d.server/corosync

<file>
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ attrd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cib: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crmd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ crmd: \[[0-9]+\]: notice: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]: .* info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   [TOTEM ].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   [MAIN  ].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   [SERV  ].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ corosync\[[0-9]+\]:   [pcmk  ].*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ logd: \[[0-9]+\]: debug: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ logd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ lrmd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ lrmd: \[[0-9]+\]: WARN: G_SIG_dispatch: Dispatch function for SIGCHLD was delayed .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pengine: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pengine: \[[0-9]+\]: notice: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pingd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stonithd: \[[0-9]+\]: info: .*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ stonithd: \[[0-9]+\]: notice: .*$
</file>