You are not logged in.
- Topics: Active | Unanswered
#1 2008-04-23 04:48:39
- fukawi2
- Ex-Administratorino
- From: .vic.au
- Registered: 2007-09-28
- Posts: 6,223
- Website
logwatch ignore.conf not working
Hi all,
I've got logwatch running on one of my boxes, which is also running NTP... Which throws a whole heap of entries in to my logs about adjusting the local clock such as:
Apr 23 15:35:37 lapp ntpd[2945]: adjusting local clock by 0.217558s
I have told logwatch to ignore these entries by modifying ignore.conf:
fukawi2 ~ $ cat /etc/logwatch/conf/ignore.conf
^[A-Z]\{1\}[a-z]\{2\}[ ]\{1,3\}[0-9]\{1,2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\} lapp ntpd\[[0-9]\{4\}]: adjusting local clock by -*[0-9]\{1,5\}.[0-9]\{6\}s
adjusting local clock by -*[0-9]\{1,5\}.[0-9]\{6\}s
The regex is correct:
fukawi2 ~ $ sudo grep -f /etc/logwatch/conf/ignore.conf /var/log/everything.log | head
Apr 20 00:04:40 lapp ntpd[2964]: adjusting local clock by -3366.334204s
Apr 20 00:07:53 lapp ntpd[2964]: adjusting local clock by -3366.319881s
Apr 20 00:09:00 lapp ntpd[2964]: adjusting local clock by -3366.275946s
Apr 20 00:12:14 lapp ntpd[2964]: adjusting local clock by -3366.231390s
Apr 20 00:15:25 lapp ntpd[2964]: adjusting local clock by -3366.173226s
Apr 20 00:19:48 lapp ntpd[2964]: adjusting local clock by -3366.135475s
Apr 20 00:22:29 lapp ntpd[2964]: adjusting local clock by -3366.106383s
Apr 20 00:24:37 lapp ntpd[2964]: adjusting local clock by -3366.069773s
Apr 20 00:27:20 lapp ntpd[2964]: adjusting local clock by -3366.039979s
Apr 20 00:29:35 lapp ntpd[2964]: adjusting local clock by -3366.032703s
But I still get hundreds of these entries in my daily logwatch email 
--------------------- XNTPD Begin ------------------------
**Unmatched Entries**
adjusting local clock by -3314.495262s: 1 time(s)
adjusting local clock by -3322.181234s: 1 time(s)
adjusting local clock by -3325.820765s: 1 time(s)
adjusting local clock by -3318.454042s: 1 time(s)
adjusting local clock by -3319.596601s: 1 time(s)
adjusting local clock by 0.268634s: 1 time(s)
adjusting local clock by -3313.718419s: 1 time(s)
adjusting local clock by -3322.058501s: 1 time(s)
<-- SNIP -->
I believe I'm doing the right thing since I read the /usr/share/logwatch/HOWTO-Customize-LogWatch file which states:
ignore.conf: This file specifies regular expressions that, when matched by the output of logwatch, will suppress the matching line, regardless of which service is being executed.
You can customize the output of logwatch by modifying variables in the /etc/logwatch/conf directory.
Does anyone have any ideas? 
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
#2 2008-04-29 00:18:16
- fukawi2
- Ex-Administratorino
- From: .vic.au
- Registered: 2007-09-28
- Posts: 6,223
- Website
Re: logwatch ignore.conf not working
OK, after looking in to this... It seems that Regex is NOT accepted in the ignore.conf file. Adding the line "adjusting local clock by" by itself to the file then makes the script ignore those lines.
Is this an upstream issue or did the file that says regex patterns are matched come from Arch?
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline