Man page - logcheck-test(1)

Packages contains this manual

Package:  logcheck
apt-get install logcheck

Manuals in package:
• logcheck-test(1)
• logcheck(8)
Documentations in package:
• logcheck

Manual

logcheck-test

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
EXAMPLES
EXIT STATUS
SEE ALSO
AUTHOR

---

NAME

logcheck-test - test new logcheck rules easily

SYNOPSIS

logcheck-test [ -q | -i ] [ -a | -s | -l FILE ] [ -e ] [ -P PREFIX ] [ -S SUFFIX ] RULE
logcheck-test [ -q | -i ] [ -a | -s | -l FILE ] -r RULEFILE

DESCRIPTION

logcheck-test parses a log file for matching lines specified by a single rule or a rule file. If using a single RULE you can set a PREFIX and a SUFFIX to write new rules easily.

OPTIONS

-h, --help

Show usage information

-a, --auth.log

Parse /var/log/auth.log for matching lines

-s, --syslog

Parse /var/log/syslog for matching lines

-l, --log-file FILE

Parse FILE for matching lines

-i, --invert-match

Show line that don’t match the RULE or the RULEFILE

-q, --quiet

Suppress rule summary at the end of output

-e, --surround-rule

Surround RULE with standard prefix and suffix:

ˆ[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ RULE $

-P, --append-prefix PREFIX

Append PREFIX to rule prefix. Option can be given multiple times

-S, --prepend-suffix SUFFIX

Prepend SUFFIX to rule suffix. Option can be given multiple times

-r, --rule-file RULEFILE

Use file RULEFILE for rule input

EXAMPLES

With logcheck-test you can easily write and test new rules.

Test a single rule against /var/log/syslog:

logcheck-test -s "RULE"

Test a single rule against ˜/log, surround the rule with standard prefix and suffix and append "kernel " to prefix:

logcheck-test -l ˜/log -e -P "kernel " "RULE"

Test the rules in rulefiles/linux/ignore.d.server/kernel against ˜/log:

logcheck-test -l ˜/log -r rulefiles/linux/ignore.d.server/kernel

Test which lines the rules in rulefiles/linux/ignore.d.server/kernel doesn’t match:

logcheck-test -l ˜/log -r rulefiles/linux/ignore.d.server/kernel -i

EXIT STATUS

On successful matching logcheck-test will complete with exit code 0. An exit code of 1 indicates no successful matching.

An exit code greater then 1 indicates an error occurred. Textual errors are written to the standard error stream.

SEE ALSO

logcheck (8)

AUTHOR

logcheck is developed by Debian logcheck Team at: https://salsa.debian.org/debian/logcheck. This manual was written by Hannes von Haugwitz <hannes@vonhaugwitz.com>.

---