File: logcheck-test.1

.TH logcheck-test 1 "Feb 19, 2010"
.SH NAME
logcheck-test \- test new logcheck rules easily
.SH SYNOPSIS
.B logcheck\-test
.RB [ \-q | \-i ]
.RB [ \-a | \-s | \-l
.IR FILE ]
.RB [ \-e ]
.RB [ \-P
.IR PREFIX ]
.RB [ \-S
.IR SUFFIX ]
.I RULE
.br
.B logcheck\-test
.RB [ \-q | \-i ]
.RB [ \-a | \-s | \-l
.IR FILE ]
.B \-r
.I RULEFILE
.
.SH DESCRIPTION
.B logcheck-test
parses a log file for matching lines specified by a single rule or a rule file. If using a single
.I RULE
you can set a
.I PREFIX
and a
.I SUFFIX
to write new rules easily.

.SH OPTIONS
.TP
.B \-h, \-\-help
Show usage information
.TP
.B \-a, \-\-auth.log
Parse /var/log/auth.log for matching lines
.TP
.B \-s, \-\-syslog
Parse /var/log/syslog for matching lines
.TP
.B \-l, \-\-log\-file FILE
Parse FILE for matching lines
.TP
.B \-i, \-\-invert\-match
Show lines that don't match the RULE or the RULEFILE
.TP
.B \-q, \-\-quiet
Suppress rule summary at the end of output
.TP
.B \-e, \-\-surround\-rule
Surround RULE with standard prefix and suffix:

^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+
.IR RULE $
.TP
.B \-P, \-\-append\-prefix PREFIX
Append PREFIX to rule prefix. Option can be given multiple times
.TP
.B \-S, \-\-prepend\-suffix SUFFIX
Prepend SUFFIX to rule suffix. Option can be given multiple times
.TP
.B \-r, \-\-rule\-file RULEFILE
Use file RULEFILE for rule input
.SH EXAMPLES
With
.B logcheck-test
you can easily write and test new rules.
.PP
Test a single rule against /var/log/syslog:
.RS
.fam C
logcheck-test \-s "RULE"
.fam T
.RE

.PP
Test a single rule against ~/log, surround the rule with standard prefix and suffix and append "kernel " to prefix:
.RS
.fam C
logcheck-test \-l ~/log \-e \-P "kernel " "RULE"
.fam T
.RE

.PP
Test the rules in rulefiles/linux/ignore.d.server/kernel against ~/log:
.RS
.fam C
logcheck-test \-l ~/log \-r rulefiles/linux/ignore.d.server/kernel
.fam T
.RE

.PP
Test which lines the rules in rulefiles/linux/ignore.d.server/kernel don't match:
.RS
.fam C
logcheck-test \-l ~/log \-r rulefiles/linux/ignore.d.server/kernel \-i
.fam T
.RE

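.PP
The following is an added example, not part of the logcheck package: it rebuilds the full regular expression that \-e, \-P and \-S produce from a RULE (standard prefix, then PREFIX, then RULE, then SUFFIX, then $, as the option descriptions state) and runs it with grep \-E over a few constructed log lines, so a rule can be checked without logcheck-test installed. The sample log lines, the hostname "host1" and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not logcheck's own code): rebuild the regex that
# "logcheck-test -e -P PREFIX -S SUFFIX RULE" tests and run it with grep -E.

# Standard prefix and suffix used by -e, as documented in OPTIONS
# (the prefix ends with the space that separates the hostname field).
STD_PREFIX='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ '
STD_SUFFIX='$'

# build_rule RULE [PREFIX] [SUFFIX]: PREFIX is appended to the standard
# prefix, SUFFIX is prepended to the standard suffix (mirrors -P / -S).
build_rule() {
    printf '%s%s%s%s%s' "$STD_PREFIX" "${2:-}" "$1" "${3:-}" "$STD_SUFFIX"
}

# Constructed sample log (assumed content; hostname field is "host1").
SAMPLE_LOG='Feb 19 10:00:01 host1 kernel: usb 1-1: new high-speed USB device
Feb 19 10:00:02 host1 sshd[1234]: Failed password for root from 203.0.113.9 port 2222 ssh2
Feb 19 10:00:03 host1 kernel: usb 1-1: USB disconnect
Feb 19 10:00:04 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)'

# count_matches RULE [PREFIX] [SUFFIX]: number of sample lines the full rule
# matches, i.e. the lines logcheck would drop if this were an ignore rule.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec "$(build_rule "$@")" || true
}

# count_unmatched RULE [PREFIX] [SUFFIX]: lines that survive the rule,
# which is what -i (--invert-match) shows.
count_unmatched() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Evc "$(build_rule "$@")" || true
}

# rule_matches RULE [PREFIX] [SUFFIX]: exit 0 if any line matches, 1 if none,
# the same convention as the EXIT STATUS section describes.
rule_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Eq "$(build_rule "$@")"
}

# Example run: an ignore rule for the two USB kernel messages.
build_rule 'usb 1-1: .*' 'kernel: '; echo
echo "matched: $(count_matches 'usb 1-1: .*' 'kernel: ') unmatched: $(count_unmatched 'usb 1-1: .*' 'kernel: ')"
```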
.SH "EXIT STATUS"
On successful matching
.B logcheck-test
will complete with exit code 0. An exit code of 1 indicates no successful matching.
.PP
An exit code greater than 1 indicates an error occurred. Textual errors are written to the standard error stream.
.SH "SEE ALSO"
\fBlogcheck\fR(8)
.SH "AUTHOR"
logcheck is developed by the Debian logcheck Team at:
https://salsa.debian.org/debian/logcheck. This manual was written by Hannes von Haugwitz <hannes@vonhaugwitz.com>.