
I am using logcheck to monitor my Raspberry Pi, which is exposed to the internet. Since Debian 12 (bookworm), most of the log files are no longer in /var/log; instead they are gathered in the systemd journal. I would like to test my rules on the journal, but I am unable to find the command.

I was previously using commands like:

egrep -f /etc/logcheck/ignore.d.server/local-rules /var/log/*

or

logcheck-test -l /var/log/* -r /etc/logcheck/ignore.d.server/local-rules

Does anyone know how to do this on the systemd journal?

thdox
  • 101

1 Answer


What I have found so far as equivalents are:

sudo journalctl | egrep -f /etc/logcheck/ignore.d.server/local-rules

or

sudo journalctl > /tmp/journal ; sudo logcheck-test -l /tmp/journal -r /etc/logcheck/ignore.d.server/local-rules

or

sudo journalctl -u ssh > /tmp/journal1 ; sudo logcheck-test -l /tmp/journal1 -r /etc/logcheck/ignore.d.server/ssh -i > /tmp/journal2 ; sudo logcheck-test -l /tmp/journal2 -r /etc/logcheck/ignore.d.server/local-rules -i
thdox
  • 101
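As an added example (not from the question or the answer above), the same ignore-rule check can be emulated with plain grep so you can verify what a rule set would let through, and what an over-broad rule would silently hide, before relying on it. It uses a constructed sample in the syslog-style `journalctl -o short` format (other `-o` formats change the timestamp and will not match stock logcheck rules) and constructed rules; the paths and hostname are assumptions.

```sh
#!/bin/sh
# Added example: emulate "logcheck-test -l LOG -r RULES" / "egrep -f RULES LOG"
# on journal output. Lines NOT matched by any ignore rule are what logcheck reports.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample in the format `journalctl -o short` prints
# ("Mon DD HH:MM:SS host unit[pid]: msg"), which stock logcheck rules expect.
cat > "$WORK/journal" <<'EOF'
Mar 01 10:00:01 pi sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:AAAA
Mar 01 10:00:05 pi sshd[1240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar 01 10:01:00 pi CRON[1300]: (root) CMD (/usr/local/bin/backup.sh)
Mar 01 10:02:00 pi systemd[1]: Started Session 42 of user alice.
EOF

# Constructed ignore rules in logcheck's extended-regex style, one per line.
cat > "$WORK/local-rules" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [[:alnum:]]+ from [.:[:xdigit:]]+ port [[:digit:]]+ ssh2
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: \(root\) CMD \(
EOF

# A deliberately over-broad rule, to show what a careless ignore rule hides.
printf '%s\n' 'sshd' > "$WORK/too-broad"

# Print the lines that survive the ignore rules (what logcheck would mail).
unmatched_lines() {   # $1 = rules file, $2 = log file
    grep -E -v -f "$1" "$2" || true
}

# Count surviving lines; 0 means every line was ignored.
unmatched_count() {
    unmatched_lines "$1" "$2" | grep -c . || true
}

# Real usage (assumption: run with journal read access), replacing the sample:
#   journalctl -o short --since today -u ssh > "$WORK/journal"
#   unmatched_lines /etc/logcheck/ignore.d.server/local-rules "$WORK/journal"

echo "== reported with local-rules =="
unmatched_lines "$WORK/local-rules" "$WORK/journal"
echo "== reported with the over-broad rule (failed login is gone) =="
unmatched_lines "$WORK/too-broad" "$WORK/journal"
```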