Thursday, May 24, 2007

Compacted Logwatch Mod

Recently, I ran into the VMware "rtc: lost some interrupts" issue, which was "spamming" my logs. This caused two problems. The first, which was more of an annoyance, was having huge (tens to hundreds of MBs) log files. The other was that these huge log files were making LogWatch bomb out as follows:


/etc/cron.daily/00logwatch:
postdrop: warning: uid=0: Illegal seek
sendmail: fatal: root(0): queue file write error


By default, LogWatch rolls up identical kernel messages and displays them like this:

8 Time(s): rtc: lost some interrupts at 2048Hz.


However, under Ubuntu 6.10 and 7.04 (and perhaps other versions, as well as in other distros), the log messages look like:

[1123387.327543] rtc: lost some interrupts at 2048Hz.
[1123387.347538] rtc: lost some interrupts at 2048Hz.


which LogWatch "rolls up" as:

1 Time(s): [1123387.327543] rtc: lost some interrupts at 2048Hz.
1 Time(s): [1123387.347538] rtc: lost some interrupts at 2048Hz.


Not. Very. Helpful.


To get around this, so that even if the VMware-rtc stuff (or anything else) spams my logs, the resulting LogWatch report will still be small enough to be generated and mailed to me without bombing out, I changed my /usr/share/logwatch/scripts/services/kernel script file as follows:


while (defined(my $ThisLine = <STDIN>)) {
chomp($ThisLine);
next if ($ThisLine eq '');

+ if ($ThisLine =~ /^\s*\[\s*\d+\.\d+\] (.*)$/) {
+ $ThisLine = "[*.*] " . $1;
+ }

if (
# filter out audit messages - these should be parsed by the audit
# service
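
Review bot: the pattern on the first added line requires exactly one literal space after the closing "]" ("\] (.*)$"), so a timestamped line with no space or different whitespace at that position is left unnormalized and will still be reported once per line. Using "\]\s*(.*)$" would cover those cases. The added block also has no comment saying why the timestamp is replaced with "[*.*]", which the next person editing this script would want to see.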


Now, if my logs get spammed, LogWatch will simply report:


361 Time(s): [*.*] rtc: lost some interrupts at 2048Hz.
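
The roll-up effect described above, as an added stand-alone example that is not part of the original post or of LogWatch itself: it counts identical lines from a constructed sample with and without replacing the leading timestamp. The function names (normalize, rollup, report) and the sample lines are assumptions for illustration, and the pattern here accepts any spacing after the bracket.

```perl
#!/usr/bin/perl
# Added example (not LogWatch's own code): roll up kernel messages with and
# without normalizing the leading "[seconds.micros]" timestamp.
use strict;
use warnings;

# Constructed sample input, modelled on the lines quoted in the post.
my @sample = (
    '[1123387.327543] rtc: lost some interrupts at 2048Hz.',
    '[1123387.347538] rtc: lost some interrupts at 2048Hz.',
    '[   12.004511] rtc: lost some interrupts at 2048Hz.',
    'rtc: lost some interrupts at 2048Hz.',   # no timestamp at all
    '[1123390.000001] eth0: link up',
);

# Replace a leading kernel timestamp with a fixed token so that otherwise
# identical messages compare equal. Lines without a timestamp are unchanged,
# so they are still counted separately from the "[*.*]" form.
sub normalize {
    my ($line) = @_;
    $line =~ s/^\s*\[\s*\d+\.\d+\]\s*/[*.*] /;
    return $line;
}

# Count identical lines, optionally normalizing each one first.
sub rollup {
    my ($do_normalize, @lines) = @_;
    my %count;
    for my $line (@lines) {
        next if $line eq '';
        $line = normalize($line) if $do_normalize;
        $count{$line}++;
    }
    return \%count;
}

# Print the counts in the "N Time(s): message" form, most frequent first.
sub report {
    my ($title, $count) = @_;
    print "$title\n";
    for my $msg (sort { $count->{$b} <=> $count->{$a} || $a cmp $b } keys %$count) {
        printf "  %d Time(s): %s\n", $count->{$msg}, $msg;
    }
}

report('Without normalization:', rollup(0, @sample));
report('With normalization:',    rollup(1, @sample));
```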
