Is there a notification system for Journalctl

Hello,

I am fairly new to Linux and decided a couple of months ago to use Manjaro as the OS of my choice.

The last couple of weeks I read a few articles about systemd and journalctl and realized how crucial it is to regularly look at the logs to effectively manage and maintain my system.

This leads me to constantly ask myself, if there is a more sane way to analyze logs. Specifically, I would expect a component to exist, which monitors journalctl and notifies me upon suspicious entries (i.e. about hardware or logon attempts), which require special attention.

While reading this forum and others I stumbled across The-Compiler/journalwatch, pentix/qjournalctl and other rather outdated projects. Isn't there a popular monitoring and notification system which is capable of aggregating log entries? In order to not miss them it would also be nice if it could e-mail me about incidents or at least use the XFCE notification system to pop them up.

My NAS has this capability (Synology), so I thought that it would be a really good idea to have something similar on my computers. Or am I missing something and is it perhaps a bad idea to work with logs in this way?

This level of intelligence is not yet accomplished by Artificial Intelligence.
Humans are still more capable than PCs. This may be a good thing for us.

The best you can do for now is check (yourself) this report (or study more about Linux/systemd)

journalctl -b -p3

For explanation/reasoning check the manual

man journalctl

Get prepared (I hope not, but..) for several answers joking. Don't listen to them! :slight_smile:

3 Likes

Would we pull anyone's leg? :smiley:

Basic principle, if it works, ignore the logs, if it doesn't...

1 Like

On Ubuntu I have logwatch, which sends me a mail every day with a small report of what happened.

1 Like

I don't know of any popular program doing that, but it shouldn't be very difficult to create a simple service or a timer unit to watch the journal and act on specific entries. This is a job you must do yourself.

I configured journalctl to output its messages to TTY12.
By pressing Ctrl-Alt-F12 you can then switch to that console to read the last messages.
Another alternative is to run journalctl -b -f (-f for "follow").

1 Like

Not what I wanted to hear - perhaps what I needed to hear :\

No idea how I missed this project, will definitely give it a try today :slight_smile:

1 Like

I integrate it in my conky setup:
${execpi 3 journalctl -n5}

...now, 3 seconds delay is slow enough to see if something is immediately amiss (-n5 will show the last 5 lines.) You can also pipe the output into awk to further modify the output, playing with different colors for the timestamp versus the rest of the line. Sometimes it's a bit verbose considering the audit integration since kernel 4.18, but perhaps there's a way for awk to filter out audit entries, idk.:thinking:

2 Likes
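Added example, not part of any post in this thread: a sketch of the "simple service" suggested above that follows `journalctl -o json`, skips the audit records the conky reply found too verbose, and raises a desktop notification for failed logons and for entries at priority 3 or higher. The match patterns, the function names and the sample entries are assumptions made for illustration.

```python
import json
import re
import subprocess

MAX_PRIORITY = 3  # syslog levels 0 (emerg) to 3 (err), the same cut-off as -p3
# Assumed patterns for failed logons; adjust to the services you run.
AUTH_PATTERN = re.compile(r"authentication failure|Failed password|FAILED LOGIN", re.I)

def message_text(entry):
    msg = entry.get("MESSAGE")
    # journald emits non-UTF-8 messages as arrays of byte values
    return bytes(msg).decode("utf-8", "replace") if isinstance(msg, list) else msg or ""

def classify(entry):
    """Return 'auth', 'error' or None for one decoded journal entry."""
    if entry.get("_TRANSPORT") == "audit":
        return None  # no pop-up for audit records; they stay in the journal
    if AUTH_PATTERN.search(message_text(entry)):
        return "auth"
    try:
        priority = int(entry.get("PRIORITY", 6))
    except (TypeError, ValueError):
        priority = 6  # missing or malformed priority is treated as "info"
    return "error" if priority <= MAX_PRIORITY else None

def scan(lines):
    """Turn `journalctl -o json` lines into (kind, identifier, message) hits."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if kind := classify(entry):
            hits.append((kind, entry.get("SYSLOG_IDENTIFIER", "?"), message_text(entry)))
    return hits

# Constructed sample entries (the second mirrors a log line quoted in this thread).
SAMPLE = [
    '{"PRIORITY":"6","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Failed password for root from 192.0.2.7 port 4242 ssh2"}',
    '{"PRIORITY":"3","SYSLOG_IDENTIFIER":"kcheckpass","MESSAGE":"pam_tally(kde:auth): Error opening /var/log/faillog for read"}',
    '{"_TRANSPORT":"audit","MESSAGE":"SERVICE_START pid=1 uid=0 unit=cups res=success"}',
]

if __name__ == "__main__":
    journal = subprocess.Popen(["journalctl", "-f", "-n", "0", "-o", "json"], stdout=subprocess.PIPE, text=True)
    for line in journal.stdout:
        for kind, ident, text in scan([line]):
            # argv list and "--": log text is attacker-influenced, so no shell and no option parsing
            subprocess.run(["notify-send", "-u", "critical", "--", f"journal {kind}: {ident}", text])
```

Run it from a user session (for example as a systemd user service) so that `notify-send` can reach the XFCE notification daemon.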

I just ran journalctl -b -p3 on a freshly installed system and see

Feb 13 16:35:21 home-laptop kcheckpass[2568]: pam_tally(kde:auth): Error opening /var/log/faillog for update
Feb 13 16:35:21 home-laptop kcheckpass[2568]: pam_tally(kde:auth): Error opening /var/log/faillog for read
Feb 13 16:35:21 home-laptop kcheckpass[2568]: pam_tally(kde:setcred): Error opening /var/log/faillog for update
Feb 13 16:35:21 home-laptop kcheckpass[2568]: pam_tally(kde:setcred): Error opening /var/log/faillog for update

Should I do "Suppress error messages related to kcheckpass failing to open its logfile"?

I accept logwatch as a solution

  • The project seems to be alive
  • It aggregates nicely the log files
  • It is highly configurable
  • and it sends a summary as e-mail

I feel that this is a good solution to get more familiar with what happens everyday and it makes me feel in control of my system.

However, I am already looking into ways to integrate the results into Conky. Tried this, but the messages seem to be too verbose (or my screen too small) :slight_smile::

I will work with logwatch for now, bearing in mind that the full truth is only available in journalctl. So remember:

Thanks guys! It was really fun exploring this topic and mostly I feel like I have been pushed into the right direction by the community!

1 Like
