[Logcheck-commits] r1624 - in logcheck/trunk: . debian docs src

zugschlus at users.alioth.debian.org zugschlus at users.alioth.debian.org
Tue Aug 7 12:41:19 UTC 2007


Author: zugschlus
Date: 2007-08-07 12:41:19 +0000 (Tue, 07 Aug 2007)
New Revision: 1624

Added:
   logcheck/trunk/debian/logtail2.docs
   logcheck/trunk/debian/logtail2.files
   logcheck/trunk/debian/logtail2.preinst
   logcheck/trunk/debian/logtail2.prerm
   logcheck/trunk/docs/logtail2.8
   logcheck/trunk/src/detectrotate/
   logcheck/trunk/src/logtail2
Modified:
   logcheck/trunk/Makefile
   logcheck/trunk/debian/changelog
   logcheck/trunk/debian/control
   logcheck/trunk/debian/rules
   logcheck/trunk/docs/README.logtail
   logcheck/trunk/src/logcheck
Log:
merge Zugschlus changes from branch
prepare upload
add myself to uploaders


Modified: logcheck/trunk/Makefile
===================================================================
--- logcheck/trunk/Makefile	2007-08-04 16:02:42 UTC (rev 1623)
+++ logcheck/trunk/Makefile	2007-08-07 12:41:19 UTC (rev 1624)
@@ -2,6 +2,7 @@
 
 CONFDIR = etc/logcheck
 BINDIR = usr/sbin
+SHAREDIR = usr/share/logtail/detectrotate
 
 install:
 	# Create the directories
@@ -9,6 +10,7 @@
 	install -d $(DESTDIR)/var/lib/logcheck
 	install -d $(DESTDIR)/usr/sbin
 	install -d $(DESTDIR)/var/lock/logcheck
+	install -d $(DESTDIR)/$(SHAREDIR)
 
 	install -m 2750 -d $(DESTDIR)/$(CONFDIR)/ignore.d.paranoid
 	install -m 2750 -d $(DESTDIR)/$(CONFDIR)/ignore.d.workstation
@@ -21,6 +23,10 @@
 	# Install the scripts
 	install -m 755 src/logcheck $(DESTDIR)/$(BINDIR)/
 	install -m 755 src/logtail $(DESTDIR)/$(BINDIR)/
+	install -m 755 src/logtail2 $(DESTDIR)/$(BINDIR)/
+	install -m 755 src/detectrotate/10-savelog.dtr $(DESTDIR)/$(SHAREDIR)/
+	install -m 755 src/detectrotate/20-logrotate.dtr $(DESTDIR)/$(SHAREDIR)/
+	install -m 755 src/detectrotate/30-logrotate-dateext.dtr $(DESTDIR)/$(SHAREDIR)/
 
 	# Install the config files
 	install -m 640 etc/logcheck.logfiles $(DESTDIR)/$(CONFDIR)
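Review bot: The three `.dtr` files are installed with mode 755, but logtail2 loads them with `do` rather than executing them, so `install -m 644` describes their role more accurately and stops advertising them as standalone commands. The man page added in this commit documents the plugin directory as `/usr/share/logtail2/detectrotate/` while `SHAREDIR` here (and the `glob` in src/logtail2) uses `usr/share/logtail/detectrotate`; one of the two should change so the drop-in instructions in README.logtail point at the directory that is actually scanned.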

Modified: logcheck/trunk/debian/changelog
===================================================================
--- logcheck/trunk/debian/changelog	2007-08-04 16:02:42 UTC (rev 1623)
+++ logcheck/trunk/debian/changelog	2007-08-07 12:41:19 UTC (rev 1624)
@@ -1,3 +1,14 @@
+logcheck (1.2.59) experimental; urgency=low
+
+  * add logtail2
+    * handles log rotation internally (with a plugin scheme)
+    * supports dateext rotation
+    * logcheck now uses logtail2
+    * the "normal" logtail is deprecated and will be removed shortly
+  * Add myself to uploaders. Thanks for allowing me to join.
+
+ -- Marc Haber <mh+debian-packages at zugschlus.de>  Tue, 07 Aug 2007 14:39:49 +0200
+
 logcheck (1.2.58) unstable; urgency=low
 
   * ignore.d.server/procmail: ignore write errors from procmail.

Modified: logcheck/trunk/debian/control
===================================================================
--- logcheck/trunk/debian/control	2007-08-04 16:02:42 UTC (rev 1623)
+++ logcheck/trunk/debian/control	2007-08-07 12:41:19 UTC (rev 1624)
@@ -2,7 +2,7 @@
 Section: admin
 Priority: optional
 Maintainer: Debian logcheck Team <logcheck-devel at lists.alioth.debian.org>
-Uploaders: Todd Troxell <ttroxell at debian.org>, Gerfried Fuchs <alfie at debian.org>, Eric Evans <eevans at debian.org>, martin f. krafft <madduck at debian.org>
+Uploaders: Todd Troxell <ttroxell at debian.org>, Gerfried Fuchs <alfie at debian.org>, Eric Evans <eevans at debian.org>, martin f. krafft <madduck at debian.org>, Marc Haber <mh+debian-packages at zugschlus.de>
 Standards-Version: 3.7.2
 Build-Depends: debhelper (>= 4.1.13), po-debconf
 Build-Depends-Indep: docbook-to-man
@@ -10,7 +10,7 @@
 
 Package: logcheck
 Architecture: all
-Depends: adduser, debconf, grep (>= 2.5.1-1), exim4 | mail-transport-agent, cron (>=3.0pl1-68), sysklogd | system-log-daemon | syslog-ng, mailx, logtail, lockfile-progs, ${misc:Depends}
+Depends: adduser, debconf, grep (>= 2.5.1-1), exim4 | mail-transport-agent, cron (>=3.0pl1-68), sysklogd | system-log-daemon | syslog-ng, mailx, logtail2, lockfile-progs, ${misc:Depends}
 Recommends: logcheck-database (>= ${source:Version})
 Suggests: syslog-summary
 Description: mails anomalies in the system logfiles to the administrator
@@ -33,6 +33,21 @@
 Architecture: all
 Depends: perl (>= 5.8.0)
 Replaces: logcheck (<= 1.1.1-9)
+Description: Print log file lines that have not been read (deprecated)
+ This program will read in a standard text file and create an
+ offset marker when it reads the end. The offset marker is read
+ the next time logtail is run and the text file pointer is moved
+ to the offset location. This allows logtail to read in the next
+ lines of data following the marker. This is good for marking log
+ files for automatic log file checkers to monitor system events.
+ .
+ This program is in the process of being replaced by logtail2, which
+ automatically handles a single instace of log rotation.
+
+Package: logtail2
+Architecture: all
+Depends: perl (>= 5.8.0)
+Replaces: logcheck (<= 1.1.1-9)
 Description: Print log file lines that have not been read
  This program will read in a standard text file and create an
  offset marker when it reads the end. The offset marker is read
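Review bot: The deprecated-logtail description has a typo, `automatically handles a single instace of log rotation` should read `instance`. The new logtail2 stanza copies `Replaces: logcheck (<= 1.1.1-9)` from logtail, but logtail2 has never been shipped inside the logcheck package, so that Replaces appears to be carried over by accident and could presumably be dropped.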
@@ -41,5 +56,13 @@
  lines of data following the marker. This is good for marking log
  files for automatic log file checkers to monitor system events.
  .
+ If logtail2 finds that the inode of the file was changed, it assumes
+ that the log has been rotated, and tries to find the file it was
+ rotated to using heuristic plugins. If it finds the file, it will
+ print the remainder of the file starting at the offset saved to the
+ offset file. If a file with the correct inode
+ was not found, logtail2 will only print the new file in its entirety
+ before writing a new offset file.
+ .
  This program is mainly used by logcheck, because it returns only
  parts of the system logfiles that have not already been checked.

Copied: logcheck/trunk/debian/logtail2.docs (from rev 1623, logcheck/branches/zugschlus200707/debian/logtail2.docs)
===================================================================
--- logcheck/trunk/debian/logtail2.docs	                        (rev 0)
+++ logcheck/trunk/debian/logtail2.docs	2007-08-07 12:41:19 UTC (rev 1624)
@@ -0,0 +1 @@
+./docs/README.logtail

Copied: logcheck/trunk/debian/logtail2.files (from rev 1623, logcheck/branches/zugschlus200707/debian/logtail2.files)
===================================================================
--- logcheck/trunk/debian/logtail2.files	                        (rev 0)
+++ logcheck/trunk/debian/logtail2.files	2007-08-07 12:41:19 UTC (rev 1624)
@@ -0,0 +1,2 @@
+usr/sbin/logtail2
+usr/share/logtail/detectrotate/*

Copied: logcheck/trunk/debian/logtail2.preinst (from rev 1623, logcheck/branches/zugschlus200707/debian/logtail2.preinst)
===================================================================
--- logcheck/trunk/debian/logtail2.preinst	                        (rev 0)
+++ logcheck/trunk/debian/logtail2.preinst	2007-08-07 12:41:19 UTC (rev 1624)
@@ -0,0 +1,38 @@
+#! /bin/sh
+# preinst script for logtail
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    install|upgrade)
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
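Review bot: The header comment says `# preinst script for logtail` although this file is `logtail2.preinst`; `# preinst script for logtail2` avoids confusion once the old package is removed. Beyond the template the script takes no action of its own, so unless something is planned for it the file could be omitted and dh_installdeb left to generate the maintainer-script skeleton.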

Copied: logcheck/trunk/debian/logtail2.prerm (from rev 1623, logcheck/branches/zugschlus200707/debian/logtail2.prerm)
===================================================================
--- logcheck/trunk/debian/logtail2.prerm	                        (rev 0)
+++ logcheck/trunk/debian/logtail2.prerm	2007-08-07 12:41:19 UTC (rev 1624)
@@ -0,0 +1,33 @@
+#! /bin/sh
+# prerm script for logtail
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <prerm> `remove'
+#        * <old-prerm> `upgrade' <new-version>
+#        * <new-prerm> `failed-upgrade' <old-version>
+#        * <conflictor's-prerm> `remove' `in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> `deconfigure' `in-favour'
+#          <package-being-installed> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    remove|failed-upgrade|upgrade|deconfigure)
+        ;;
+    *)
+        echo "prerm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0

Modified: logcheck/trunk/debian/rules
===================================================================
--- logcheck/trunk/debian/rules	2007-08-04 16:02:42 UTC (rev 1623)
+++ logcheck/trunk/debian/rules	2007-08-07 12:41:19 UTC (rev 1624)
@@ -60,6 +60,7 @@
 	dh_install debian/header.txt usr/share/logcheck
 	dh_installcron
 	dh_installman -p logtail docs/logtail.8
+	dh_installman -p logtail2 docs/logtail2.8
 	dh_installman -p logcheck docs/logcheck.8
 	dh_installchangelogs
 	dh_installdebconf

Modified: logcheck/trunk/docs/README.logtail
===================================================================
--- logcheck/trunk/docs/README.logtail	2007-08-04 16:02:42 UTC (rev 1623)
+++ logcheck/trunk/docs/README.logtail	2007-08-07 12:41:19 UTC (rev 1624)
@@ -23,10 +23,17 @@
 common effect of logfile rotation.  On the other hand a file 
 shrinking _without_ moving is a possible symptom of intruders
 covering their tracks, and triggers prominent warnings in the output.
+
+Logtail2, a different executeable, also handles log file rotation by
+guessing a file name that might have been the target of log rotation
+and printing that file's contents starting with the stored offset. If
+you have a non-standard rotation scheme, you can drop your own
+heuristic into /usr/share/logtail/detectrotate/ and have it
+automatically picked up by logtail2.
 ======================================================================
 COMMANDLINE ARGUMENTS
 ---------------------
-See logtail(8).
+See logtail(8) and logtail2(8).
 
 The first, compulsory argument is the name of the input logfile;
 unlike tail, logtail cannot use stdin! 

Copied: logcheck/trunk/docs/logtail2.8 (from rev 1623, logcheck/branches/zugschlus200707/docs/logtail2.8)
===================================================================
--- logcheck/trunk/docs/logtail2.8	                        (rev 0)
+++ logcheck/trunk/docs/logtail2.8	2007-08-07 12:41:19 UTC (rev 1624)
@@ -0,0 +1,91 @@
+.TH LOGTAIL 8 "28 Jul 2007" "Debian" "logtail2 manual"
+.SH NAME
+logtail2 \- print log file lines that have not been read
+.SH SYNOPSIS
+.B logtail2
+.RI [-t]
+.BI \-f logfile
+.RI [\-o offsetfile ]
+.SH DESCRIPTION
+.B logtail2
+reads a specified file (usually a log file) and writes
+to the standard output that part of it
+which has not been read by previous runs of
+.BR logtail2 .
+It prints the appropriate number of bytes from the end of
+.IR logfile ,
+assuming that all changes that are made to it are to add new
+characters to it. 
+.P
+.I logfile
+must be a plain file.  A symlink is not allowed.
+.P
+.B logtail2
+stores the information about how much of it has already been read
+in a separate file called
+.IR offsetfile .
+.I offsetfile
+can be omitted.  If omitted, the file named
+.I logfile.offset
+in the same directory which contains
+.I logfile
+is used by default.
+.P
+If
+.I offsetfile
+is not empty, the inode of
+.I logfile
+is checked.  If the inode is changed,
+.B logtail2
+uses the heuristics stored in
+.I /usr/share/logtail2/detectrotate/
+to find a file that might be the rotated
+.I logfile
+and prints it starting with the stored offset. It then proceeds to
+simply print the entire new
+.I file
+and generates a new
+.I offsetfile.
+If the inode is not changed but
+.I logfile
+is shorter than it was at the last run of
+.BR logtail2 ,
+it writes a warning message to the standard output.
+.SH OPTIONS
+.TP
+.B \-f
+.I logfile 
+to be read after offset
+.TP
+.B \-o
+.I offsetfile 
+stores offset of previous run
+.TP
+.B \-t
+test mode - do not change offset in
+.I offsetfile
+.SH RETURN VALUES
+.IP 0
+successful
+.IP 65
+cannot get the size of
+.IR logfile
+.IP 66
+general file or directory access issue
+.IP 73
+cannot write
+.I offsetfile
+.SH AUTHOR
+The original
+.B logtail
+was written in C by Craig H. Rowland <crowland at psionic.com>.
+This version of
+.B logtail
+is a modification of Paul Slootman's re-implementation in perl.
+enhanced by the Debian Logcheck Team <logcheck-devel at lists.alioth.debian.org>.
+.P
+This manual was written by Oohara Yuuma <oohara at libra.interq.or.jp>
+and enhanced by the Debian Logcheck Team
+<logcheck-devel at lists.alioth.debian.org>..
+.SH SEE ALSO
+.BR logcheck (8)

Copied: logcheck/trunk/src/detectrotate (from rev 1623, logcheck/branches/zugschlus200707/src/detectrotate)

Modified: logcheck/trunk/src/logcheck
===================================================================
--- logcheck/trunk/src/logcheck	2007-08-04 16:02:42 UTC (rev 1623)
+++ logcheck/trunk/src/logcheck	2007-08-07 12:41:19 UTC (rev 1624)
@@ -73,7 +73,7 @@
 STATEDIR="/var/lib/logcheck"
 LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
 LOGFILE_FALLBACK="/var/log/syslog"
-LOGTAIL="/usr/sbin/logtail"
+LOGTAIL="/usr/sbin/logtail2"
 CAT="/bin/cat"
 SYSLOG_SUMMARY="/usr/bin/syslog-summary"
 
@@ -418,30 +418,7 @@
     debug "logoutput called with file: $file"
     if [ -f "$file" ]; then
 	offsetfile="$STATEDIR/offset$(echo $file | tr / .)"
-	if [ -s "$offsetfile" -a -r "$offsetfile" ]; then
-	    if [[ $(wc -c < "$file") -lt $(tail -n 1  "$offsetfile") ]]; then
-	        # assume the log is rotated by savelog(8)
-		# syslog-ng leaves old files here
-		if [ -e "$file.0" -a "$file.0" -nt "$file.1.gz" ]; then
-		    debug "Running logtail on rotated: $file.0"
-		    $LOGTAIL -f "$file.0" -o "$offsetfile" $LOGTAIL_OPTS > \
-			$TMPDIR/logoutput/$(basename "$file") 2>&1 \
-			|| error "Could not run logtail or save output"
-		    rm -f "$offsetfile" \
-		        || error "Could not remove $offsetfile"
-		# assume the log is rotated by logrotate(8)
-		# should also probably check if file is still fresh
-		elif [ -e "$file.1" ]; then
-		    debug "Running logtail on rotated: $file.1"
-		    $LOGTAIL -f "$file.1" -o "$offsetfile" $LOGTAIL_OPTS > \
-			$TMPDIR/logoutput/$(basename "$file") 2>&1 \
-			|| error "Could not run logtail or save output"
-		    rm -f "$offsetfile" \
-		        || error "Could not remove $offsetfile"
-		fi
-	    fi
-	fi
-	debug "Running logtail: $file"
+	debug "Running $LOGTAIL on $file"
 	$LOGTAIL -f "$file" -o "$offsetfile" $LOGTAIL_OPTS \
 	    >> $TMPDIR/logoutput/$(basename "$file") 2>&1 \
 	    || error "Could not run logtail or save output"
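Review bot: The simplified `logoutput` now hands the existing `$offsetfile` in `$STATEDIR` straight to logtail2, which parses it as an inode line followed by an offset line; if the offset files written by the old logtail use a different layout, the first run after the upgrade would misread them, so this is worth confirming against the old logtail before the upload. The failure message still reads `Could not run logtail or save output` even though `$LOGTAIL` now points at logtail2; `error "Could not run $LOGTAIL or save output"` names whichever binary is configured. The body of logoutput continues outside the hunk.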

Copied: logcheck/trunk/src/logtail2 (from rev 1623, logcheck/branches/zugschlus200707/src/logtail2)
===================================================================
--- logcheck/trunk/src/logtail2	                        (rev 0)
+++ logcheck/trunk/src/logtail2	2007-08-07 12:41:19 UTC (rev 1624)
@@ -0,0 +1,202 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2003 Jonathan Middleton <jjm at ixtab.org.uk
+# Copyright (C) 2001 Paul Slootman <paul at debian.org>
+
+# This file is part of Logcheck.
+
+# Logcheck is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# Logcheck is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with Logcheck; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+use strict;
+use warnings;
+my ($size, $logfile, $offsetfile);
+use Getopt::Std;
+use File::Basename;
+my %opts = ();
+
+# process args and switches
+my ($TEST_MODE) = 0;
+getopts("f:o:t", \%opts);
+
+# try to detect plain logtail invocation without switches
+if (!$opts{f} && $#ARGV != 0 && $#ARGV != 1) {
+   print STDERR "No logfile to read. Use -f [LOGFILE].\n";
+   exit 66;
+} elsif ($#ARGV == 0) {
+   $logfile = $ARGV[0];
+} elsif ($#ARGV == 1) {
+   ($logfile, $offsetfile) = ($ARGV[0], $ARGV[1]);
+} else {
+   ($logfile, $offsetfile) = ($opts{f}, $opts{o});
+}
+
+if ($opts{t}) {
+    $TEST_MODE = 1;
+}
+
+
+sub print_from_offset {
+    my ($filename, $offset) = @_;
+    # this subroutine prints the contents of the file named $filename,
+    # starting offset $offset.
+    #print "print_from_offset $filename, $offset\n";
+    unless (open(LOGFILE, $filename)) {
+        print STDERR "File $logfile cannot be read: $!\n";
+        exit 66;
+    }
+
+    seek(LOGFILE, $offset, 0);
+
+    while (<LOGFILE>) {
+        print $_;
+    }
+
+    $size = tell LOGFILE;
+    close LOGFILE;
+    return $size;
+}
+
+sub mtime {
+    my ($filename) = @_;
+    my $mtime = 0;
+    unless (-e $filename && ($mtime = ((stat($filename))[8])) ) {
+	print STDERR "Cannot get $filename mtime: $!\n";
+	exit 65;
+    }
+    return $mtime;
+}
+
+sub inode {
+    my ($filename) = @_;
+    my $inode = 0;
+    unless (-e $filename && ($inode = ((stat($filename))[1])) ) {
+	print STDERR "Cannot get $filename inode: $!\n";
+	exit 65;
+    }
+    return $inode;
+}
+
+sub get_directory_contents {
+    my ($filename) = @_;
+    my $dirname = dirname($filename);
+    unless (opendir(DIR, $dirname)) {
+	print STDERR "Cannot open directory $dirname: $!\n";
+	exit 65;
+    }
+    my @direntries = readdir(DIR);
+    closedir DIR;
+    return @direntries;
+}
+
+sub determine_rotated_logfile {
+    my ($filename,$inode) = @_;
+    my $rotated_filename;
+    # this subroutine tries to guess to where a given log file was
+    # rotated. Its magic is mainly taken from logcheck's logoutput()
+    # function with dateext magic added.
+    
+    #print "determine_rotated_logfile $filename $inode\n";
+    for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
+        my $func = do $codefile;
+        if (!$func) {
+	    print STDERR "cannot compile $codefile: $!";
+	    exit 68;
+	}
+        $rotated_filename = $func->($filename);
+	last if $rotated_filename;
+    }
+    #if ($rotated_filename) {
+    #  print "rotated_filename $rotated_filename (". inode($rotated_filename). ")\n";
+    #} else {
+    #  print "no rotated file found\n";
+    #}
+    if ($rotated_filename && inode($rotated_filename) == $inode) {
+      return $rotated_filename;
+    } else {
+      return "";
+    }
+}
+
+if (! -f $logfile) {
+    print STDERR "File $logfile cannot be read: $!\n";
+    exit 66;
+}
+unless ($offsetfile) {
+    # offsetfile not given, use .offset/$logfile in the same directory
+    $offsetfile = $logfile . '.offset';
+}
+
+my ($inode, $ino, $offset) = (0, 0, 0);
+
+if ($offsetfile) {
+    # If offset file exists, open and parse it.
+    if (open(OFFSET, $offsetfile)) {
+        $_ = <OFFSET>;
+        if (defined $_) {
+       	    chomp $_;
+	    $inode = $_;
+	    $_ = <OFFSET>;
+	    if (defined $_) {
+	        chomp $_;
+	        $offset = $_;
+	    }
+        }
+    }
+    
+    # determine log file inode and size
+    unless (($ino,$size) = (stat($logfile))[1,7]) {
+        print STDERR "Cannot get $logfile file size: $!\n";
+        exit 65;
+    }
+
+    if ($inode == $ino) {
+	# inode is still the same
+        exit 0 if $offset == $size; # short cut
+        if ($offset > $size) {
+            $offset = 0;
+            print "***************\n";
+            print "*** WARNING ***: Log file $logfile is smaller than last time checked!\n";
+            print "*************** This could indicate tampering.\n";
+        }
+    }
+
+    if ($inode != $ino) {
+	# this is the interesting case: inode has changed.
+	# So the file might have been rotated. We need to print the 
+	# entire file.
+        # Additionally, we might want to see whether we can find the
+	# previous instance of the file and to process it from here.
+	#print "inode $inode, ino $ino\n";
+	my $rotatedfile = determine_rotated_logfile($logfile,$inode);
+	if ( $rotatedfile ) {
+	  print_from_offset($rotatedfile,$offset);
+	}
+	# print the actual file from beginning
+        $offset = 0;
+    }
+}
+
+$size = print_from_offset($logfile,$offset);
+
+# update offset, unless test mode
+unless ($TEST_MODE) {
+    unless (open(OFFSET, ">", $offsetfile)) {
+        print STDERR "File $offsetfile cannot be created. Check your permissions: $!\n";
+        exit 73;
+    }
+    print OFFSET "$ino\n$size\n";
+    close OFFSET;
+}
+exit 0;
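Review bot: `print_from_offset` opens the log with the two-argument form `open(LOGFILE, $filename)`, and the offset file is read the same way, so a name beginning with `>` or `|` or ending with `|` is interpreted as a mode or a pipe; since the rotated name is whatever a `.dtr` plugin picks out of a directory listing, both should be three-argument opens such as `open(my $fh, '<', $filename)`, and the error message in that sub interpolates `$logfile` where it means `$filename`. The plugin loader prints `cannot compile $codefile: $!`, but a compile failure of `do FILE` is reported in `$@` (`$!` is only set when the file cannot be read), and a plugin that loads but returns something other than a code ref is called unchecked. The manual page added in this commit states that a symlink is not allowed for `logfile`, yet the only check is `-f $logfile`, which follows symlinks; either add `-l` to the test or drop the claim. When the inode changed and no rotated candidate matches, the new file is printed with no warning, unlike the shrunk-file case; a removed-and-recreated log looks identical, so a warning here seems worth considering, although it would also fire after a compressed rotation.
```perl
sub print_from_offset {
    my ($filename, $offset) = @_;
    # three-argument open: the name is never parsed for a mode or a pipe,
    # which matters because rotated names come from plugin guesses
    open(my $fh, '<', $filename) or do {
        print STDERR "File $filename cannot be read: $!\n";
        exit 66;
    };
    seek($fh, $offset, 0);
    while (<$fh>) {
        print $_;
    }
    $size = tell $fh;
    close $fh;
    return $size;
}

# … unchanged: mtime, inode, get_directory_contents …

    for my $codefile (glob("/usr/share/logtail/detectrotate/*.dtr")) {
        my $func = do $codefile;
        # do() leaves a compile error in $@ and a read error in $!
        unless (ref $func eq 'CODE') {
            print STDERR "cannot load $codefile: "
                . ($@ || $! || "plugin did not return a code ref") . "\n";
            exit 68;
        }
        # … unchanged: call the plugin, stop at the first candidate …
```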



