[Logcheck-devel] logtail ignoring information in rotated logs

Joel Williams joel+logcheck at tristesse.org
Wed Nov 10 16:28:15 UTC 2004


Hi gang,

While writing a script that uses logtail, I noticed that logtail assumes
nothing interesting happened between its last invocation and the
rotation, which means that exciting bits of data could be lost.

This seems a bit dodgy (correct me if I'm wrong about how it works!) so
I made a dodgy patch to logtail that checks for the existence of
$logfile.0, which on Debian seems to always be created for the
interesting stuff in /var/log.  If it exists and its inode matches that
in the state file, dump out any changes and then carry on with the new
file. This approach seems a little messy, but it works for me.

From the discussion in bug #271410, I understand that logcheck does much
the same thing in logoutput(), so this is not really a fault with the
whole package, but it seems more logical to me to perform the check in
logtail itself, especially as other people don't seem to have considered
the implications. The fiaif package, for example, includes a script
(fiaif-scan) that invokes logtail to examine syslog, but does not check
rotated logs.

Joel


--- /usr/sbin/logtail   2004-09-23 06:06:24.000000000 +0930
+++ logtailng.pl        2004-11-11 02:10:55.000000000 +1030
@@ -21,7 +21,7 @@

 use strict;
 use warnings;
-my ($size);
+my ($size, $rotsize);
 use Getopt::Std;
 my %opts = ();

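Review bot: `$rotsize` is declared on the `my ($size)` line here, between two `use` statements, while its companion `$rotatedino` is added to the initialisation list in the next hunk; both are used only inside the new rotated-log block, so declaring them together with `my` at the top of that block would keep the change in one place and avoid two unrelated declaration lines drifting apart.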
@@ -52,7 +52,7 @@
     exit 66;
 }

-my ($inode, $ino, $offset) = (0, 0, 0);
+my ($inode, $ino, $offset, $rotatedino) = (0, 0, 0, 0);

 unless (not $offsetfile) {
     if (open(OFFSET, $offsetfile)) {
@@ -82,6 +82,22 @@
             print "*************** This could indicate tampering.\n";
         }
     }
+
+    # Check for the existence of a rotated log
+
+    if ((undef,$rotatedino,undef,undef,undef,undef,undef,$rotsize) = stat "$logfile.0") {
+        if ($inode == $rotatedino && $offset < $rotsize) {
+            unless (open(LOGFILEROT, "$logfile.0")) {
+               print "File $logfile.0 cannot be read.\n";
+               exit 66;
+            }
+            seek(LOGFILEROT, $offset, 0);
+            while (<LOGFILEROT>) {
+                print $_;
+            }
+            close LOGFILEROT;
+        }
+    }
     if ($inode != $ino || $offset > $size) {
         $offset = 0;
     }
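Review bot: the recovery only fires when `$inode == $rotatedino && $offset < $rotsize`, i.e. when the file recorded in the state file is now exactly `$logfile.0`; in every other rotation case (two rotations since the last run, a copytruncate-style rotation that keeps the live inode and gives the copy a new one, a different suffix) the block is skipped and the `if ($inode != $ino || $offset > $size) { $offset = 0; }` below silently discards whatever was appended after the saved offset, which is the very gap this patch sets out to close. Suggest an `else` branch printing a warning in the style of the existing `*************** This could indicate tampering.` lines so a calling script can tell "nothing was lost" from "unknown lines skipped". A smaller point: `exit 66` when `$logfile.0` cannot be opened aborts the run before the live log is read at all; printing the message and falling through to the normal path would degrade more gracefully.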
