Bug#296096: [Logcheck-devel] Bug#296096: logcheck shows the same month old logs again and again

maximilian attems debian at sternwelten.at
Sat Mar 5 14:50:40 UTC 2005


clone 296096
reassign -1 syslog-ng
severity -1 minor
retitle -1 syslog-ng logrotate conf leaves old syslog file
thanks

On Sat, 26 Feb 2005, CAiRO wrote:

> maximilian attems wrote on Sat, 26.02.2005:
> > tags 296096 moreinfo
> > thanks
> > 
> > On Sun, 20 Feb 2005, CAiRO wrote:
> > 
> > > Package: logcheck
> > > Version: 1.2.34
> > > Severity: normal
> > > 
> > > With the normal logcheck emails I constantly get the same reports
> > > about month old events that are long ago (and have already been
> > > reported several times). It seems it can't remember what it has
> > > reported already and what not.
> > > 
> > 
> > sounds like your file doesn't get rotated. (laptop or whatever)
> 
> Ok, I've done some further investigation. The problem seems to be caused
> by installing syslog-ng which changes the logrotate configuration of
> /var/log/syslog to _not_ delay compress anymore. This way, there's an
> old /var/log/syslog.0 file left which doesn't get cycled anymore.
> 
> > logcheck remails a file if the inode of the file changes,
> > then it can no longer assume to have the same file to check
> > with previous offset.
> 
> Though, the modification time of /var/log/syslog.0 is Dec 13th and it
> contains all the lines logcheck reports again and again in the daily
> 'System Events' emails.
> 
> ls -lc syslog*
> -rw-r-----  1 root adm  95K Feb 26 14:16 syslog
> -rw-r-----  1 root adm 347K Dec 13 06:27 syslog.0
> -rw-r-----  1 root adm  21K Feb 26 06:29 syslog.1.gz
> -rw-r-----  1 root adm  25K Feb 26 06:29 syslog.2.gz
> -rw-r-----  1 root adm  44K Feb 26 06:29 syslog.3.gz
> -rw-r-----  1 root adm  23K Feb 26 06:29 syslog.4.gz
> -rw-r-----  1 root adm  32K Feb 26 06:29 syslog.5.gz
> -rw-r-----  1 root adm  31K Feb 26 06:29 syslog.6.gz
> -rw-r-----  1 root adm  28K Feb 26 06:29 syslog.7.gz
> 
> Since the syslog.0 hasn't changed and since logcheck reports lines from
> it (not all lines, just the first half of the file) again and again I
> still think there's some kind of problem.
> 
> 
> > how often does that happen?
> 
> It happens daily with the 'System Events' emails.
> 
> > do you have a separate dir of logcheck messages?
> > could you send a typical example.
> > what filesystem are you using? (nfs, afs,..)?
> 
> What do you mean by separate dir of logcheck messages?
> 
> Example excerpt from one of the logcheck emails:
> 
> From: logcheck at domains-und-mehr.de
> To: root at domains-und-mehr.de
> Subject: domains-und-mehr 2005-02-23 07:02 System Events
> 
>  This email is sent by logcheck. If you wish to no-longer receive it,
>  you can either deinstall the logcheck package or modify its
>  configuration file (/etc/logcheck/logcheck.conf).
> 
>  System Events
>  =-=-=-=-=-=-=
>  Dec 12 13:35:01 domains-und-mehr courierpop3login: LOGIN FAILED,
> ip=[::ffff:80.131.150.179] 
>  Dec 12 13:35:01 domains-und-mehr courierpop3login: LOGOUT,
> ip=[::ffff:80.131.150.179]
>  Dec 12 16:50:09 domains-und-mehr proftpd[16952]:
> domains-und-mehr.de(ACB248D9.ipt.aol.com[172.178.72.217]) - no such user
> 'anonymous'
>  Dec 12 17:08:05 domains-und-mehr proftpd[17634]:
> domains-und-mehr.de
> 
> 
> The file system on the server is ext3 with stock kernel 2.4.27 and
> syslog-ng and logcheck from testing.
> 
> Thanks for your help!
> 
> 
> regards, 
> 
> 	CAiRO

ok i guess logcheck should detect that strange situation,
therefore also keeping the bug for logcheck.

i see a similar situation on my laptop,
but strangely didn't get those duplicate logcheck mails.


# ls -l /var/log/syslog*
-rw-r-----  1 root        adm      8597785 2005-03-05 15:39 syslog
-rw-r-----  1 root        adm        94909 2004-05-13 06:39 syslog.0
-rw-r-----  1 root        adm       201773 2004-11-07 06:48 syslog.1.gz


cloning the bug to syslog-ng
as it would be cooler if syslog-ng could get rid of
such old logs when getting installed.
(no idea if a logrotate conf could do that).


--
maks


ps please keep cc of bug report,
   that private message may have got lost..
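
Added example, not part of the original message and not logcheck or syslog-ng code: one way to spot the situation in the two listings above, where an uncompressed syslog.0 is older than the higher-numbered syslog.1.gz next to it. The function names and the sample ages are hypothetical, and it assumes file mtimes reflect the last write to each generation.

```python
import os
import re
import tempfile
import time

# Matches logrotate-style names: syslog.0, syslog.1.gz, ...
ROTATED = re.compile(r"^(?P<base>.+?)\.(?P<gen>\d+)(?:\.gz)?$")

def find_orphaned_rotations(log_dir):
    """Return (stale_path, newer_path) pairs where a lower-numbered
    generation was last modified before a higher-numbered one."""
    chains = {}
    for entry in os.scandir(log_dir):
        m = ROTATED.match(entry.name)
        if m and entry.is_file(follow_symlinks=False):
            mtime = entry.stat(follow_symlinks=False).st_mtime
            chains.setdefault(m["base"], []).append(
                (int(m["gen"]), mtime, entry.path))
    orphans = []
    for members in chains.values():
        members.sort()
        for i, (gen, mtime, path) in enumerate(members):
            # In a healthy chain, generation N is newer than N+1, N+2, ...
            newer = [p for g, t, p in members[i + 1:] if g > gen and t > mtime]
            if newer:
                orphans.append((path, newer[0]))
    return sorted(orphans)

def build_sample(log_dir, stale=True):
    """Constructed sample mirroring the listings in this thread."""
    now, day = time.time(), 86400
    ages = {
        "syslog": 0,
        "syslog.0": (296 if stale else 1) * day,  # leftover vs. healthy
        "syslog.1.gz": 2 * day,
        "syslog.2.gz": 3 * day,
    }
    for name, age in ages.items():
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed sample line\n")
        os.utime(path, (now - age, now - age))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for stale, newer in find_orphaned_rotations(d):
            print(os.path.basename(stale), "is older than",
                  os.path.basename(newer))
```

A file reported here is no longer part of the rotation cycle, so a log checker that still reads it will keep finding the same old lines.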