[Logcheck-devel] logcheck and logrotate

[Thomas Jarosch]

Hello logcheck team,

I'm currently examining the way logcheck handles rotated logfiles after we had 
holes in our reports. Version 1.2.45 collects the logfile data in 
logoutput(). Currently it behaves like this (using "messages" as example):

- Check if the logfile size is smaller than specified in the offset file
  If yes: Check for -one- rotated file "messages.1" and append it
- Append normal logfile "messages"

This has two problems:

- If "messages" is larger than "messages.1",
  "messages.1" will not be considered for inclusion
- "messages.2" won't be handled even it is the
  start point since the last logcheck run.


There are two possible solutions:
- Have logrotate and logcheck copy/append the current "messages"
  file to some kind of "messages.logcheck" shadow file,
  which gets deleted as soon as logcheck runs.

  Downside: Waste of space and full hard discs if logcheck
  doesn't properly run for some reason.

- Implement a "mark" in the logfile which gets set after logcheck is run.
  Replace "logtail" with a shell script that searches for the mark.

  I've implemented a standalone proof-of-concept script 
  to demonstrate how this could be solved.

  Drawback: Logcheck needs to output a changing mark
  after each successful run. This is easy to do with "logger".

Let me know what you think and please CC: comments, I'm not on the list.

Best regards,
Thomas Jarosch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logcheck_rotate_fix.sh
Type: application/x-shellscript
Size: 1141 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20070313/0b8e89e2/attachment.bin