[Logcheck-users] logcheck errors after logrotate runs

Dathi Oxencroft dathi@appello.net
Tue, 29 Mar 2005 19:46:29 +1000


Hi Todd,

Yes, most strange for this to arise on the upgrade. I "usually" wait for
stable, but oh well, impatient this year :o Doubt it would have made a
difference.

Logcheck is standard except for a couple of extra files monitored
(/var/log/daemon.log and /var/log/snort/portscan.log) and some trims to the
rules. Logrotate is also pretty standard with a few trims to the number of
logs kept on some files.

Data as requested:


avalon:/home/dathi# ls -l /var/lib/logcheck
total 16
-rw-------  1 logcheck logcheck 14 Mar 29 09:02 offset.var.log.auth.log
-rw-------  1 logcheck logcheck 13 Mar 29 09:02 offset.var.log.daemon.log
-rw-------  1 logcheck logcheck 13 Mar 29 01:02 offset.var.log.snort.portscan.log
-rw-------  1 logcheck logcheck 13 Mar 29 09:02 offset.var.log.syslog

avalon:/home/dathi# ls -l /var/log/syslog
-rw-r-----  1 root adm 41713 Mar 29 09:03 /var/log/syslog

avalon:/home/dathi# getent passwd logcheck
logcheck:x:107:107::/var/lib/logcheck:/bin/false

avalon:/home/dathi# groups logcheck
logcheck : logcheck adm


I deleted the offsets again so logcheck is working currently. Output of a
manually initiated logcheck -d did yield an error at the very end.

D: [1112087459] Cleanup: Removing - /tmp/logcheck.Z3H6fn
rm: cannot get current directory: Permission denied

Full debug is at http://www.appello.net/mydebug/

I will get you another debug of logcheck when it's not working at my earliest
opportunity.

Kind Regards
Dathi

On Tue, 29 Mar 2005 05:32 pm, Todd Troxell wrote:
> Hi Dathi,
>
> On Tue, Mar 29, 2005 at 07:30:57AM +1000, Dathi Oxencroft wrote:
> > Hello :)
> >
> > After upgrading recently from Woody to Sarge (which went fairly well) I
> > now have trouble with logcheck. I have been unable to track down a
> > solution.
> >
> > Logcheck runs perfectly through the week until Sunday when logrotate does
> > its thing. I immediately start getting warning emails from logcheck that
> > logfiles are not checked.
>
> Could you let me know the results of these commands:
> ls -l /var/lib/logcheck
> ls -l /var/log/syslog
> getent passwd logcheck
> groups logcheck
>
> Also, debugging output may help (logcheck -d)
>
> This is sounding like a permissions issue, but I'm curious as to how it has
> arisen.  Do you have any special configuration for logcheck/logrotate?
>
> Cheers,

--
o---------------- Dathi E Oxencroft ----- Australia ----------------:)
                    MCSA, MCP, CompTIA A+ Network+
 If one learns from others but does not think, one will be bewildered
 If one thinks but does not learn from others, one will be in peril
                                                          -Confucius
o--------- PGP key - http://www.appello.net/0x812A4FBB.txt ---------.)
