karmic regression: logcheck prints CRON CMD lines

Bug #463471 reported by Matthias Andree
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
logcheck (Debian) | Fix Released | Unknown | |
logcheck (Ubuntu) | Fix Released | Medium | Unassigned |
  Karmic | Fix Released | Medium | Loïc Minier |
rsyslog (Ubuntu) | Confirmed | Wishlist | Unassigned |
  Karmic | Won't Fix | Undecided | Unassigned |

Bug Description

logcheck reports all logs from CRON since the switch to rsyslog; the regexp requires /usr/sbin/cron or /USR/SBIN/CRON, but rsyslog logs cron or CRON

Impact: installs with logcheck get emails very frequently (for each matching CRON log)

Bug was addressed by updating the RE to make the /usr/sbin part optional.

TEST CASE:
Install logcheck, wait for some CRON entries in your syslog, wait for logcheck's cron to run, see whether you get an email.

Regression potential: People with local changes need to merge conffiles.

THIS SRU REQUEST IS BEING TRACKED IN MAIN BUG #463471.

Trebacz (david-trebacz) wrote :

I'm also having the same issue after an upgrade to 9.10 and I use only the server profile. I'd suggest that the fix is applied to the /etc/logcheck/ignore.d.server/cron

Nov 1 06:17:01 host1 CRON[27038]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 1 06:25:01 host1 CRON[27643]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Nov 1 06:47:01 host1 CRON[29299]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ))
Nov 1 06:52:01 host1 CRON[29678]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ))
Nov 1 07:02:01 host1 CRON[30439]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)

Trebacz (david-trebacz) wrote :

The entries used to look like:

Oct 26 04:02:01 host1 /USR/SBIN/CRON[7693]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)
Oct 26 04:10:01 host1 /USR/SBIN/CRON[9302]: (root) CMD ([ -x /usr/sbin/update-motd ] && /usr/sbin/update-motd 2>/dev/null)
Oct 26 04:17:01 host1 /USR/SBIN/CRON[9999]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

Daniel Hahler (blueyed)
tags: added: karmic regression-release
Changed in logcheck (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Trebacz (david-trebacz) wrote :

The change in the 1st line in the /etc/logcheck/ignore.d.paranoid/cron file took care of my problem. I changed it from:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$

to

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$

Worked like a charm. Never realized that my version of logcheck was utilizing the paranoid ignores. There are a couple other entries in the file that have the path in them, but my routine messages don't seem to hit them - or they are still being logged with the path.

Matijs van Zuijlen (matijs) wrote :

Trebacz, as I understand it, if you use the server profile, ignores from both server and paranoid are used. So server ignores anything that paranoid ignores, and workstation ignores anything that server or paranoid ignore.

Richard Ayotte (rich-ayotte) wrote :

I get messages like the following all day long.

Nov 30 05:09:01 polarbear CRON[13941]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Nov 30 05:17:01 polarbear CRON[13973]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 30 05:39:01 polarbear CRON[14056]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Nov 30 06:02:01 polarbear CRON[14127]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)

Adding ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$ to /etc/logcheck/ignore.d.paranoid/cron fixed the problem.

Klaus Purer (klausi) wrote :

Thanks Trebacz, your solution works for me.

Loïc Minier (lool) wrote :

I think that's due to the switch to rsyslog.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logcheck - 1.3.5ubuntu1

---------------
logcheck (1.3.5ubuntu1) lucid; urgency=low

  * rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
    pathnames to cron; apparently a difference between syslog and rsyslog;
    LP: #463471.
  * rulefiles/linux/ignore.d.paranoid/sysklogd: more specific matching of
    upstream version and optional Debian/Ubuntu revision (DEBRELEASE), also
    allow all allowed chars in revision fixes matching of Ubuntu versions;
    LP: #116773.
 -- Loic Minier <email address hidden> Thu, 21 Jan 2010 23:09:45 +0100
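
The changelog entry above makes /usr/sbin/ optional in the cron ignore rule. The following added example (not part of the bug report or the logcheck package) approximates logcheck's filtering with grep -E -v on constructed log lines and compares the rule quoted earlier in the thread with an assumed path-optional form; NEW_RULE, sample_log and reported_count are illustrative names, and the rule actually shipped may differ.

```shell
#!/bin/sh
# Added example: which lines would still be reported under each ignore rule?
# OLD_RULE is the paranoid/cron rule quoted in the thread.
# NEW_RULE is an ASSUMED form of the fix (prefix made optional), not the shipped rule.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$'
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/USR/SBIN/)?CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$'

# Constructed sample log: one sysklogd-style line, two rsyslog-style lines,
# and two lines that an ignore rule for cron CMD entries must NOT suppress.
sample_log() {
cat <<'EOF'
Oct 26 04:17:01 host1 /USR/SBIN/CRON[9999]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 30 05:17:01 polarbear CRON[13973]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Nov 30 06:02:01 polarbear CRON[14127]: (logcheck) CMD (   if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)
Nov 30 06:05:12 polarbear sshd[14200]: Failed password for invalid user admin from 192.0.2.10 port 52344 ssh2
Nov 30 06:06:01 polarbear CRON[14210]: (CRON) error (grandchild #14211 failed with exit status 1)
EOF
}

# Lines that survive the ignore rule, i.e. what would end up in the report mail.
reported_lines() {
    sample_log | grep -E -v -e "$1"
}

# Number of surviving lines for a given rule.
reported_count() {
    sample_log | grep -E -v -c -e "$1"
}

echo "old rule reports $(reported_count "$OLD_RULE") lines"
echo "new rule reports $(reported_count "$NEW_RULE") lines:"
reported_lines "$NEW_RULE"
```

Running a candidate rule against both log formats plus a few lines that must stay visible, before dropping it into ignore.d.*, catches both the regression in this bug and a rule that is too broad.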

Changed in logcheck (Ubuntu):
status: Triaged → Fix Released
Loïc Minier (lool)
Changed in rsyslog (Ubuntu):
status: New → Confirmed
Changed in logcheck (Debian):
status: Unknown → New
Changed in logcheck (Debian):
status: New → Fix Released
David Kågedal (dkagedal) wrote :

Why isn't this fixed in karmic?

Ralf Hildebrandt (ralf-hildebrandt) wrote :

Because it's not a security related bug!

Loïc Minier (lool)
Changed in logcheck (Ubuntu Karmic):
status: New → In Progress
assignee: nobody → Loïc Minier (lool)
importance: Undecided → Medium
Loïc Minier (lool)
Changed in rsyslog (Ubuntu Karmic):
status: New → Won't Fix
description: updated
Loïc Minier (lool) wrote :
description: updated
Loïc Minier (lool) wrote :

@Ralf: we actually have a process to fix high impact bugs in stable releases which are not security bugs, see:
https://wiki.ubuntu.com/StableReleaseUpdates

of course we can't fix all bugs in stable releases, and we prefer focusing on bugs of the next release to have as little as possible there; the process for stable updates is a bit time consuming too (necessarily so).

John Dong (jdong) wrote :

The proposed debdiff seems to fix more than just the bug described in the test case, is this correct?

The contents look good to me, but please augment the bug description with additional testcases to describe how to test all the incorporated fixes, if applicable.

Also, version suffix ubuntu0.1 is preferred.

ACK from ubuntu-sru.

Loïc Minier (lool) wrote :

@John: the test cases are in the individual bugs being closed, as suggested by pitti.

John Dong (jdong) wrote : Re: [Bug 463471] Re: karmic regression: logcheck prints CRON CMD lines

On 2/27/10 5:29 AM, Loïc Minier wrote:
> @John: the test cases are in the individual bugs being closed, as
> suggested by pitti.
>

Thank you for the clarification. I'm all set :)

Martin Pitt (pitti) wrote : Please test proposed package

Accepted logcheck into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in logcheck (Ubuntu Karmic):
status: In Progress → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

This doesn't look like a bug in rsyslog to me, does it?

Changed in rsyslog (Ubuntu):
status: Confirmed → Invalid
Loïc Minier (lool) wrote :

Martin, I kept the rsyslog task in case we want to have 100% identical logs when switching over to rsyslog.

Martin Pitt (pitti) wrote :

Ah, thanks; reopening then.

Changed in rsyslog (Ubuntu):
status: Invalid → Confirmed
importance: Undecided → Wishlist
Loïc Minier (lool) wrote :

Worked fine in my testing

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logcheck - 1.2.69ubuntu0.1

---------------
logcheck (1.2.69ubuntu0.1) karmic-proposed; urgency=low

  * rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
    pathnames to cron; apparently a difference between syslog and rsyslog;
    LP: #463471.
  * rulefiles/linux/ignore.d.server/dhclient: match optional ip address;
    LP: #307847.
  * rulefiles/linux/ignore.d.server/ssh: add "disconnected by user" re in the
    "Received disconnect from" series; this now occurs frequently with recent
    OpenSSH clients; LP: #527669.
 -- Loic Minier <email address hidden> Thu, 25 Feb 2010 10:58:02 +0100

Changed in logcheck (Ubuntu Karmic):
status: Fix Committed → Fix Released