logcheck fails when auth.log.1.gz missing
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
logcheck (Debian) | Fix Released | Unknown | | |
logcheck (Ubuntu) | Fix Released | Undecided | Unassigned | |
Gutsy | Fix Released | Undecided | Unassigned | |
Bug Description
Binary package hint: logcheck
Problem
=======
Stock logcheck 1.2.61 under Mythbuntu (Gutsy) fails with a misleading error message when /var/log/
Failure email (misleading):
----- cut here -----
Subject: Logcheck: <hostname> 2007-10-05 15:02 exiting due to errors
Body:
Warning: If you are seeing this message, your log files may not have been checked!
Details
=======
Could not run logtail or save output
Check temporary directory: /tmp/logcheck.
Also verify that the logcheck user can read all files referenced in
/etc/logcheck/
declare -x HOME="/
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/
declare -x PWD="/var/
declare -x SHELL="/bin/sh"
declare -x SHLVL="1"
----- cut here -----
Note the temp dir has already been removed, so telling the user to check it is useless and confusing.
Reason
======
The Perl /usr/sbin/logtail2 script's sub determine_
The actual logtail2 error is buried in $TMPDIR/
Possible Solution
=================
Instead of:
if ($rotated_filename && inode($
use something like this (NOT TESTED):
if ($rotated_filename && -e $rotated_filename \
&& inode($
Steps to Reproduce
==================
Backup your existing /var/log/auth* files!
$ date
Fri Oct 5 18:31:30 EDT 2007
$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
$ whoami
logcheck
$ logcheck -v
logcheck 1.2.61
$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120382 2007-10-05 18:17 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.
Cannot get /var/log/
$ sudo touch /var/log/
$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120850 2007-10-05 18:25 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
-rw-r--r-- 1 root root 0 2007-10-05 18:26 /var/log/
$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.
$ sudo rm /var/log/
$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120850 2007-10-05 18:25 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.
Cannot get /var/log/
TEST CASE:
1. sudo apt-get install logtail=1.2.61
2. sudo mv /var/log/
3. /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.
Cannot get /var/log/
4. sudo apt-get install logtail=
5. /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.
6. sudo mv /var/log/
In 3. an error is thrown, which should not appear in 5. anymore.
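The existence guard proposed under "Possible Solution", as an added Perl example that is not logtail2's code and not part of the original report. The sub names, the probe order of the rotated suffixes, and the temporary files are assumptions constructed for illustration.

```perl
# Added example, not logtail2's code: sub names, probe order and files are assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return a file's inode; die when it cannot be stat'ed (e.g. it is missing).
sub inode {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    return $st[1];
}

# Unguarded: stats every candidate, so one missing rotated file is fatal.
sub find_rotated_unguarded {
    my ($logfile, $old_inode, @suffixes) = @_;
    for my $suffix (@suffixes) {
        my $candidate = "$logfile$suffix";
        return $candidate if inode($candidate) == $old_inode;
    }
    return;
}

# Guarded: -e test before the inode comparison, as the report proposes.
sub find_rotated_guarded {
    my ($logfile, $old_inode, @suffixes) = @_;
    for my $suffix (@suffixes) {
        my $candidate = "$logfile$suffix";
        next unless -e $candidate;    # skip names that were never created
        return $candidate if inode($candidate) == $old_inode;
    }
    return;
}

# Constructed layout mirroring the report: auth.log and auth.log.0 exist,
# auth.log.1.gz does not.
my $dir = tempdir(CLEANUP => 1);
my $log = "$dir/auth.log";
for my $file ($log, "$log.0") {
    open(my $fh, '>', $file) or die "cannot create $file: $!\n";
    close($fh);
}
my $old_inode = inode("$log.0");     # inode remembered from before rotation
my @suffixes  = ('.1.gz', '.0');     # assumed probe order, illustration only

my $found = eval { find_rotated_unguarded($log, $old_inode, @suffixes) };
chomp(my $err = $@);
print "unguarded: ", ($err ? "died: $err" : ($found // 'no match')), "\n";
$found = find_rotated_guarded($log, $old_inode, @suffixes);
print "guarded:   ", ($found // 'no match'), "\n";
```

For a log checker the unguarded failure matters beyond the error text: the run aborts before any log lines are examined, so a missing rotated file silently stops auth.log from being reviewed until someone reads the failure mail.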
Changed in logcheck: | |
assignee: | nobody → blueyed |
status: | New → In Progress |
Changed in logcheck: | |
status: | Unknown → Fix Released |
Changed in logcheck: | |
status: | Fix Committed → Fix Released |
assignee: | nobody → blueyed |
status: | New → In Progress |
Changed in logcheck: | |
status: | In Progress → Fix Committed |
assignee: | blueyed → nobody |
status: | Fix Committed → Confirmed |
description: | updated |
See this thread: http://lists.alioth.debian.org/pipermail/logcheck-devel/2004-October/000924.html
"""
> # chown -R logcheck:logcheck /var/lib/logcheck
This resolved the issue on my box...
let me know if there is anything I can do to help find the bug...
"""