Comment 0 for bug 149641

JP Vossen (jp-jpsdomain) wrote :

Binary package hint: logcheck

Problem
=======
Stock logcheck 1.2.61 under Mythbuntu (Gutsy) fails with a misleading error message when /var/log/auth.log.1.gz does not exist.

Failure email (misleading):
----- cut here -----
Subject: Logcheck: <hostname> 2007-10-05 15:02 exiting due to errors
Body:
Warning: If you are seeing this message, your log files may not have been checked!

Details
=======
Could not run logtail or save output

Check temporary directory: /tmp/logcheck.es2361

Also verify that the logcheck user can read all files referenced in
/etc/logcheck/logcheck.logfiles!

declare -x HOME="/var/lib/logcheck"
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="1"
----- cut here -----

Note the temp dir has already been removed, so telling the user to check it is useless and confusing.

Reason
======
The Perl /usr/sbin/logtail2 script's sub determine_rotated_logfile uses '/usr/share/logtail/detectrotate/*.dtr' to figure out where previously rotated files might be. That code seems to come up with '/var/log/auth.log.1.gz' as a file to check. But if that file does not exist, logtail2 dies with "Cannot get /var/log/auth.log.1.gz mtime: No such file or directory" and that kills logcheck, producing the error above.

The actual logtail2 error is buried in $TMPDIR/logoutput/$(basename "$file"), which is a) not shown or mentioned in the error message email and b) automatically deleted unless you're manually running logcheck -t.

Possible Solution
=================
Instead of:
 if ($rotated_filename && inode($rotated_filename) == $inode) {

use something like this (NOT TESTED):
 if ($rotated_filename && -e $rotated_filename
   && inode($rotated_filename) == $inode) {

Steps to Reproduce
==================
Back up your existing /var/log/auth* files!

$ date
Fri Oct 5 18:31:30 EDT 2007

$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.10
DISTRIB_CODENAME=gutsy
DISTRIB_DESCRIPTION="Ubuntu gutsy (development branch)"

$ whoami
logcheck

$ logcheck -v
logcheck 1.2.61

$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120382 2007-10-05 18:17 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0

$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.var.log.auth.log > /dev/null
Cannot get /var/log/auth.log.1.gz mtime: No such file or directory

$ sudo touch /var/log/auth.log.1.gz
[sudo] password for logcheck:

$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120850 2007-10-05 18:25 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
-rw-r--r-- 1 root root 0 2007-10-05 18:26 /var/log/auth.log.1.gz

$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.var.log.auth.log > /dev/null

$ sudo rm /var/log/auth.log.1.gz

$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120850 2007-10-05 18:25 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0

$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.var.log.auth.log > /dev/null
Cannot get /var/log/auth.log.1.gz mtime: No such file or directory
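
Added example (not part of the original report and not logcheck's own code): a preflight check that runs the logtail2 test-mode command from the steps above against every file in a logcheck.logfiles-style list and prints the stderr that logcheck otherwise deletes with its temporary directory. The function name preflight_logtail is hypothetical, and the list format (one path per line, blank lines and '#' comments ignored) is an assumption.

```shell
#!/bin/sh
# preflight_logtail LOGFILES_LIST [LOGTAIL_BIN]
# Prints one "FAIL <file>: <stderr>" line per log file that logtail2
# cannot process and returns the number of failing files (0 = all good).
preflight_logtail() {
    list=$1
    logtail=${2:-/usr/sbin/logtail2}
    work=$(mktemp -d) || return 255
    failed=0
    while IFS= read -r file; do
        # Assumption: blank lines and '#' comment lines are not log files.
        case $file in ''|'#'*) continue ;; esac
        # Scratch offset file, named as in the report's reproduction
        # steps, so the offsets logcheck itself keeps are never touched.
        offset="$work/offset$(printf '%s' "$file" | tr '/' '.')"
        # -t, -f and -o are the flags used in the report. A non-zero exit
        # or any stderr output counts as a failure.
        if ! "$logtail" -t -f "$file" -o "$offset" \
                </dev/null >/dev/null 2>"$work/err" || [ -s "$work/err" ]; then
            failed=$((failed + 1))
            printf 'FAIL %s: %s\n' "$file" "$(cat "$work/err")"
        fi
    done < "$list"
    rm -rf "$work"
    return "$failed"
}
# Usage, as the logcheck user:
#   preflight_logtail /etc/logcheck/logcheck.logfiles
```

Running it as the logcheck user matters, because a file that user cannot read is the other failure the logcheck email hints at.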