Binary package hint: logcheck
Problem
=======
Stock logcheck 1.2.61 under Mythbuntu (Gutsy) fails with a misleading error message when /var/log/auth.log.1.gz does not exist.
Failure email (misleading):
----- cut here -----
Subject: Logcheck: <hostname> 2007-10-05 15:02 exiting due to errors
Body:
Warning: If you are seeing this message, your log files may not have been checked!
Details
=======
Could not run logtail or save output
Check temporary directory: /tmp/logcheck.es2361
Also verify that the logcheck user can read all files referenced in
/etc/logcheck/logcheck.logfiles!
declare -x HOME="/var/lib/logcheck"
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="1"
----- cut here -----
Note the temp dir has already been removed, so telling the user to check it is useless and confusing.
Reason
======
The Perl /usr/sbin/logtail2 script's sub determine_rotated_logfile uses '/usr/share/logtail/detectrotate/*.dtr' to figure out where previously rotated files might be. That code seems to come up with '/var/log/auth.log.1.gz' as a file to check. But if that file does not exist, logtail2 dies with "Cannot get /var/log/auth.log.1.gz mtime: No such file or directory" and that kills logcheck, producing the error above.
The actual logtail2 error is buried in $TMPDIR/logoutput/$(basename "$file"), which is a) not shown or mentioned in the error message email and b) automatically deleted unless you're manually running logcheck -t.
Possible Solution
=================
Instead of:
if ($rotated_filename && inode($rotated_filename) == $inode) {
use something like this (NOT TESTED):
if ($rotated_filename && -e $rotated_filename
&& inode($rotated_filename) == $inode) {
Steps to Reproduce
==================
Back up your existing /var/log/auth* files!
$ date
Fri Oct 5 18:31:30 EDT 2007
$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.10
DISTRIB_CODENAME=gutsy
DISTRIB_DESCRIPTION="Ubuntu gutsy (development branch)"
$ whoami
logcheck
$ logcheck -v
logcheck 1.2.61
$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120382 2007-10-05 18:17 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.var.log.auth.log > /dev/null
Cannot get /var/log/auth.log.1.gz mtime: No such file or directory
$ sudo touch /var/log/auth.log.1.gz
[sudo] password for logcheck:
$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120850 2007-10-05 18:25 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
-rw-r--r-- 1 root root 0 2007-10-05 18:26 /var/log/auth.log.1.gz
$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.var.log.auth.log > /dev/null
$ sudo rm /var/log/auth.log.1.gz
$ ls -l /var/log/auth*
-rw-r----- 1 syslog adm 120850 2007-10-05 18:25 /var/log/auth.log
-rw-r----- 1 syslog adm 51802 2007-09-30 06:47 /var/log/auth.log.0
$ /usr/sbin/logtail2 -t -f /var/log/auth.log -o /tmp/offset.var.log.auth.log > /dev/null
Cannot get /var/log/auth.log.1.gz mtime: No such file or directory
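
The existence guard proposed under Possible Solution, as an added shell sketch that is not logtail2's own Perl code. The function names and the sample files are constructed for illustration; the inode comparison mirrors the `inode($rotated_filename) == $inode` test quoted above.

```shell
#!/bin/sh
# Added illustration; not code from logtail2. All function names are hypothetical.

# Print the inode number of a file; fail if the file cannot be read.
inode_of() {
    _out=$(ls -di -- "$1" 2>/dev/null) || return 1
    set -- $_out
    printf '%s\n' "$1"
}

# Unguarded check: a missing candidate is treated as a fatal error (status 2),
# which is the behaviour that stops the whole log check in the report.
rotated_match_unguarded() {   # args: candidate saved_inode
    ino=$(inode_of "$1") || { echo "Cannot get $1 inode" >&2; return 2; }
    [ "$ino" = "$2" ]
}

# Guarded check: a missing candidate only means "no rotated file here"
# (status 1), so the caller can go on reading the current log.
rotated_match_guarded() {     # args: candidate saved_inode
    [ -n "$1" ] && [ -e "$1" ] || return 1
    ino=$(inode_of "$1") || return 1
    [ "$ino" = "$2" ]
}

# Constructed scenario: auth.log is rotated to auth.log.0, while the
# rotation pattern guesses auth.log.1.gz, which does not exist.
demo() {
    dir=$(mktemp -d) || return 1
    echo "constructed sample line" > "$dir/auth.log"
    saved=$(inode_of "$dir/auth.log")      # inode remembered with the offset
    mv "$dir/auth.log" "$dir/auth.log.0"   # rotation keeps the inode
    : > "$dir/auth.log"                    # new log file, new inode
    u=0; rotated_match_unguarded "$dir/auth.log.1.gz" "$saved" 2>/dev/null || u=$?
    gm=0; rotated_match_guarded "$dir/auth.log.1.gz" "$saved" || gm=$?
    gf=0; rotated_match_guarded "$dir/auth.log.0" "$saved" || gf=$?
    rm -rf "$dir"
    echo "unguarded=$u guarded_missing=$gm guarded_found=$gf"
}

demo
```

Status 2 from the unguarded form corresponds to the fatal path; with the guard, the missing candidate is reported as an ordinary "no match" and a real rotated file is still recognised by its inode.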