Apologies, but I have to correct/improve myself on the previous comment.
I have a feeling I was running an older version of logcheck.
If I run logcheck from cron with full path (certainly the Ubuntu version) like this:
sudo -u logcheck /usr/sbin/logcheck -op
(given that I add /usr/bin/logcheck to /etc/sudoers with NOPASSWD)
or alternatively:
Add a setuid logcheck to /usr/sbin/logcheck:
sudo chown logcheck /usr/sbin/logcheck
chmod u+s /usr/sbin/logcheck
Then, the offset files get created/updated under: /var/lib/logcheck/offset.var.log.<filename>
and the 'touch/chown' fix (step 2 above) is not necessary.
It is all hairy, but overall, the setuid checklog, setgid adm looks like the cleanest solution.
What is required is for all of the 3 conditions to be true:
- /usr/sbin/logcheck can read all its configs under /etc/logcheck/*/*
- /usr/sbin/logtail can write offset files under /var/lib/logcheck/*
- /usr/sbin/logtail can read files under /var/log (some of which are user:group root:adm and not world readable)
Sorry.
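
The three conditions listed in the comment above can be checked directly from the account logcheck runs under. This is an added example, not part of the original comment or of logcheck itself; the `check_logcheck_access` and `fail` functions and the ROOT argument are hypothetical names, and it assumes the monitored logs are listed one per line in /etc/logcheck/logcheck.logfiles.

```shell
#!/bin/sh
# Added example, not part of logcheck. Run as the logcheck account, e.g.:
#   sudo -u logcheck sh logcheck_access.sh
# Assumption: logs are listed in /etc/logcheck/logcheck.logfiles.
# The optional ROOT prefix argument only exists to try this on a scratch tree.

fail() {
    echo "FAIL $1: $2"
    LOGCHECK_FAILS=$((LOGCHECK_FAILS + 1))
}

check_logcheck_access() {
    root="${1:-}"
    LOGCHECK_FAILS=0

    # Condition 1: every config under /etc/logcheck/*/* is readable.
    seen=0
    for f in "$root"/etc/logcheck/*/*; do
        [ -e "$f" ] || continue          # unexpanded glob or dangling link
        seen=1
        [ -r "$f" ] || fail "config not readable" "$f"
    done
    [ "$seen" -eq 1 ] || fail "no configs visible under" "$root/etc/logcheck"

    # Condition 2: offset files can be created, and existing ones updated
    # (an offset file left behind by another user blocks updates).
    dir="$root/var/lib/logcheck"
    if [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]; then
        for f in "$dir"/offset.*; do
            [ -e "$f" ] || continue
            [ -w "$f" ] || fail "offset file not writable" "$f"
        done
    else
        fail "offset directory not writable" "$dir"
    fi

    # Condition 3: each monitored log (often root:adm, mode 640) is readable.
    list="$root/etc/logcheck/logcheck.logfiles"
    if [ -r "$list" ]; then
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            [ -r "$root$line" ] || fail "log not readable" "$root$line"
        done < "$list"
    else
        fail "log list not readable" "$list"
    fi

    [ "$LOGCHECK_FAILS" -eq 0 ]
}
```

Calling `check_logcheck_access` with no argument checks the live system; each unmet condition prints one FAIL line and the function returns non-zero.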