karmic regression: logcheck prints CRON CMD lines

Bug #463471 reported by Matthias Andree on 2009-10-29
This bug affects 11 people
Affects Status Importance Assigned to Milestone
logcheck (Debian)
Fix Released
Unknown
logcheck (Ubuntu)
Medium
Unassigned
Karmic
Medium
Loïc Minier
rsyslog (Ubuntu)
Wishlist
Unassigned
Karmic
Undecided
Unassigned

Bug Description

logcheck reports all logs from CRON since the switch to rsyslog; the regexp requires /usr/sbin/cron or /USR/SBIN/CRON, but rsyslog logs cron or CRON.

Impact: installs with logcheck get emails very frequently (for each matching CRON log).

Bug was addressed by updating the RE to make the /usr/sbin part optional.

TEST CASE:
Install logcheck, wait for some CRON entries in your syslog, wait for logcheck's cron to run, see whether you get an email.

Regression potential: People with local changes need to merge conffiles.

THIS SRU REQUEST IS BEING TRACKED IN MAIN BUG #463471.

Trebacz (david-trebacz) wrote :

I'm also having the same issue after an upgrade to 9.10 and I use only the server profile. I'd suggest that the fix is applied to the /etc/logcheck/ignore.d.server/cron

Nov 1 06:17:01 host1 CRON[27038]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 1 06:25:01 host1 CRON[27643]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Nov 1 06:47:01 host1 CRON[29299]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ))
Nov 1 06:52:01 host1 CRON[29678]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly ))
Nov 1 07:02:01 host1 CRON[30439]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)

Trebacz (david-trebacz) wrote :

The entries used to look like:

Oct 26 04:02:01 host1 /USR/SBIN/CRON[7693]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)
Oct 26 04:10:01 host1 /USR/SBIN/CRON[9302]: (root) CMD ([ -x /usr/sbin/update-motd ] && /usr/sbin/update-motd 2>/dev/null)
Oct 26 04:17:01 host1 /USR/SBIN/CRON[9999]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

Daniel Hahler (blueyed) on 2009-11-01
tags: added: karmic regression-release
Changed in logcheck (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Trebacz (david-trebacz) wrote :

The change in the 1st line in the /etc/logcheck/ignore.d.paranoid/cron file took care of my problem. I changed it from:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$

to

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$

Worked like a charm. Never realized that my version of logcheck was utilizing the paranoid ignores. There are a couple of other entries in the file that have the path in them, but my routine messages don't seem to hit them, or they are still being logged with the path.

Matijs van Zuijlen (matijs) wrote :

Trebacz, as I understand it if you use the server profile, ignores from both server and paranoid are used. So server ignores anything that paranoid ignores, and workstation ignores anything that server or paranoid ignore.

Richard Ayotte (rich-ayotte) wrote :

I get messages like the following all day long.

Nov 30 05:09:01 polarbear CRON[13941]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Nov 30 05:17:01 polarbear CRON[13973]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 30 05:39:01 polarbear CRON[14056]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Nov 30 06:02:01 polarbear CRON[14127]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)

Adding ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$ to /etc/logcheck/ignore.d.paranoid/cron fixed the problem.

Klaus Purer (klausi) wrote :

Thanks Trebacz, your solution works for me.

Loïc Minier (lool) wrote :

I think that's due to the switch to rsyslog.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logcheck - 1.3.5ubuntu1

---------------
logcheck (1.3.5ubuntu1) lucid; urgency=low

  * rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
    pathnames to cron; apparently a difference between syslog and rsyslog;
    LP: #463471.
  * rulefiles/linux/ignore.d.paranoid/sysklogd: more specific matching of
    upstream version and optional Debian/Ubuntu revision (DEBRELEASE), also
    allow all allowed chars in revision fixes matching of Ubuntu versions;
    LP: #116773.
 -- Loic Minier <email address hidden> Thu, 21 Jan 2010 23:09:45 +0100
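
As an added illustration (not part of the bug report or of the logcheck package), this script runs the two rules quoted in the comments above, plus a variant with an optional path, against log lines taken from this report. `OPT_RULE`, the function names and the sshd line are assumptions made for the example; the rule actually shipped may be written differently.

```shell
#!/bin/sh
# logcheck ignore rules are extended regexes, one per line, matched with egrep.
# OLD_RULE and NEW_RULE are copied from the comments in this report.
OLD_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ /USR/SBIN/CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$'
NEW_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$'
# Assumption: one way to make the path optional, so both log formats are covered.
OPT_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/USR/SBIN/)?CRON\[[0-9]+\]: \([_[:alnum:]-]+\) CMD \(.*\)$'

# Two old-format and two rsyslog-format lines from this report, plus one
# constructed sshd line that no cron rule should ever suppress.
sample_log() {
cat <<'EOF'
Oct 26 04:02:01 host1 /USR/SBIN/CRON[7693]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)
Oct 26 04:17:01 host1 /USR/SBIN/CRON[9999]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 30 05:17:01 polarbear CRON[13973]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Nov 30 06:02:01 polarbear CRON[14127]: (logcheck) CMD ( if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi)
Nov 30 05:20:13 polarbear sshd[14001]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
EOF
}

# Print the lines a rule does NOT ignore, i.e. what would end up in the mail.
reported() {
    sample_log | grep -E -v -e "$1" || true
}

# Number of lines left over for the report under a given rule.
count_reported() {
    reported "$1" | wc -l | tr -d ' '
}

for name in OLD_RULE NEW_RULE OPT_RULE; do
    eval "rule=\$$name"
    printf '%s leaves %s line(s) for the report\n' "$name" "$(count_reported "$rule")"
done
```

Each of the two quoted rules covers only one log format, so a host whose logs still contain both formats keeps getting cron mail; the optional-path variant leaves only the sshd line.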

Changed in logcheck (Ubuntu):
status: Triaged → Fix Released
Loïc Minier (lool) on 2010-01-21
Changed in rsyslog (Ubuntu):
status: New → Confirmed
Changed in logcheck (Debian):
status: Unknown → New
Changed in logcheck (Debian):
status: New → Fix Released
David Kågedal (dkagedal) wrote :

Why isn't this fixed in karmic?

Because it's not a security related bug!

Loïc Minier (lool) on 2010-02-25
Changed in logcheck (Ubuntu Karmic):
status: New → In Progress
assignee: nobody → Loïc Minier (lool)
importance: Undecided → Medium
Loïc Minier (lool) on 2010-02-25
Changed in rsyslog (Ubuntu Karmic):
status: New → Won't Fix
description: updated
Loïc Minier (lool) wrote :
description: updated
Loïc Minier (lool) wrote :

@Ralf: we actually have a process to fix high impact bugs in stable releases which are not security bugs, see:
https://wiki.ubuntu.com/StableReleaseUpdates

of course we can't fix all bugs in stable releases, and we prefer focusing on bugs of the next release to have as little as possible there; the process for stable updates is a bit time consuming too (necessarily so).

John Dong (jdong) wrote :

The proposed debdiff seems to fix more than just the bug described in the test case, is this correct?

The contents look good to me, but please augment the bug description with additional testcases to describe how to test all the incorporated fixes, if applicable.

Also, version suffix ubuntu0.1 is preferred.

ACK from ubuntu-sru.

Loïc Minier (lool) wrote :

@John: the test cases are in the individual bugs being closed, as suggested by pitti.

On 2/27/10 5:29 AM, Loïc Minier wrote:
> @John: the test cases are in the individual bugs being closed, as
> suggested by pitti.
>

Thank you for the clarification. I'm all set :)

Accepted logcheck into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in logcheck (Ubuntu Karmic):
status: In Progress → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

This doesn't look like a bug in rsyslog to me, does it?

Changed in rsyslog (Ubuntu):
status: Confirmed → Invalid
Loïc Minier (lool) wrote :

Martin, I kept the rsyslog task in case we want to have 100% identical logs when switching over to rsyslog.

Martin Pitt (pitti) wrote :

Ah, thanks; reopening then.

Changed in rsyslog (Ubuntu):
status: Invalid → Confirmed
importance: Undecided → Wishlist
Loïc Minier (lool) wrote :

Worked fine in my testing

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package logcheck - 1.2.69ubuntu0.1

---------------
logcheck (1.2.69ubuntu0.1) karmic-proposed; urgency=low

  * rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
    pathnames to cron; apparently a difference between syslog and rsyslog;
    LP: #463471.
  * rulefiles/linux/ignore.d.server/dhclient: match optional ip address;
    LP: #307847.
  * rulefiles/linux/ignore.d.server/ssh: add "disconnected by user" re in the
    "Received disconnect from" series; this now occurs frequently with recent
    OpenSSH clients; LP: #527669.
 -- Loic Minier <email address hidden> Thu, 25 Feb 2010 10:58:02 +0100

Changed in logcheck (Ubuntu Karmic):
status: Fix Committed → Fix Released