[Logcheck-users] logcheck errors after logrotate runs

Dathi Oxencroft dathi@appello.net
Mon, 4 Apr 2005 16:23:18 +1000



Hi Todd.

I have identified the issue. I noticed a permission error on log.0 (below) and
an old date. (the apx date of my upgrade incidentally)

-rw-r-----  1 snort adm  28547 Mar 30 19:17 portscan.log
-rw-------  1 snort adm  13876 Feb  1 04:35 portscan.log.0
-rw-r-----  1 snort adm 166757 Mar 27 06:27 portscan.log.1
-rw-r-----  1 snort adm   2801 Mar 20 06:27 portscan.log.2.gz

I fixed that, set a daily rotate of that log and all went ok.

I wanted to wait for the weekly rotate to run before declaring victory. All
appears to be fine now. I'm still mystified as to how the permission got
broken at upgrade time. Odd.

Thanks for your assistance and reminder to check permissions in general.

Kind Regards
Dathi

On Tue, 29 Mar 2005 07:46 pm, Dathi Oxencroft wrote:
> Hi Todd,
>
> Yes, most strange for this to arise on the upgrade. I "usually" wait for
> stable, but oh well, impatient this year :o Doubt it would have made a
> difference.
>
> Logcheck is standard except for a couple of extra files monitored
> (/var/log/daemon.log and /var/log/snort/portscan.log) and some trims to the
> rules. Logrotate is also pretty standard with a few trims to the number of
> logs kept on some files.
>
> Data as requested:
>
>
> avalon:/home/dathi# ls -l /var/lib/logcheck
> total 16
> -rw-------  1 logcheck logcheck 14 Mar 29 09:02 offset.var.log.auth.log
> -rw-------  1 logcheck logcheck 13 Mar 29 09:02 offset.var.log.daemon.log
> -rw-------  1 logcheck logcheck 13 Mar 29 01:02 offset.var.log.snort.portscan.log
> -rw-------  1 logcheck logcheck 13 Mar 29 09:02 offset.var.log.syslog
>
> avalon:/home/dathi# ls -l /var/log/syslog
> -rw-r-----  1 root adm 41713 Mar 29 09:03 /var/log/syslog
>
> avalon:/home/dathi# getent passwd logcheck
> logcheck:x:107:107::/var/lib/logcheck:/bin/false
>
> avalon:/home/dathi# groups logcheck
> logcheck : logcheck adm
>
>
> I deleted the offsets again so logcheck is working currently. Output of a
> manually initiated logcheck -d did yield an error at the very end.
>
> D: [1112087459] Cleanup: Removing - /tmp/logcheck.Z3H6fn
> rm: cannot get current directory: Permission denied
>
> Full debug is at http://www.appello.net/mydebug/
>
> I will get you another debug of logcheck when it's not working at my
> earliest opportunity.
>
> Kind Regards
> Dathi
>
> On Tue, 29 Mar 2005 05:32 pm, Todd Troxell wrote:
> > Hi Dathi,
> >
> > On Tue, Mar 29, 2005 at 07:30:57AM +1000, Dathi Oxencroft wrote:
> > > Hello :)
> > >
> > > After upgrading recently from Woody to Sarge (which went fairly well) I
> > > now have trouble with logcheck. I have been unable to track down a
> > > solution.
> > >
> > > Logcheck runs perfectly through the week until Sunday when logrotate
> > > does its thing. I immediately start getting warning emails from
> > > logcheck that logfiles are not checked.
> >
> > Could you let me know the results of these commands:
> > ls -l /var/lib/logcheck
> > ls -l /var/log/syslog
> > getent passwd logcheck
> > groups logcheck
> >
> > Also, debugging output may help (logcheck -d)
> >
> > This is sounding like a permissions issue, but I'm curious as to how it
> > has arisen.  Do you have any special configuration for
> > logcheck/logrotate?
> >
> > Cheers,

-- 
o---------------- Dathi E Oxencroft ----- Australia ----------------:)
                    MCSA, MCP, CompTIA A+ Network+
 If one learns from others but does not think, one will be bewildered
 If one thinks but does not learn from others, one will be in peril
                                                           -Confucius
o--------- PGP key - http://www.appello.net/0x812A4FBB.txt ---------.)
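
The check that resolved this thread, written as a script. This is an added example, not part of the original messages: it lists every file in a log's rotation set that members of a given group cannot read. The function name, script name and the default group "adm" (taken from the `groups logcheck` output above) are assumptions; ACLs and directory permissions are not examined.

```shell
#!/bin/sh
# unreadable_rotations LOGFILE GROUP   (hypothetical helper, added example)
#
# Prints each regular file in the rotation set of LOGFILE (the live log
# plus LOGFILE.0, LOGFILE.1, LOGFILE.2.gz, ...) that a member of GROUP
# cannot read: the file is not world-readable and is either owned by a
# different group or lacks the group-read bit.
# Returns 0 when every file is readable, 1 when at least one is not.
unreadable_rotations() {
    log=$1
    group=$2
    dir=$(dirname "$log")
    base=$(basename "$log")

    # -perm -o=r / -perm -g=r match when that read bit is set, so the
    # negated forms select files where it is missing (e.g. mode 0600).
    bad=$(find "$dir" -maxdepth 1 -type f \
              \( -name "$base" -o -name "$base.*" \) \
              ! -perm -o=r \
              \( ! -group "$group" -o ! -perm -g=r \) | sort)

    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Command-line use (script name is an assumption):
#   sh check_rotations.sh /var/log/snort/portscan.log adm
# GROUP defaults to "adm", the group logcheck belongs to in this thread.
if [ "$#" -ge 1 ]; then
    unreadable_rotations "$1" "${2:-adm}" || exit 1
fi
```

Run against the listing at the top of this message, it would report only portscan.log.0, the file with mode -rw-------.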
