Joel Williams
2004-Nov-10 16:28 UTC
[Logcheck-devel] logtail ignoring information in rotated logs
Hi gang,

While writing a script that uses logtail, I noticed that logtail assumes nothing interesting happened between its last invocation and the rotation, which means that exciting bits of data could be lost.

This seems a bit dodgy (correct me if I'm wrong about how it works!) so I made a dodgy patch to logtail that checks for the existence of $logfile.0, which on Debian seems to always be created for the interesting stuff in /var/log. If it exists and its inode matches that in the state file, dump out any changes and then carry on with the new file. This approach seems a little messy, but it works for me.

From the discussion in bug #271410, I understand that logcheck does much the same thing in logoutput(), so this is not really a fault with the whole package, but it seems more logical to me to perform the check in logtail itself, especially as other people don't seem to have considered the implications. The fiaif package, for example, includes a script (fiaif-scan) that invokes logtail to examine syslog, but does not check rotated logs.

Joel

--- /usr/sbin/logtail 2004-09-23 06:06:24.000000000 +0930 +++ logtailng.pl 2004-11-11 02:10:55.000000000 +1030 @@ -21,7 +21,7 @@ use strict; use warnings; -my ($size); +my ($size, $rotsize); use Getopt::Std; my %opts = (); @@ -52,7 +52,7 @@ exit 66; } -my ($inode, $ino, $offset) = (0, 0, 0); +my ($inode, $ino, $offset, $rotatedino) = (0, 0, 0, 0); unless (not $offsetfile) { if (open(OFFSET, $offsetfile)) {
@@ -82,6 +82,22 @@ print "*************** This could indicate tampering.\n"; } } + + # Check for the existence of a rotated log + + if ((undef,$rotatedino,undef,undef,undef,undef,undef,$rotsize) = stat "$logfile.0") { + if ($inode == $rotatedino && $offset < $rotsize) { + unless (open(LOGFILEROT, "$logfile.0")) { + print "File $logfile.0 cannot be read.\n"; + exit 66; + } + seek(LOGFILEROT, $offset, 0); + while (<LOGFILEROT>) { + print $_; + } + close LOGFILEROT; + } + } if ($inode != $ino || $offset > $size) { $offset = 0; }
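Review bot: in the `@@ -21` hunk, `$rotsize` is added to the file-scope `my ($size, $rotsize);` although it is only assigned and read inside the new rotation check further down; a `my` in that block keeps its scope tight and makes this hunk unnecessary.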
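Review bot: in the `@@ -52` hunk, the `0` given to `$rotatedino` in `my ($inode, $ino, $offset, $rotatedino) = (0, 0, 0, 0);` is never observed: the variable is either overwritten by the `stat` list assignment or, when `stat` fails, the whole branch that reads it is skipped. Declaring it inside the rotation block alongside `$rotsize` would remove this hunk as well.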
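Review bot: the `@@ -82` hunk only recovers the unread tail when `$logfile.0` exists and its inode equals the stored `$inode`; in every other case (a rotation that leaves the old data under a different name, which the thread already raises for logrotate(8), or one that leaves `$logfile.0` with a fresh inode) control falls through to `if ($inode != $ino || $offset > $size) { $offset = 0; }` and the lines written since the last run are dropped without any message, which is exactly the loss the patch set out to fix. At minimum that fall-through deserves a warning on the same terms as the existing "This could indicate tampering" output, and the rotated name should not be hard-wired to `.0`. On the condition itself, `(undef,$rotatedino,undef,undef,undef,undef,undef,$rotsize) = stat "$logfile.0"` reads far better as a slice, `my ($rotatedino, $rotsize) = (stat "$logfile.0")[1, 7];`. Lastly, `print "File $logfile.0 cannot be read.\n";` goes to stdout, where callers that consume logtail's output cannot tell it from a log line; `print STDERR` keeps the data stream clean.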
maks attems
2004-Nov-10 17:19 UTC
[Logcheck-devel] logtail ignoring information in rotated logs
hello :)

On Thu, 11 Nov 2004, Joel Williams wrote:

> Hi gang, > > While writing a script that uses logtail, I noticed that logtail assumes > nothing interesting happened between its last invocation and the > rotation, which means that exciting bits of data could be lost.

thanks for bringing that up! yes it's a TODO item of the logcheck team.

> This seems a bit dodgy (correct me if I'm wrong about how it works!) so > I made a dodgy patch to logtail that checks for the existence of > $logfile.0, which on Debian seems to always be created for the > interesting stuff in /var/log. If it exists and its inode matches that > in the state file, dump out any changes and then carry on with the new > file. This approach seems a little messy, but it works for me.

as you indicated below you may want to read the code in logcheck logoutput(), as it also takes care of logs rotated by logrotate. this was enhanced in #153669.

> From the discussion in bug #271410, I understand that logcheck does much > the same thing in logoutput(), so this is not really a fault with the > whole package, but it seems more logical to me to perform the check in > logtail itself, especially as other people don't seem to have considered > the implications. The fiaif package, for example, includes a script > (fiaif-scan) that invokes logtail to examine syslog, but does not check > rotated logs.

well we once broke fiaif by changing the args needed to invoke logtail, so i would like to hear input from its maintainer, but i guess he will be happy. added to cc.

> --- /usr/sbin/logtail 2004-09-23 06:06:24.000000000 +0930 > +++ logtailng.pl 2004-11-11 02:10:55.000000000 +1030 > @@ -21,7 +21,7 @@ > > use strict; > use warnings; > -my ($size); > +my ($size, $rotsize); > use Getopt::Std; > my %opts = (); > > @@ -52,7 +52,7 @@ > exit 66; > } > > -my ($inode, $ino, $offset) = (0, 0, 0); > +my ($inode, $ino, $offset, $rotatedino) = (0, 0, 0, 0); > > unless (not $offsetfile) { > if (open(OFFSET, $offsetfile)) {
> @@ -82,6 +82,22 @@ > print "*************** This could indicate tampering.\n"; > } > } > + > + # Check for the existence of a rotated log > + > + if ((undef,$rotatedino,undef,undef,undef,undef,undef,$rotsize) = stat "$logfile.0") {

i always wondered how such a line can be considered to be sane. is perl stat() so difficult to access?

> + if ($inode == $rotatedino && $offset < $rotsize) { > + unless (open(LOGFILEROT, "$logfile.0")) { > + print "File $logfile.0 cannot be read.\n"; > + exit 66; > + } > + seek(LOGFILEROT, $offset, 0); > + while (<LOGFILEROT>) { > + print $_; > + } > + close LOGFILEROT; > + } > + } > if ($inode != $ino || $offset > $size) { > $offset = 0; > }

rest looks nice to me once logrotate(8) gets also added.

-- maks
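The approach Joel describes (a stored inode plus offset, finishing the rotated copy before starting on the new file) together with the logrotate naming maks asks for, written out as an added example in Python rather than logtail's Perl; it is not code from the thread or from the logcheck package. The function names, the state-file format, the `.0`/`.1` suffix list and the constructed scenario in `demo()` are assumptions.

```python
import os, tempfile

def read_state(state_path):
    """(inode, offset) from the previous run, or (0, 0) when there is none."""
    try:
        inode, offset = open(state_path).read().split()
        return int(inode), int(offset)
    except (OSError, ValueError):
        return 0, 0

def find_rotated(logfile, inode):
    """Rotated copy that still has the stored inode (suffixes are an assumption)."""
    for cand in (logfile + ".0", logfile + ".1"):     # savelog / logrotate names
        if os.path.exists(cand) and os.stat(cand).st_ino == inode:
            return cand

def logtail(logfile, state_path):
    """Unseen lines since the last run, plus warnings for unrecoverable gaps."""
    inode, offset = read_state(state_path)
    cur, lines, warnings = os.stat(logfile), [], []
    if inode and cur.st_ino != inode:          # logfile was replaced
        rotated = find_rotated(logfile, inode)
        if rotated is None:
            warnings.append("no rotated copy with inode %d; data after offset %d lost" % (inode, offset))
        elif offset < os.stat(rotated).st_size:
            with open(rotated, "rb") as f:     # finish the old file first
                f.seek(offset)
                lines += f.read().decode(errors="replace").splitlines()
        offset = 0                             # new file starts from the top
    elif offset > cur.st_size:                 # same inode but shorter
        warnings.append("%s shrank below offset %d; restarting from 0" % (logfile, offset))
        offset = 0
    with open(logfile, "rb") as f:
        f.seek(offset)
        lines += f.read().decode(errors="replace").splitlines()
        offset = f.tell()
    open(state_path, "w").write("%d %d\n" % (cur.st_ino, offset))
    return lines, warnings

def demo():
    # Constructed scenario: run, append a line, rename-rotate to .0, new file, run.
    d = tempfile.mkdtemp()
    log, state = os.path.join(d, "syslog"), os.path.join(d, "syslog.offset")
    open(log, "w").write("line1\nline2\n")
    first, _ = logtail(log, state)
    open(log, "a").write("line3\n")            # written before the rotation
    os.rename(log, log + ".0")
    open(log, "w").write("line4\n")
    second, warn = logtail(log, state)
    return first, second, warn
```

Unlike the patch, the two fall-through cases (no rotated copy carrying the old inode, or the same inode shrinking below the saved offset) produce a warning instead of silently resetting the offset.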