Hi, # uname -a Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box. I ran logwatch at the command line: logwatch --detail medium --mailto root at fqdn.example.com but still no email. As expected, /etc/cron.daily has the following entry: lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl Where should I start looking to figure out why logwatch seems not to be doing its thing? Thanks in advance, -Ray
On Thu, Aug 20, 2009 at 3:55 PM, Ray Leventhal <centos at swhi.net> wrote:> I noticed a few days ago that I'm not getting my logwatch emails to the > root account any longer, and while I've definitely been applying updates > from base, no other changes have happened on this box.I'd check the /var/spool/cron log to see if it's actually running properly. After that I'd check the maillogs to see if there was a delivery problem.> > I ran logwatch at the command line: > > logwatch --detail medium --mailto root at fqdn.example.comTry that again, but tail -f /var/log/maillog in another window (if there's not alot of mail traffic on that host) to see if it's generating any mail logs> > but still no email. > > As expected, /etc/cron.daily has the following entry: > lrwxrwxrwx ? 1 root root ? 39 Jul 30 ?2008 0logwatch -> > /usr/share/logwatch/scripts/logwatch.pl >What are the permissions on /usr/share/logwatch/scripts/logwatch.pl? Check to see if any updates were applied to logwatch recently (yum info or rpm -qi logwatch) and check your logwatch config files to see if anything changed there. Hope this helps, Cliff
On Thu, Aug 20, 2009 at 3:55 PM, Ray Leventhal<centos at swhi.net> wrote:> I noticed a few days ago that I'm not getting my logwatch emails to the > root account any longer, and while I've definitely been applying updates > from base, no other changes have happened on this box. > > Where should I start looking to figure out why logwatch seems not to be > doing its thing?Are any emails going out? Perhaps sendmail died? If it were me, I would start by checking the mail queue (# mailq), the mail log (/var/adm/maillog), and the sendmail mail transport agent (# service sendmail status). I use a default setup which requires sendmail to be running for delivery of mail to root at locahost. gd
Hi, On Thu, Aug 20, 2009 at 16:55, Ray Leventhal<centos at swhi.net> wrote:> I ran logwatch at the command line: > logwatch --detail medium --mailto root at fqdn.example.com > but still no email.Can you send e-mails using other programs on that machine? For instance: $ echo test | mail -s test root at fqdn.example.com Do you receive the test e-mail after sending it like that? If not, that's where you should look... HTH, Filipe
> I noticed a few days ago that I'm not getting my logwatch > emails to the root account any longer, and while I've > definitely been applying updates from base, no other changes > have happened on this box. > > I ran logwatch at the command line: > > logwatch --detail medium --mailto root at fqdn.example.com > > but still no email. >Try sending it to an email outside of your domain like mytest at gmail.com or whatever your mail is. More than likely you reset or started some kind of program like spam assassin. There are enough bad ips, urls, etc to just make it get killed by spamassassin or any other kind of software for mail. Try whitelisting it in procmail or whatever you are using. Worked for me
Ray Leventhal wrote:> Hi, > > # uname -a Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue > Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux > > I noticed a few days ago that I'm not getting my logwatch emails to the > root account any longer, and while I've definitely been applying updates > from base, no other changes have happened on this box. > > I ran logwatch at the command line: > > logwatch --detail medium --mailto root at fqdn.example.com > > but still no email. > > As expected, /etc/cron.daily has the following entry: > lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> > /usr/share/logwatch/scripts/logwatch.pl > > Where should I start looking to figure out why logwatch seems not to be > doing its thing? > > Thanks in advance, > -Ray > >Thanks to all who replied. Mystery is nearly solved - I took the suggestions posted here.> $ echo test | mail -s test root at fqdn.example.com >sent email to root just fine. I tried it with the FQDN, localhost and just root...all worked (I thought they would as this is a public facing mail server and works for hundreds of customers, but still...one tries to eliminate stuff :)>>> > >>> > I ran logwatch at the command line: >>> > >>> > logwatch --detail medium --mailto root at fqdn.example.com >>> >> >> Try that again, but tail -f /var/log/maillog in another window (if >> there's not alot of mail traffic on that host) to see if it's >> generating any mail logs >> >>Here's what told the tale. Yes, I saw an entry while running #tail -f /var/log/maillog|grep root But what was seen was interesting: Aug 21 12:16:25 <> MailScanner[12390]: Message n7LGGNVM013365 from 127.0.0.1 (root at fqdn.example.com) to fqdn.example.com is too big for spam checks (206288 > 150000 bytes) Then, checking the root account in (al)pine, this:> Date: Fri, 21 Aug 2009 12:16:26 -0400 > From: MailScanner <postmaster at fqdn.example.com> > To: postmaster at fqdn.example.com > Subject: Virus Detected > > The following e-mails were found to have: Virus Detected > > Sender: root at fqdn.example.com > IP Address: 127.0.0.1 > Recipient: root at fqdn.example.com > Subject: Logwatch for fqdn.example.com (Linux) > MessageID: n7LGGNVM013365 > Quarantine: > Report: Clamd: message was infected: Email.Phishing.DblDom-124 FOUND > > Full headers are: > > X-ClientAddr: 127.0.0.1 > Return-Path: <~Ag> > Received: from fqdn.example.com (localhost.localdomain [127.0.0.1]) > by fqdn.example.com (8.13.8/8.13.8) with ESMTP id n7LGGNVM013365 > for <root at fqdn.example.com>; Fri, 21 Aug 2009 12:16:25 -0400 > Full-Name: root > Received: (from root at localhost) > by fqdn.example.com (8.13.8/8.13.8/Submit) id n7LGEbuj012759; > Fri, 21 Aug 2009 12:14:37 -0400 > Date: Fri, 21 Aug 2009 12:14:37 -0400 > Message-Id: <200908211614.n7LGEbuj012759 at fqdn.example.com> > To: root at fqdn.example.com > From: root at fqdn.example.com > Subject: Logwatch for fqdn.example.com (Linux) > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Type: text/plain; charset="iso-8859-1" > > > -- > MailScanner > Email Virus Scanner > www.mailscanner.info > >So while I now understand that they've been running on schedule and why I've not been seeing them...I still am in a bit of a quandry as I would *like* to receive them. Should Mailscanner's threshold be addressed or is there something I'm missing here? Thanks for the help so far and for any forthcoming. -Ray
Ray Leventhal wrote:> Hi, > > # uname -a Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue > Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux > > I noticed a few days ago that I'm not getting my logwatch emails to the > root account any longer, and while I've definitely been applying updates > from base, no other changes have happened on this box. > > I ran logwatch at the command line: > > logwatch --detail medium --mailto root at fqdn.example.com > > but still no email. > > As expected, /etc/cron.daily has the following entry: > lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> > /usr/share/logwatch/scripts/logwatch.pl > > Where should I start looking to figure out why logwatch seems not to be > doing its thing? > > Thanks in advance, > -Ray > >Thanks again to all who replied. The situation seems to have remedied itself with a log rotation (scheduled). Once the offending stuff was no longer part of the body of the logwatch emails, Mailscanner/clamd had nothing to complain about and this morning I find the weekend's logwatch emails nestled comfortably in root's inbox. Next step for me is finding where to allow logwatch emails regardless of their contents. Again, thanks to all, -Ray