Logcheck devel - Sep 2004 - Bug#271410: logcheck: avoid missed messages when logs rotate

Package: logcheck
Version: 1.2.25
Severity: wishlist


According to crontab on my system, logcheck runs at 2 minutes after the hour,
but logrotate runs at 25 minutes after the hour.  As a result, there is a 23
minute window each day where logcheck does not process log messages (for daily
rotated logs).  I would like something that eliminates this window.  One
solution is to add the .0 or .1 version of all the filenames in
logcheck.logfiles, but then most messages get processed twice.  Another parital
solution is to insert the following right before logrotate executes in
/etc/cron.daily/logrotate:
	/usr/bin/sudo -u logcheck /usr/sbin/logcheck
There's still a window for the second solution, but it's much smaller. 
Is there a better way?

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages logcheck depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  cron             3.0pl1-86               management of regular background p
ii  debconf [debconf 1.4.30.3                Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  exim4            4.34-4sarge1            An MTA (Mail Transport Agent)
ii  exim4-daemon-hea 4.34-4sarge1            Exim (v4) with extended features, 
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.25                  A database of system log rules for
ii  logtail          1.2.25                  Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-1 A simple mail user agent
ii  perl             5.8.4-2                 Larry Wall's Practical
Extraction
ii  syslog-ng [syste 1.6.4-1                 Next generation logging daemon

-- debconf information excluded

Your message dated Mon, 13 Sep 2004 23:45:44 +0200
with message-id <20040913214544.GD1978 at stro.at>
and subject line [Logcheck-devel] Bug#271410: logcheck: avoid missed messages
when logs rotate
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Sep 2004 01:48:10
+0000
>From ross at homemail.org Sun Sep 12 18:48:10 2004
Return-path: <ross at homemail.org>
Received: from ms-smtp-04.texas.rr.com [24.93.47.43] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C6fwv-0003Tf-00; Sun, 12 Sep 2004 18:48:09 -0700
Received: from johnson.ethernet.homemail.org (cs6669119-96.satx.rr.com
[66.69.119.96])
	by ms-smtp-04.texas.rr.com (8.12.10/8.12.7) with ESMTP id i8D1m7t1011559
	for <submit at bugs.debian.org>; Sun, 12 Sep 2004 20:48:07 -0500 (CDT)
Received: from ross by johnson.ethernet.homemail.org with local (Exim 4.34)
	id 1C6fws-0005hW-W3; Sun, 12 Sep 2004 20:48:07 -0500
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Ross Johnson <ross at homemail.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: logcheck: avoid missed messages when logs rotate
X-Mailer: reportbug 2.63
Date: Sun, 12 Sep 2004 20:48:06 -0500
Message-Id: <E1C6fws-0005hW-W3 at johnson.ethernet.homemail.org>
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: logcheck
Version: 1.2.25
Severity: wishlist


According to crontab on my system, logcheck runs at 2 minutes after the hour,
but logrotate runs at 25 minutes after the hour.  As a result, there is a 23
minute window each day where logcheck does not process log messages (for daily
rotated logs).  I would like something that eliminates this window.  One
solution is to add the .0 or .1 version of all the filenames in
logcheck.logfiles, but then most messages get processed twice.  Another parital
solution is to insert the following right before logrotate executes in
/etc/cron.daily/logrotate:
	/usr/bin/sudo -u logcheck /usr/sbin/logcheck
There's still a window for the second solution, but it's much smaller. 
Is there a better way?

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages logcheck depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  cron             3.0pl1-86               management of regular background p
ii  debconf [debconf 1.4.30.3                Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  exim4            4.34-4sarge1            An MTA (Mail Transport Agent)
ii  exim4-daemon-hea 4.34-4sarge1            Exim (v4) with extended features, 
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.25                  A database of system log rules for
ii  logtail          1.2.25                  Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-1 A simple mail user agent
ii  perl             5.8.4-2                 Larry Wall's Practical
Extraction
ii  syslog-ng [syste 1.6.4-1                 Next generation logging daemon

-- debconf information excluded

---------------------------------------
Received: (at 271410-done) by bugs.debian.org; 13 Sep 2004 21:45:48
+0000
>From max at stro.at Mon Sep 13 14:45:48 2004
Return-path: <max at stro.at>
Received: from baikonur.stro.at [213.239.196.228] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C6ydv-0003vO-00; Mon, 13 Sep 2004 14:45:48 -0700
Received: from localhost (localhost [127.0.0.1])
	by baikonur.stro.at (Postfix) with ESMTP id 817185C06C
	for <271410-done at bugs.debian.org>; Mon, 13 Sep 2004 23:45:44 +0200
(CEST)
Received: from baikonur.stro.at ([127.0.0.1])
	by localhost (baikonur [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 12409-09 for <271410-done at bugs.debian.org>;
	Mon, 13 Sep 2004 23:45:43 +0200 (CEST)
Received: from sputnik (M936P023.adsl.highway.telekom.at [62.47.148.247])
	by baikonur.stro.at (Postfix) with ESMTP id AF5D65C034
	for <271410-done at bugs.debian.org>; Mon, 13 Sep 2004 23:45:42 +0200
(CEST)
Received: from max by sputnik with local (Exim 4.34)
	id 1C6yds-0002LR-Mw
	for 271410-done at bugs.debian.org; Mon, 13 Sep 2004 23:45:44 +0200
Date: Mon, 13 Sep 2004 23:45:44 +0200
From: maks attems <debian at sternwelten.at>
To: 271410-done at bugs.debian.org
Subject: Re: [Logcheck-devel] Bug#271410: logcheck: avoid missed messages when
logs rotate
Message-ID: <20040913214544.GD1978 at stro.at>
References: <E1C6fws-0005hW-W3 at johnson.ethernet.homemail.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <E1C6fws-0005hW-W3 at johnson.ethernet.homemail.org>
User-Agent: Mutt/1.5.6+20040722i
Sender: maximilian attems <max at stro.at>
X-Virus-Scanned: by Amavis (ClamAV) at stro.at
Delivered-To: 271410-done at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_01,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

On Sun, 12 Sep 2004, Ross Johnson wrote:
> According to crontab on my system, logcheck runs at 2 minutes after the
hour, but logrotate runs at 25 minutes after the hour.  As a result, there is a
23 minute window each day where logcheck does not process log messages (for
daily rotated logs).  I would like something that eliminates this window.  One
solution is to add the .0 or .1 version of all the filenames in
logcheck.logfiles, but then most messages get processed twice.  Another parital
solution is to insert the following right before logrotate executes in
/etc/cron.daily/logrotate:
> 	/usr/bin/sudo -u logcheck /usr/sbin/logcheck
> There's still a window for the second solution, but it's much
smaller.  Is there a better way?
well logcheck does work with logrotate file,
it won't work if you rotate twice before invoking logcheck,
if you wish to improve current implementation.

take a look at the logoutput() function in logcheck
or find a better way to do in logtail directly.

closing your bug report, as this bug is fictious.
anyway thanks for your feedback.

--
maks