Logcheck devel - Feb 2005 - Bug#296096: logcheck shows the same month old logs again and again

Package: logcheck
Version: 1.2.34
Severity: normal

With the normal logcheck emails I constantly get the same reports about month
old events that are long ago (and have already been reported several times). It
seems it can't remember what it has reported already and what not.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.9tooar1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages logcheck depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  cron             3.0pl1-86               management of regular background p
ii  debconf [debconf 1.4.30.11               Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.34                  A database of system log rules for
ii  logtail          1.2.34                  Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  postfix [mail-tr 2.1.5-6                 A high-performance mail transport 
ii  syslog-ng [syste 1.6.4-2                 Next generation logging daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:

tags 296096 moreinfo
thanks

On Sun, 20 Feb 2005, CAiRO wrote:
> Package: logcheck
> Version: 1.2.34
> Severity: normal
> 
> With the normal logcheck emails I constantly get the same reports about
month old events that are long ago (and have already been reported several
times). It seems it can't remember what it has reported already and what
not.
> 
sounds like your file don't get rotated. (laptop or whatever)
logcheck remails a file if the the inode of the file changes,
then it can no longer assume to have the same file to check
with previsou offset.

how often does that happen?
do you have a seperate dir of logcheck messages?
could you send a typical example.
what filesystem are you using? (nfs, afs,..)?

thanks for your feedback
a++ maks

clone 296096
reassign -1 syslog-ng
severity -1 minor
retitle -1 syslog-ng logrotate conf leaves old syslog file
thanks

On Sat, 26 Feb 2005, CAiRO wrote:
> maximilian attems wrote on Sat, 26.02.2005:
> > tags 296096 moreinfo
> > thanks
> > 
> > On Sun, 20 Feb 2005, CAiRO wrote:
> > 
> > > Package: logcheck
> > > Version: 1.2.34
> > > Severity: normal
> > > 
> > > With the normal logcheck emails I constantly get the same reports
> > > about month old events that are long ago (and have already been
> > > reported several times). It seems it can't remember what it
has
> > > reported already and what not.
> > > 
> > 
> > sounds like your file don't get rotated. (laptop or whatever)
> 
> Ok, I've done some further investigation. The problem seems to be
caused
> by installing syslog-ng which changes the logrotate configuration of
> /var/log/syslog to _not_ delay compress anymore. This way, there's an
> old /var/log/syslog.0 file left which doesn't get cycled anymore.
> 
> > logcheck remails a file if the the inode of the file changes,
> > then it can no longer assume to have the same file to check
> > with previsou offset.
> 
> Though, the modification time of /var/log/syslog.0 is Dec 13th and it
> contains all the lines logcheck reports again and again in the daily
> 'System Events' emails.
> 
> ls -lc syslog*
> -rw-r-----  1 root adm  95K Feb 26 14:16 syslog
> -rw-r-----  1 root adm 347K Dec 13 06:27 syslog.0
> -rw-r-----  1 root adm  21K Feb 26 06:29 syslog.1.gz
> -rw-r-----  1 root adm  25K Feb 26 06:29 syslog.2.gz
> -rw-r-----  1 root adm  44K Feb 26 06:29 syslog.3.gz
> -rw-r-----  1 root adm  23K Feb 26 06:29 syslog.4.gz
> -rw-r-----  1 root adm  32K Feb 26 06:29 syslog.5.gz
> -rw-r-----  1 root adm  31K Feb 26 06:29 syslog.6.gz
> -rw-r-----  1 root adm  28K Feb 26 06:29 syslog.7.gz
> 
> Since the syslog.0 hasn't changed and since logcheck reports lines from
> it (not all lines, just the first half of the file) again and again I
> still think there's some kind of problem.
> 
> 
> > how often does that happen?
> 
> It happens daily with the 'System Events' emails.
> 
> > do you have a seperate dir of logcheck messages?
> > could you send a typical example.
> > what filesystem are you using? (nfs, afs,..)?
> 
> What do you mean by separate dir of logcheck messages?
> 
> Example excerpt from one of the logcheck emails:
> 
> From: logcheck at domains-und-mehr.de
> To: root at domains-und-mehr.de
> Subject: domains-und-mehr 2005-02-23 07:02 System Events
> 
>  This email is sent by logcheck. If you wish to no-longer receive it,
>  you can either deinstall the logcheck package or modify its
>  configuration file (/etc/logcheck/logcheck.conf).
> 
>  System Events
>  =-=-=-=-=-=->  Dec 12 13:35:01 domains-und-mehr courierpop3login: LOGIN
FAILED,
> ip=[::ffff:80.131.150.179] 
>  Dec 12 13:35:01 domains-und-mehr courierpop3login: LOGOUT,
> ip=[::ffff:80.131.150.179]
>  Dec 12 16:50:09 domains-und-mehr proftpd[16952]:
> domains-und-mehr.de(ACB248D9.ipt.aol.com[172.178.72.217]) - no such user
> 'anonymous'
>  Dec 12 17:08:05 domains-und-mehr proftpd[17634]:
> domains-und-mehr.de
> 
> 
> The file system on the server is ext3 with stock kernel 2.4.27 and
> syslog-ng and logcheck from testing.
> 
> Thanks for your help!
> 
> 
> regards, 
> 
> 	CAiRO
ok i guess logcheck should detect that strange situation,
there for also keeping the bug for logcheck.

i see a similar situtation on my laptop,
but strangely didn't get those duplicate logcheck mails.


# ls -l /var/log/syslog*
-rw-r-----  1 root        adm      8597785 2005-03-05 15:39 syslog
-rw-r-----  1 root        adm        94909 2004-05-13 06:39 syslog.0
-rw-r-----  1 root        adm       201773 2004-11-07 06:48 syslog.1.gz


cloning the bug to syslog-ng
as it would it be cooler if syslog-ng could get rid of
such old logs when getting installed.
(no idea if a logrotate conf could do that).


--
maks


ps please keep cc of bug report,
   that private message may have got lost..

tags 296096 pending
thanks

On Sun, 20 Feb 2005, CAiRO wrote:
> With the normal logcheck emails I constantly get the same reports about
month old events that are long ago (and have already been reported several
times). It seems it can't remember what it has reported already and what
not.
could you please test the attached patch,
works on my system and is added to current logcheck cvs.
would be nice to get feedback if it works for you.

thanks
maks
-------------- next part --------------
Index: src/logcheck
==================================================================RCS file:
/cvsroot/logcheck/logcheck/src/logcheck,v
retrieving revision 1.105
diff -u -r1.105 logcheck
--- src/logcheck	9 Mar 2005 03:10:43 -0000	1.105
+++ src/logcheck	22 Mar 2005 22:55:55 -0000
@@ -398,16 +398,18 @@
 	offsetfile="$STATEDIR/offset$(echo $file|tr / .)"
 	if [ -s $offsetfile -a -r $offsetfile ]; then
 	    if [[ $(wc -c < $file) -lt $(tail -n 1  $offsetfile) ]]; then
-		if [ -e $file.0 ]; then
 	        # assume the log is rotated by savelog(8)
+		# syslog-ng leaves old files here
+		if [ -e $file.0 -a $file.0 -nt $file.1.gz ]; then
 		    debug "Running logtail on rotated: $file.0"
 		    $LOGTAIL -f $file.0 -o $offsetfile $LOGTAIL_OPTS > \
 			$TMPDIR/logoutput/$(basename $file) 2>&1 \
 			|| error "Could not run logtail or save output"
 		    rm -f $offsetfile \
 		        || error "Could not remove $offsetfile"
-		elif [ -e $file.1 ]; then
 		# assume the log is rotated by logrotate(8)
+		# should also probably check if file is still fresh
+		elif [ -e $file.1 ]; then
 		    debug "Running logtail on rotated: $file.1"
 		    $LOGTAIL -f $file.1 -o $offsetfile $LOGTAIL_OPTS > \
 			$TMPDIR/logoutput/$(basename $file) 2>&1 \

Processing commands for control at bugs.debian.org:
> tags 296096 pending
Bug#296096: logcheck shows the same month old logs again and again
There were no tags set.
Tags added: pending
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Your message dated Wed, 30 Mar 2005 21:17:08 -0500
with message-id <E1DGpF6-0002FN-00 at newraff.debian.org>
and subject line Bug#296096: fixed in logcheck 1.2.36
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 20 Feb 2005 09:29:25
+0000
>From dev.null at gmx.net Sun Feb 20 01:29:25 2005
Return-path: <dev.null at gmx.net>
Received: from dsl-084-057-111-108.arcor-ip.net (tooar) [84.57.111.108] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D2nP3-0000bK-00; Sun, 20 Feb 2005 01:29:25 -0800
Received: by tooar (Postfix, from userid 1000)
	id 721D2ABFC2; Sun, 20 Feb 2005 10:28:53 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: CAiRO <dev.null at gmx.net>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: logcheck shows the same month old logs again and again
X-Mailer: reportbug 3.2
Date: Sun, 20 Feb 2005 10:28:52 +0100
Message-Id: <20050220092853.721D2ABFC2 at tooar>
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: logcheck
Version: 1.2.34
Severity: normal

With the normal logcheck emails I constantly get the same reports about month
old events that are long ago (and have already been reported several times). It
seems it can't remember what it has reported already and what not.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.9tooar1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages logcheck depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  cron             3.0pl1-86               management of regular background p
ii  debconf [debconf 1.4.30.11               Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  lockfile-progs   0.1.10                  Programs for locking and unlocking
ii  logcheck-databas 1.2.34                  A database of system log rules for
ii  logtail          1.2.34                  Print log file lines that have not
ii  mailx            1:8.1.2-0.20040524cvs-4 A simple mail user agent
ii  postfix [mail-tr 2.1.5-6                 A high-performance mail transport 
ii  syslog-ng [syste 1.6.4-2                 Next generation logging daemon

-- debconf information:
  logcheck/changes:
* logcheck/install-note:

---------------------------------------
Received: (at 296096-close) by bugs.debian.org; 31 Mar 2005 02:25:27
+0000
>From katie at ftp-master.debian.org Wed Mar 30 18:25:27 2005
Return-path: <katie at ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DGpN8-00071t-00; Wed, 30 Mar 2005 18:25:26 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DGpF6-0002FN-00; Wed, 30 Mar 2005 21:17:08 -0500
From: Todd Troxell <ttroxell at debian.org>
To: 296096-close at bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#296096: fixed in logcheck 1.2.36
Message-Id: <E1DGpF6-0002FN-00 at newraff.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Wed, 30 Mar 2005 21:17:08 -0500
Delivered-To: 296096-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 3

Source: logcheck
Source-Version: 1.2.36

We believe that the bug you reported is fixed in the latest version of
logcheck, which is due to be installed in the Debian FTP archive:

logcheck-database_1.2.36_all.deb
  to pool/main/l/logcheck/logcheck-database_1.2.36_all.deb
logcheck_1.2.36.dsc
  to pool/main/l/logcheck/logcheck_1.2.36.dsc
logcheck_1.2.36.tar.gz
  to pool/main/l/logcheck/logcheck_1.2.36.tar.gz
logcheck_1.2.36_all.deb
  to pool/main/l/logcheck/logcheck_1.2.36_all.deb
logtail_1.2.36_all.deb
  to pool/main/l/logcheck/logtail_1.2.36_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 296096 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Todd Troxell <ttroxell at debian.org> (supplier of updated logcheck
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wednesday, 30 Mar 2005 20:04:00 -0600
Source: logcheck
Binary: logcheck logtail logcheck-database
Architecture: source all
Version: 1.2.36
Distribution: unstable
Urgency: low
Maintainer: Debian logcheck Team <logcheck-devel at
lists.alioth.debian.org>
Changed-By: Todd Troxell <ttroxell at debian.org>
Description: 
 logcheck   - Mails anomalies in the system logfiles to the administrator
 logcheck-database - A database of system log rules for the use of log checkers
 logtail    - Print log file lines that have not been read
Closes: 295560 296096 298291 301415
Changes: 
 logcheck (1.2.36) unstable; urgency=low
 .
   jamie:
   * Update rules for gps 1.0>.
   * Add/update rules for innd.
   maks:
   * Add harmless pdns rule at server level.
   * Add rules for cups-lpd at level server.
   * Add violations.ignore.d/logcheck-dcc for the nightly dccifd reporting.
   * Add rule ignore.d.server/kernel for printer out of paper.
     (Closes: #298291)
   * Add one more apm rule for useless gdm logout message.
   * Add rules for 2 harmless dhcpd and dhclient messages.
   * Add cvsd, pam rules from Peter Palfrader <weasel at debian.org>.
   * Add ssh rule for timeout before authentication.
   * Check time of rotated logfile against already gzipped logfile.
     syslog-ng leaves old syslog.0 logfile in /var/log. (Closes: #296096)
   todd:
   * Add support for warnings in report
   * Update copyright dates
   * Warn on invalid regex (Closes: #295560)
   * Update udev for directories (Matt Brubeck) (Closes: #301415)
Files: 
 413fc7df7619779bf5be7169dd3f16a0 703 admin optional logcheck_1.2.36.dsc
 7d0502bd49d96f15c75350b400d31d47 92454 admin optional logcheck_1.2.36.tar.gz
 1ffd732d134b16d85dac2098dbdb1057 43720 admin optional logcheck_1.2.36_all.deb
 27c54567364a981400d2c6fed97e4473 60124 admin optional
logcheck-database_1.2.36_all.deb
 424e9b589413f54e8f978ceac3289289 26646 admin optional logtail_1.2.36_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCS1va4u3oQ3FHP2YRAkZ1AKCwzmDPnTpaCMUDtXvwWMfYfY7PGQCePwly
+/QqD7WsxiPC6EzHE9ZIvvs=1//C
-----END PGP SIGNATURE-----