Daniel Dickinson
2011-Feb-20 23:46 UTC
[Logcheck-devel] Bug#614318: logcheck sends an email even when there are no entries after filtering
Package: logcheck
Version: 1.3.13
Severity: normal

I have added filter rules to minimize the log spam I see (since the point of logcheck for me is to be able to see only important messages), but I am getting an email every hour, even though the email contains only:

This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-

-- System Information:
Debian Release: wheezy/sid
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'testing'), (100, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages logcheck depends on:
ii  adduser                       3.112+nmu2  add and remove users and groups
ii  cron                          3.0pl1-116  process scheduling daemon
ii  exim4-daemon-light [mail-tran 4.72-6      lightweight Exim MTA (v4) daemon
ii  lockfile-progs                0.1.15      Programs for locking and unlocking
ii  logtail                       1.3.13      Print log file lines that have not
ii  mime-construct                1.11        construct/send MIME messages from
ii  rsyslog [system-log-daemon]   5.7.3-1     enhanced multi-threaded syslogd

Versions of packages logcheck recommends:
ii  logcheck-database             1.3.13      database of system log rules for t

Versions of packages logcheck suggests:
pn  syslog-summary                <none>      (no description available)

-- Configuration Files:
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: u'/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: u'/etc/logcheck/logcheck.logfiles'

-- no debconf information
Jim Barber
2011-Feb-21 02:17 UTC
[Logcheck-devel] Bug#614318: logcheck sends an email even when there are no entries after filtering
Hi.

This has just started happening on one of our virtual machines running (VM) on an ESXi server.
Logcheck started sending me the same empty emails after the VM was rebooted early Feb 20th and some packages were upgraded immediately afterwards.
I don't know if it was one of the updates below, or if the reboot triggered it somehow (putting some other package that was previously upgraded into effect).

The version of logcheck in question is:

||/ Name                        Version                     Description
+++-===========================-===========================-=====================================================================
ii  logcheck                    1.3.13                      mails anomalies in the system logfiles to the administrator

I am also running logcheck version 1.3.13 on a number of other VMs that are not exhibiting the problem.
However these VMs have not been rebooted and haven't had the newer versions of the packages below installed on them.
They are in production use so can't mess with them at this stage.
But I can work with the VM that is exhibiting this problem if you need me to try anything.
The packages that were upgraded after the reboot were:

||/ Name                        Version                     Description
+++-===========================-===========================-=====================================================================
ii  bash                        4.1-3                       The GNU Bourne Again SHell
ii  bash-completion             1:1.3-1                     programmable completion for the bash shell
ii  groff-base                  1.21-4                      GNU troff text-formatting system (base system components)
ii  iproute                     20110107-2                  networking and traffic control tools
ii  libgeoip1                   1.4.7~beta10+dfsg-4         A non-DNS IP-to-country resolver library
ii  libgnutls26                 2.10.4-2                    the GNU TLS library - runtime library
ii  libgpg-error0               1.10-0.3                    library for common error values and messages in GnuPG components
ii  libpipeline1                1.1.0-1                     pipeline manipulation library
ii  libsensors4                 1:3.2.0-1                   library to read temperature/voltage/fan sensors
ii  libusb-0.1-4                2:0.1.12-17                 userspace USB programming library
ii  libwireshark-data           1.4.3-2                     a network packet dissection library -- data files
ii  libwireshark0               1.4.3-2                     a network packet dissection library -- shared library
ii  libwiretap0                 1.4.3-2                     a network packet capture library -- shared library
ii  libwsutil0                  1.4.3-2                     network packet dissection utilities library -- shared library
ii  libx11-6                    2:1.4.1-4                   X11 client-side library
ii  libx11-data                 2:1.4.1-4                   X11 client-side library
ii  libxcb-render0              1.7-2                       X C Binding, render extension
ii  libxcb1                     1.7-2                       X C Binding
ii  libxext6                    2:1.2.0-2                   X11 miscellaneous extension library
ii  login                       1:4.1.4.2+svn3283-3         system login tools
ii  man-db                      2.5.9-4                     on-line manual pager
ii  passwd                      1:4.1.4.2+svn3283-3         change and administer password and group data
ii  rsyslog                     5.7.3-1                     enhanced multi-threaded syslogd
ii  tshark                      1.4.3-2                     network traffic analyzer - console version
ii  ttf-dejavu                  2.32-1                      Metapackage to pull in ttf-dejavu-core and ttf-dejavu-extra
ii  ttf-dejavu-core             2.32-1                      Vera font family derivate with additional characters
ii  ttf-dejavu-extra            2.32-1                      Vera font family derivate with additional characters
ii  wireshark-common            1.4.3-2                     network traffic analyzer - common files

Regards,
--
----------
Jim Barber
DDI Health
Jim Barber
2011-Feb-21 05:35 UTC
[Logcheck-devel] Bug#614318: logcheck sends an email even when there are no entries after filtering
I have found the package that is at fault.
It was the upgrade of rsyslog from version 4.6.4-2 to 5.7.3-1.

As per rsyslog bug #612829 the daemon no longer strips off trailing blanks from the syslog output.

In my /var/log/syslog file there are blank lines every time my snmp daemon logs something:

eg.

    Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]

    Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]

    Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]

Instead of:

    Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]
    Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]
    Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]

The fix is to add the following pattern to the ignore.d.server list for logcheck:

    ^\s*$

This stops it reporting on the blank lines, or lines that consist of only white-space.

Regards,
--
----------
Jim Barber
DDI Health
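Added example, not part of the original thread and not logcheck's own code: the filter stage is reduced here to a single grep -E -v -f pass so the effect of the blank-line rule can be checked against a constructed log, including that an event no rule covers is still reported. The function name unmatched_count, the rule file names, the snmpd rule and the sshd line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: simplified stand-in for logcheck's filter stage.
# All log lines and rule files below are constructed for illustration.

# unmatched_count LOGFILE RULEFILE
# Prints the number of log lines left after "grep -E -v -f RULEFILE",
# i.e. the lines that would land in the report mail.
unmatched_count() {
    # grep exits 1 when every line is filtered; that is the "no mail" case.
    { grep -E -v -f "$2" "$1" || true; } | wc -l | tr -d ' '
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Each snmpd entry is followed by an empty or whitespace-only line.
entry='Feb 21 13:28:51 monitor snmpd[1310]: Connection from UDP: [10.128.0.1]:37645->[10.128.0.6]'
{
    printf '%s\n' "$entry"; printf '\n'
    printf '%s\n' "$entry"; printf '   \n'
    printf '%s\n' "$entry"; printf ' \t\n'
} > "$work/syslog"

# The same log plus one constructed event that no rule covers.
cp "$work/syslog" "$work/syslog.event"
printf '%s\n' 'Feb 21 13:29:02 monitor sshd[2211]: Failed password for root from 10.128.0.9 port 50222 ssh2' >> "$work/syslog.event"

# Hypothetical local rule that ignores the snmpd connection lines.
snmpd_rule='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ snmpd\[[[:digit:]]+\]: Connection from UDP: '

# Rule set before the fix: only the snmpd rule.
printf '%s\n' "$snmpd_rule" > "$work/rules.before"
# The pattern from the message above; \s is a GNU grep extension.
printf '%s\n' "$snmpd_rule" '^\s*$' > "$work/rules.page"
# POSIX character-class spelling of the same rule.
printf '%s\n' "$snmpd_rule" '^[[:space:]]*$' > "$work/rules.posix"

echo "before fix:  $(unmatched_count "$work/syslog" "$work/rules.before") line(s) reported"
echo "page rule:   $(unmatched_count "$work/syslog" "$work/rules.page") line(s) reported"
echo "posix rule:  $(unmatched_count "$work/syslog" "$work/rules.posix") line(s) reported"
echo "real event:  $(unmatched_count "$work/syslog.event" "$work/rules.posix") line(s) reported"
```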