[SOLVED] incron problem

battles · 11-14-2014, 09:48 AM

I am using incron to monitor the /var/log/auth.log file with the incrontab -e parameter below. incron is firing the icronBanSSH.sh correctly however, when an access_log is rolled over and compressed and a new empty access_log is created, incron no longer fires cronBanSSH.sh. It is as if incron looses track of the (new) empty access_log. Has anyone had this problem? If I go and do a incrontab -e and modify the incron file, it starts firing again. I guess I could kill and restart incron when I detect a new access_log file has been created, but this seems to be a bug in incron.

/var/log/auth.log IN_MODIFY /etc/SSH404Block/icronBanSSH.sh

Any other suggestions?
Thanks.

unSpawn · 11-15-2014, 07:47 PM

It's about tracking the file descriptor the log file uses. If you use logrotate then you could use the post section to restart things. BTW, is there a particular reason why you're using such a kludge instead of say fail2ban?

battles · 11-15-2014, 07:59 PM

Thanks. I'll look into this 'post section'. Right now I am killing incron when logrotate happens and restarting one minute after.
I have written my own fail2ban routine that suits our needs better and incron is used to start it upon log changes.