LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 09-06-2005, 02:52 PM   #1
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Rep: Reputation: 0
logcheck does not read logfiles!


Hi!

Im running a Debian 3.1 (Sarge) server box and recently I implemented Logcheck to my system. The problem is that always when logcheck runs I get 2 error-mails. I dont know what to do about this problem.

The content of the first of the two eror mails looks something like this:

if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/lib/logcheck>
X-Cron-Env: <LOGNAME=logcheck>

sort: misslyckades öppna: /tmp/logcheck.vHYtoc/logoutput/*: Filen eller katalogen finns inte
# means in english: that the mentioned file could not be opened and that the #file does not exist.


And the content of the second of the two error-mails looks something like this:

Warning: If you are seeing this message, your log files may not have been
checked!

Details:
E: File could not be read: /var/log/auth.log
E: File could not be read: /var/log/critical.log
E: File could not be read: /var/log/cron.log
E: File could not be read: /var/log/daemon.log
E: File could not be read: /var/log/emergency.log
E: File could not be read: /var/log/error.log
E: File could not be read: /var/log/info.log
E: File could not be read: /var/log/kern.log
E: File could not be read: /var/log/lpr.log
E: File could not be read: /var/log/mail.log
E: File could not be read: /var/log/user.log
E: File could not be read: /var/log/uucp.log

Check temporary directory: /tmp/logcheck.vHYtoc
#...which as said does not exists!!

declare -x HOME="/var/lib/logcheck"
declare -x LANG="en_GB"
declare -x LANGUAGE="sv_SE:sv:en_GB:en"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="2"

And yes it looks like permission problem but i have tried to make the files readable to the adm group like this:
chgrp adm /var/log/auth

and i have also tried to add logcheck to the root group which is the group that the files belongs to from the beginning.

Permissions for the files are: rwxrwx root:root (or root:adm after the attempt above)

And absolutely nothing works

I really do hope someone can help me, because i think logcheck would be very useful if only I could get it to work.

All the best

Tommy
 
Old 09-06-2005, 03:02 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
First off, logfiles should have rw-r----- root:adm permissions at most. (640).

What user/group is logcheck running as? Have you run it manually from the command line?
 
Old 09-06-2005, 04:28 PM   #3
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
hi!

yes i know about the log permissions but i raised now just to see if they made a difference, which they did not.

Logcheck is running with its default settings: as user logcheck and with the goups logcheck and adm. And as i wrote i tried to change the permissions on the files to root:adm and also the other way around by adding logcheck to the group root when the files have the permissions root:root. And as i also wrote nothing of that works. That is why this is such a mystery.

It might be some restriction from some safety-program such as PAM or something i dont know???

I tried to run the program from the command line but as root ive been told that it cant be runned as root and as a user that i cant be found?? But you can suggest some way to that and i try it once more.

Tommy
 
Old 09-06-2005, 08:54 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Try su -c 'logcheck'.
 
Old 09-07-2005, 02:02 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.10, Centos 7.5
Posts: 17,559

Rep: Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424Reputation: 2424
Try man newgrp ; if the relevant group (ie of the file ownership) is not the primary one (of the user) ie first in list, you may have to do this. You can only change to a group you are in.
See /etc/group .
 
Old 09-11-2005, 06:16 PM   #6
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Hi again all!

Now i have worked a lot with these problems and well the error messages about the files are gone but instead i got another. And after what i have understand im not alone to have this but nowhere on the net have i found any solution to it. So if someone a) knows if its a fault by the users or as i think a bug and b)above all knows how to fix it then please let me know. I downloaded btw the latest version of logchek, logtail and logcheck DB (version 1.2.41) but that did, as you surely by know have figured out, did not help at all.

Anyway this is how the actual error-message look like:

Warning: If you are seeing this message, your log files may not have been
checked!

Details:
Could not run logtail or save output

Check temporary directory: /tmp/logcheck.jU7sJe

declare -x HOME="/var/lib/logcheck"
declare -x LANG="en_GB"
declare -x LANGUAGE="sv_SE:sv:en_GB:en"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"

...Im sure some of you recognize this ugly f**ker, and if as i said anyone knows how to make it work, plz help. Or suggestion of another program or solution that can replace logcheck will also come in handy.

All the best for now from //T
 
Old 09-11-2005, 06:20 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Try "ls -ld /tmp". Does that temporary direct exist as well?
 
Old 09-11-2005, 06:37 PM   #8
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
well the directory /tmp exists yes...but not the logcheck-files that it sais should be written to the /tmp-dir....and after what i read on the net thats part of the bug or whatever problem it now is.

And if you wonder(as with the ls command) i have put for now the permissions of the /tmp-directory to 777, but that did not help.

//T
 
Old 09-11-2005, 06:51 PM   #9
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
hm ok i got it wrong but now i see what you mean and no, no temporary direcotry exists in the /tmf-dir, and no files, nothing that should have come from logcheck at all. That is as i said apparently the problem/bug or whatever it is.

Sorry for the confusion, its pretty late here so i blame it on that ;-)

Cheers!

//T
 
Old 09-11-2005, 07:58 PM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Well, showing an 'ls -ld' of the temp dir would help us figure out the permissions on it and whether or not that could be related.
 
Old 09-12-2005, 08:47 AM   #11
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Ok, i understand but i think its not related....the issues now is according to the error-mail these two:

Could not run logtail or save output

Check temporary directory: /tmp/logcheck.jU7sJe

And why it can not run logtaile or why logtaile doesnt work propely i dont know. After what i read on the internet it should have been som bug and it should also by now have been fixed, apparently not! Then if the "fake"-logcheck-directorys is a consequence of that or part of that "bug" I dont know. Something is apparently wrong, bug or not and others has this problem but i havent seen any solution to it anywhere, at least not yet!

So if anyone knows something i will truly appriciate some help.

Are also open for suggestions for replacements regarding logcheck with something else that really works.

All the best

Tommy
 
Old 09-12-2005, 11:17 AM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Can you run logtail as root? I've been using logcheck on 6-7 boxes for several months now with no problems.
 
Old 09-12-2005, 12:13 PM   #13
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
No i cant run as root. First i got a message that logcheck shoulnd be run as root and i should type in "su -s /bin/bash -c "/usr/sbin/logcheck[options]" logcheck"...wich i got only a error message like the one above. Then i tried as user but logcheck got no passwd so i added one. But logcheck didnt reacted at all when i run it as a user. Back to root i tried to run it again and now i got the following error: 'unknown ID: /usr/sbin/logcheck". I soon go nuts on this shit!

Hm well mabye it is some trouble regarding the Debian binary packages then? You are running gentoo so mabye it is not the same problem there. Obviosly something is really wrong here, but what??

Thanks for trying to help though

//T
 
Old 09-12-2005, 01:26 PM   #14
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 125Reputation: 125
Well, since you said you were open to alternatives, what about logwatch?
 
Old 09-12-2005, 04:26 PM   #15
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
well maybe...just so i get something that really works. I have just heard about logwatch. Can you tell me something about it or give me an url. And also hopefully not something that takes ages to configurate.

All the best!!

//T
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[logcheck] ignore.d and logcheck.ignore cyberpunx Linux - Software 0 09-18-2005 06:07 PM
Logcheck regex to filter out bogus errors Donboy Linux - Security 1 03-14-2005 12:09 AM
how to monitor logfiles ganninu Linux - General 4 12-07-2003 07:36 AM
INFO: configuring logcheck markus1982 Linux - Software 1 05-26-2003 12:54 PM
Logfiles wonderpun Linux - General 3 09-01-2002 04:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 07:02 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration