Old 09-06-2005, 01:52 PM   #1
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Rep: Reputation: 0
logcheck does not read logfiles!


Hi!

I'm running a Debian 3.1 (Sarge) server box and recently I implemented Logcheck on my system. The problem is that whenever logcheck runs I get 2 error-mails. I don't know what to do about this problem.

The content of the first of the two error mails looks something like this:

if [ -x /usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/lib/logcheck>
X-Cron-Env: <LOGNAME=logcheck>

sort: misslyckades öppna: /tmp/logcheck.vHYtoc/logoutput/*: Filen eller katalogen finns inte
# means in English: that the mentioned file could not be opened and that the file does not exist.


And the content of the second of the two error-mails looks something like this:

Warning: If you are seeing this message, your log files may not have been
checked!

Details:
E: File could not be read: /var/log/auth.log
E: File could not be read: /var/log/critical.log
E: File could not be read: /var/log/cron.log
E: File could not be read: /var/log/daemon.log
E: File could not be read: /var/log/emergency.log
E: File could not be read: /var/log/error.log
E: File could not be read: /var/log/info.log
E: File could not be read: /var/log/kern.log
E: File could not be read: /var/log/lpr.log
E: File could not be read: /var/log/mail.log
E: File could not be read: /var/log/user.log
E: File could not be read: /var/log/uucp.log

Check temporary directory: /tmp/logcheck.vHYtoc
#...which as said does not exist!!

declare -x HOME="/var/lib/logcheck"
declare -x LANG="en_GB"
declare -x LANGUAGE="sv_SE:sv:en_GB:en"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="2"

And yes, it looks like a permission problem, but I have tried to make the files readable to the adm group like this:
chgrp adm /var/log/auth

and I have also tried to add logcheck to the root group, which is the group that the files belong to from the beginning.

Permissions for the files are: rwxrwx root:root (or root:adm after the attempt above)

And absolutely nothing works

I really do hope someone can help me, because I think logcheck would be very useful if only I could get it to work.

All the best

Tommy
 
Old 09-06-2005, 02:02 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
First off, logfiles should have rw-r----- root:adm permissions at most. (640).

What user/group is logcheck running as? Have you run it manually from the command line?
 
Old 09-06-2005, 03:28 PM   #3
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Hi!

Yes, I know about the log permissions, but I raised them now just to see if they made a difference, which they did not.

Logcheck is running with its default settings: as user logcheck and with the groups logcheck and adm. And as I wrote, I tried to change the permissions on the files to root:adm and also the other way around by adding logcheck to the group root when the files have the permissions root:root. And as I also wrote, none of that works. That is why this is such a mystery.

It might be some restriction from some safety-program such as PAM or something, I don't know???

I tried to run the program from the command line, but as root I've been told that it can't be run as root, and as a user that it can't be found?? But you can suggest some way to do that and I'll try it once more.

Tommy
 
Old 09-06-2005, 07:54 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Try su -c 'logcheck'.
 
Old 09-07-2005, 01:02 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 18,238

Rep: Reputation: 2712
Try man newgrp ; if the relevant group (ie of the file ownership) is not the primary one (of the user) ie first in list, you may have to do this. You can only change to a group you are in.
See /etc/group .
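
Added example, not part of any post in this thread: a POSIX shell sketch of the two checks discussed above, namely which permission class (owner, group, other) applies to the logcheck identity on a log file, and which mode bits exceed the 640 ceiling. It assumes GNU `stat`; the function names `read_class` and `loose_bits` are hypothetical, and only mode bits are examined (no ACLs, no root override, no search permission on parent directories).

```shell
#!/bin/sh
# Added example (not from the thread). Mode-bit logic only: ignores root's
# override, POSIX ACLs and search permission on parent directories.

# read_class UID "GID GID ..." FILE
# Prints which permission class the kernel applies to that identity
# (owner, group or other) and whether that class has the read bit.
# Classes are exclusive: an owner without the read bit is denied even if
# the group or other bits would allow reading.
read_class() {
    uid=$1 gids=$2 file=$3
    set -- $(stat -c '%u %g %a' "$file")   # owner uid, group gid, octal mode
    f_uid=$1 f_gid=$2 mode=$(( 0$3 ))
    if [ "$uid" = "$f_uid" ]; then
        class=owner bit=$(( mode & 0400 ))
    else
        class=other bit=$(( mode & 0004 ))
        for g in $gids; do                 # primary and supplementary gids
            if [ "$g" = "$f_gid" ]; then
                class=group bit=$(( mode & 0040 ))
                break
            fi
        done
    fi
    if [ "$bit" -ne 0 ]; then echo "$class:readable"; else echo "$class:denied"; fi
}

# loose_bits FILE
# Prints, in octal, the mode bits set beyond the 640 (rw-r-----) ceiling
# mentioned in the thread; prints 0 when the file is within it.
loose_bits() {
    mode=$(( 0$(stat -c '%a' "$1") ))
    printf '%o\n' $(( mode & ~0640 & 07777 ))
}

# Typical use on the box from the thread (user name and path as posted there):
#   read_class "$(id -u logcheck)" "$(id -G logcheck)" /var/log/auth.log
#   loose_bits /var/log/auth.log
```

A result of `group:readable` together with `loose_bits` printing `0` corresponds to the root:adm 640 setup described in the thread, with logcheck in the adm group.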
 
Old 09-11-2005, 05:16 PM   #6
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Hi again all!

Now I have worked a lot with these problems and, well, the error messages about the files are gone, but instead I got another. And from what I have understood, I'm not alone in having this, but nowhere on the net have I found any solution to it. So if someone a) knows if it's a fault by the users or, as I think, a bug and b) above all knows how to fix it, then please let me know. I downloaded, btw, the latest version of logcheck, logtail and logcheck DB (version 1.2.41) but that, as you surely by now have figured out, did not help at all.

Anyway, this is how the actual error-message looks:

Warning: If you are seeing this message, your log files may not have been
checked!

Details:
Could not run logtail or save output

Check temporary directory: /tmp/logcheck.jU7sJe

declare -x HOME="/var/lib/logcheck"
declare -x LANG="en_GB"
declare -x LANGUAGE="sv_SE:sv:en_GB:en"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"

...I'm sure some of you recognize this ugly f**ker, and if, as I said, anyone knows how to make it work, plz help. Or a suggestion of another program or solution that can replace logcheck will also come in handy.

All the best for now from //T
 
Old 09-11-2005, 05:20 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Try "ls -ld /tmp". Does that temporary directory exist as well?
 
Old 09-11-2005, 05:37 PM   #8
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Well, the directory /tmp exists, yes...but not the logcheck-files that it says should be written to the /tmp-dir....and from what I read on the net, that's part of the bug or whatever problem it now is.

And if you wonder (as with the ls command), I have for now set the permissions of the /tmp-directory to 777, but that did not help.

//T
 
Old 09-11-2005, 05:51 PM   #9
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Hm, ok, I got it wrong, but now I see what you mean and no, no temporary directory exists in the /tmp-dir, and no files, nothing that should have come from logcheck at all. That is, as I said, apparently the problem/bug or whatever it is.

Sorry for the confusion, it's pretty late here so I blame it on that ;-)

Cheers!

//T
 
Old 09-11-2005, 06:58 PM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Well, showing an 'ls -ld' of the temp dir would help us figure out the permissions on it and whether or not that could be related.
 
Old 09-12-2005, 07:47 AM   #11
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Ok, I understand, but I think it's not related....the issues now are, according to the error-mail, these two:

Could not run logtail or save output

Check temporary directory: /tmp/logcheck.jU7sJe

And why it cannot run logtail or why logtail doesn't work properly, I don't know. From what I read on the internet, it should have been some bug and it should also by now have been fixed, apparently not! Then whether the "fake" logcheck directories are a consequence of that or part of that "bug", I don't know. Something is apparently wrong, bug or not, and others have this problem, but I haven't seen any solution to it anywhere, at least not yet!

So if anyone knows something, I will truly appreciate some help.

I am also open to suggestions for replacing logcheck with something else that really works.

All the best

Tommy
 
Old 09-12-2005, 10:17 AM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Can you run logtail as root? I've been using logcheck on 6-7 boxes for several months now with no problems.
 
Old 09-12-2005, 11:13 AM   #13
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
No, I can't run it as root. First I got a message that logcheck shouldn't be run as root and I should type in "su -s /bin/bash -c "/usr/sbin/logcheck[options]" logcheck"...with which I got only an error message like the one above. Then I tried as user, but logcheck had no passwd so I added one. But logcheck didn't react at all when I ran it as a user. Back as root I tried to run it again and now I got the following error: "unknown ID: /usr/sbin/logcheck". I'll soon go nuts on this shit!

Hm, well, maybe it is some trouble regarding the Debian binary packages then? You are running Gentoo so maybe it is not the same problem there. Obviously something is really wrong here, but what??

Thanks for trying to help though

//T
 
Old 09-12-2005, 12:26 PM   #14
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Well, since you said you were open to alternatives, what about logwatch?
 
Old 09-12-2005, 03:26 PM   #15
cyberpunx
LQ Newbie
 
Registered: Jun 2005
Location: Sweden
Distribution: debian
Posts: 10

Original Poster
Rep: Reputation: 0
Well, maybe...just so I get something that really works. I have only just heard about logwatch. Can you tell me something about it or give me a URL? And also, hopefully not something that takes ages to configure.

All the best!!

//T
 
  

