Package: logcheck
Version: 1.4.2
Followup-For: Bug #1041524

Dear Maintainer,

I also had the problem of duplicated journalctl/rsyslogd messages with
different time formatting, but otherwise than suggested in this bug I'd
like to move to the precision format - and thus came up with a patch to
specify journalctl options before I even found this bug.

So perhaps you'd like to use (or adapt) my simple patch which allows to
add this to the configuration, if desired:

JOURNALCTL_OPTS="-oshort-iso-precise"




-- System Information:
Debian Release: 12.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                              3.134
ii  cron [cron-daemon]                   3.0pl1-162
ii  lockfile-progs                       0.1.19
ii  logtail                              1.4.2
ii  mime-construct                       1.12+really1.11-1
ii  sendmail-bin [mail-transport-agent]  8.17.1.9-2

Versions of packages logcheck recommends:
ii  logcheck-database  1.4.2

Versions of packages logcheck suggests:
ii  rsyslog [system-log-daemon]  8.2302.0-1

-- Configuration Files:
/etc/logcheck/header.txt [Errno 13] Permission denied: '/etc/logcheck/header.txt'
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles'
/etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'

-- no debconf information
# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale

#DATE="$(date +'%Y-%m-%d %H:%M')"

# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.

#INTRO=1

# Controls the level of filtering:
# Can be set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddr...@some.domain.tld"

SENDMAILTO="logcheck"

# Send the results as attachment or not.
# 0=not as attachment; 1=as attachment; 2=as gzip attachment
# Default is 0

MAILASATTACH=0

# Should the hostname in the subject of generated mails be fully qualified?

FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting

#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support

#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path

#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
# HINT: syslog-summary needs to be installed.

#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:

#ATTACKSUBJECT="Security Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines

#ADDTAG="no"

# Previous versions of logcheck always sent messages in 7bit encoding,
# even if that resulted in RFC-violating messages. For example, really
# long syslog lines would generate too-long SMTP lines, which are
# rejected at least by Debian's default exim configuration. The new
# default is to let mime-construct pick an appropriate encoding, but you
# can override it by setting the below (to any of the encodings
# supported by mime-construct). You may need to do this if you have
# tools handling logcheck emails that don't understand MIME encoding.

#MIMEENCODING=

# Set a different location for temporary files than /tmp
# this is useful if your /tmp is small and you are getting
# errors such as:
# cp: writing `/tmp/logcheck.y12449/checked': No space left on device
# /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device
# mail: /tmp/mail.RsXXXXpc2eAx: No space left on device
# Null message body; hope that's ok
#
# If this is happening, likely you will want to change the following to be some other
# location, such as /var/tmp

TMP="/tmp"

JOURNALCTL_OPTS="-oshort-iso-precise"
--- logcheck    2023-08-27 10:20:46.898407174 +0200
+++ logcheck.orig       2023-08-27 10:20:23.762367570 +0200
@@ -477,7 +477,7 @@
 logoutput() {
                local file="$1"
                local JOURNALCTL="journalctl"
-               local JOPTS=() LOPTS=()
+               local JOURNALCTL_OPTS=() OPTS=()
                local offsetfile offsettime
 
                # There are some problems with this section.
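
Review bot: The diff direction is reversed. The file headers read '--- logcheck' and '+++ logcheck.orig', so in this hunk the '-' line (local JOPTS=() LOPTS=()) is the proposed code and the '+' line is the current one; applied as posted, the patch would remove the feature instead of adding it. Regenerate it with the original file first (diff -u logcheck.orig logcheck) and send it as an attachment so long lines are not wrapped. The declaration on the '+' side, local JOURNALCTL_OPTS=(), creates an empty local array that shadows any value of the same name set in the configuration, so renaming the local to JOPTS is the right fix and deserves a line in the commit message.
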
@@ -486,17 +486,14 @@
                                offsetfile="$STATEDIR/offset$(echo "$file" | tr 
/ .)"
                                debug "Running $LOGTAIL on $file"
 
-                               LOPTS=( -f "$file" -o "$offsetfile" )
+                               OPTS=( -f "$file" -o "$offsetfile" )
                                if [ -n "${LOGTAIL_OPTS-}" ]; then
-                                               LOPTS+=("$LOGTAIL_OPTS")
+                                               OPTS+=("$LOGTAIL_OPTS")
                                fi
-                               "$LOGTAIL" "${LOPTS[@]}" >> 
"$TMPDIR/logoutput/$(basename "$file")" 2>&1 \
+                               "$LOGTAIL" "${OPTS[@]}" >> 
"$TMPDIR/logoutput/$(basename "$file")" 2>&1 \
                                                || error "Could not run logtail 
or save output"
                else
                                if [ "$file" = "journal" ] && [ -x "$(command 
-v $JOURNALCTL)" ]; then
-                                               if [ -n "${JOURNALCTL_OPTS-}" 
]; then
-                                                       
JOPTS+=("$JOURNALCTL_OPTS")
-                                               fi
                                                
offsetfile="$STATEDIR/offset.$file"
                                                offsettime=""
                                                if [ -f "$offsetfile" ]; then
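
Review bot: On the '-' side, JOPTS+=("$JOURNALCTL_OPTS") appends the whole configuration string as a single array element, so a value holding more than one option (two flags separated by a space) reaches journalctl as one argument rather than two. This mirrors the existing LOGTAIL_OPTS handling a few lines above, so either document that only a single option such as -oshort-iso-precise is supported, or split the value deliberately, for example with read -r -a JOPTS <<< "$JOURNALCTL_OPTS", and apply the same choice to LOGTAIL_OPTS for consistency.
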
@@ -510,8 +507,8 @@
                                                                                
 >> "$TMPDIR/report" || error "Could not write message about first-time check 
of journal to report"
                                                                
offsettime="--since=-5h"
                                                fi
-                                               debug "Running $JOURNALCTL 
${JOPTS[*]} --quiet $offsettime"
-                                               "$JOURNALCTL" "${JOPTS[@]}" 
--quiet "$offsettime" \
+                                               debug "Running $JOURNALCTL 
${JOURNALCTL_OPTS[*]} -q $offsettime"
+                                               "$JOURNALCTL" 
"${JOURNALCTL_OPTS[@]}" --quiet "$offsettime" \
                                                                                
                        >> "$TMPDIR/logoutput/$file" 2>&1 \
                                                                || error "Could 
not run journalctl or save output"
                                                touch "$offsetfile"
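
Review bot: The journalctl call on the '-' side now takes user-supplied options, but nothing in the patch documents the setting: in the attached logcheck.conf, JOURNALCTL_OPTS is a bare last line without the explanatory comment every other variable there has. Add a commented entry stating that the value is handed to journalctl as given and that an output option such as -oshort-iso-precise changes the timestamp format of the journal lines. Because stderr is redirected into "$TMPDIR/logoutput/$file" with 2>&1, an invalid option would also put journalctl's error text into the collected output before error is called, which is worth noting in the same comment.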
