Package: logcheck
Version: 1.4.2
Followup-For: Bug #1041524

Dear Maintainer,

I also had the problem of duplicated journalctl/rsyslogd messages with different time formatting, but unlike what is suggested in this bug I'd like to move to the precision format - and thus came up with a patch to specify journalctl options before I even found this bug. So perhaps you'd like to use (or adapt) my simple patch, which allows adding this to the configuration, if desired:

JOURNALCTL_OPTS="-oshort-iso-precise"

-- System Information:
Debian Release: 12.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                               3.134
ii  cron [cron-daemon]                    3.0pl1-162
ii  lockfile-progs                        0.1.19
ii  logtail                               1.4.2
ii  mime-construct                        1.12+really1.11-1
ii  sendmail-bin [mail-transport-agent]   8.17.1.9-2

Versions of packages logcheck recommends:
ii  logcheck-database  1.4.2

Versions of packages logcheck suggests:
ii  rsyslog [system-log-daemon]  8.2302.0-1

-- Configuration Files:
/etc/logcheck/header.txt [Errno 13] Permission denied: '/etc/logcheck/header.txt'
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles'
/etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'

-- no debconf information
# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale

#DATE="$(date +'%Y-%m-%d %H:%M')"

# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.

#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.

REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddr...@some.domain.tld"

SENDMAILTO="logcheck"

# Send the results as attachment or not.
# 0=not as attachment; 1=as attachment; 2=as gzip attachment
# Default is 0

MAILASATTACH=0

# Should the hostname in the subject of generated mails be fully qualified?

FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting

#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support

#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path

#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
# HINT: syslog-summary needs to be installed.

#SYSLOGSUMMARY=0

# Controls Subject: lines on logcheck reports:

#ATTACKSUBJECT="Security Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines

#ADDTAG="no"

# Previous versions of logcheck always sent messages in 7bit encoding,
# even if that resulted in RFC-violating messages. For example, really
# long syslog lines would generate too-long SMTP lines, which are
# rejected at least by Debian's default exim configuration. The new
# default is to let mime-construct pick an appropriate encoding, but you
# can override it by setting the below (to any of the encodings
# supported by mime-construct). You may need to do this if you have
# tools handling logcheck emails that don't understand MIME encoding.

#MIMEENCODING=

# Set a different location for temporary files than /tmp
# this is useful if your /tmp is small and you are getting
# errors such as:
# cp: writing `/tmp/logcheck.y12449/checked': No space left on device
# /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device
# mail: /tmp/mail.RsXXXXpc2eAx: No space left on device
# Null message body; hope that's ok
#
# If this is happening, likely you will want to change the following to be some other
# location, such as /var/tmp

TMP="/tmp"

JOURNALCTL_OPTS="-oshort-iso-precise"
--- logcheck 2023-08-27 10:20:46.898407174 +0200 +++ logcheck.orig 2023-08-27 10:20:23.762367570 +0200 @@ -477,7 +477,7 @@ logoutput() { local file="$1" local JOURNALCTL="journalctl" - local JOPTS=() LOPTS=() + local JOURNALCTL_OPTS=() OPTS=() local offsetfile offsettime # There are some problems with this section. @@ -486,17 +486,14 @@ offsetfile="$STATEDIR/offset$(echo "$file" | tr / .)" debug "Running $LOGTAIL on $file" - LOPTS=( -f "$file" -o "$offsetfile" ) + OPTS=( -f "$file" -o "$offsetfile" ) if [ -n "${LOGTAIL_OPTS-}" ]; then - LOPTS+=("$LOGTAIL_OPTS") + OPTS+=("$LOGTAIL_OPTS") fi - "$LOGTAIL" "${LOPTS[@]}" >> "$TMPDIR/logoutput/$(basename "$file")" 2>&1 \ + "$LOGTAIL" "${OPTS[@]}" >> "$TMPDIR/logoutput/$(basename "$file")" 2>&1 \ || error "Could not run logtail or save output" else if [ "$file" = "journal" ] && [ -x "$(command -v $JOURNALCTL)" ]; then - if [ -n "${JOURNALCTL_OPTS-}" ]; then - JOPTS+=("$JOURNALCTL_OPTS") - fi offsetfile="$STATEDIR/offset.$file" offsettime="" if [ -f "$offsetfile" ]; then @@ -510,8 +507,8 @@ >> "$TMPDIR/report" || error "Could not write message about first-time check of journal to report" offsettime="--since=-5h" fi - debug "Running $JOURNALCTL ${JOPTS[*]} --quiet $offsettime" - "$JOURNALCTL" "${JOPTS[@]}" --quiet "$offsettime" \ + debug "Running $JOURNALCTL ${JOURNALCTL_OPTS[*]} -q $offsettime" + "$JOURNALCTL" "${JOURNALCTL_OPTS[@]}" --quiet "$offsettime" \ >> "$TMPDIR/logoutput/$file" 2>&1 \ || error "Could not run journalctl or save output" touch "$offsetfile"
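Review bot: The diff is generated in the reverse direction, which shows in the file headers and the first hunk (@@ -477,7 +477,7 @@): the headers read "--- logcheck" and "+++ logcheck.orig", so the proposed line, local JOPTS=() LOPTS=(), sits on the "-" side and the existing line, local JOURNALCTL_OPTS=() OPTS=(), on the "+" side. Applied as posted it would take the feature out rather than add it. Please regenerate it with the original file first (diff -u logcheck.orig logcheck) or state that it needs patch -R. The rename itself is needed: the existing local array named JOURNALCTL_OPTS shadows any value of that name set in logcheck.conf, so the configured option would never reach journalctl.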
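Review bot: In the second hunk (@@ -486,17 +486,14 @@), JOPTS+=("$JOURNALCTL_OPTS") appends the whole configuration string as one array element, so a setting that holds more than one option, for example "-o short-iso-precise --utc", reaches journalctl as a single argument. The one-word value "-oshort-iso-precise" from the report works only because it contains no whitespace. Either split the value into words deliberately before the call, for instance

    read -r -a JOPTS <<< "$JOURNALCTL_OPTS"

or document that exactly one option is accepted; LOPTS+=("$LOGTAIL_OPTS") in the same hunk has the same limitation. The patch also carries no documentation for the new variable: a commented "#JOURNALCTL_OPTS=" entry with a short description in logcheck.conf, in the style of the other settings, would tell administrators that the value changes the line format logcheck's rules are matched against.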