Package: logcheck
Version: 1.3.24
Tags: patch
X-Debbugs-Cc: richard.lewis.deb...@googlemail.com
logcheck should check the systemd journal by default. Support is available, but not currently enabled by default.

To enable support you should (as root):

a) touch /var/lib/logcheck/offset.journal
b) chown logcheck /var/lib/logcheck/offset.journal
c) echo journal > /etc/logcheck/logcheck.logfiles.d/journal.logfiles
d) run logcheck as normal

(a) and (b) are needed to work round a bug in logcheck: the first time logcheck checks the journal it attempts to check every single line ever written to the journal, which is likely to result in logcheck being killed by the OOM-killer. Creating the files in /var/lib means only new lines are checked.

The attached patch fixes this by making logcheck only check the most recent 5 hours if the offset file is not present.

In addition to this patch, logcheck should
- move 'rsyslog | system-log-daemon' from 'depends' to 'suggests'
- ship a file /etc/logcheck/logcheck.logfiles.d/journal.logfiles containing the word 'journal'
- there is no need to remove the existing /etc/logcheck/logcheck.logfiles but the comments could be updated - the 'default' is no longer to use the syslog at all
- add an entry in NEWS.Debian (if no-one else does, I'll send as a MR once the other MRs are merged/closed)

What about non-systemd systems?
-------------------------------

This setting should not affect non-systemd systems (untested). Inside logcheck, logoutput() already knows to do nothing if journalctl is not in the $PATH, but I don't know what happens if a system has journalctl installed but the journal is not running: journalctl may still work, or the user may get an error on every invocation of logcheck.

We could easily patch logcheck to deal with this if it is an issue (I don't know how to check whether the journal is not being used, but there are other options, including not reporting errors or not attempting to check the journal if systemd is not running).

Of course, such systems are increasingly non-standard, and a user who has opted out of systemd or its journal will presumably be easily capable of editing /etc/logcheck/logcheck.logfiles.d/journal.logfiles to turn off journal checking if they want.

Why systemd should be considered the default
--------------------------------------------

For bookworm, my understanding is:
- the default is for logging to primarily happen via the systemd journal writing log entries into /var/log/journal
- the journal will duplicate these messages into /var/log/syslog only if a) system-log-daemon (provided by rsyslog and other packages) is installed and b) the user does not disable this feature by setting ForwardToSyslog=no in /etc/systemd/journald.conf
- (I _think_ I saw the systemd maintainers suggest on debian-devel that either they or upstream will turn off the forwarding at some point, but this has not yet been done.)
- rsyslog is demoted to priority:optional (stated by the maintainer here https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=1023596;msg=15 - I was not able to find this in rsyslog's changelog, but it seems to be the case in unstable today (7 Dec 2022))
- no other package providing system-log-daemon has been increased to priority higher than optional (checked in unstable using aptitude)

therefore, new bookworm installations will only have logging via the journal unless the user requested a syslog (tens of packages depend on rsyslog).
-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-15-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                                    3.118
ii  exim4-daemon-light [mail-transport-agent]  4.94.2-7
ii  lockfile-progs                             0.1.18
ii  logtail                                    1.3.24+local6
ii  mime-construct                             1.11+nmu3

Versions of packages logcheck recommends:
ii  logcheck-database  1.3.24+local6
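As an added example (not part of this report and not logcheck's own code), the POSIX shell script below performs steps a) to c) from the report, computes the journalctl --since argument the same way logoutput() does once the attached patch is applied, and adds the "is systemd actually running" check the report says it lacks. The prefix argument to enable_journal_checking (so the steps can be rehearsed as an unprivileged user), the function names, and the use of /run/systemd/system as the test (the directory systemd's own sd_booted(3) checks, and the path reportbug printed under "Init:" above) are assumptions of this example, not anything logcheck ships; stat -c %Y needs GNU coreutils, as logcheck itself does.

```shell
#!/bin/sh
# Added example for the logcheck journal bug report; not logcheck's own code.
# Assumptions (not from the report): the optional prefix argument is a
# hypothetical test root; with no prefix the functions act on the real paths
# and must be run as root. Requires GNU coreutils (stat -c %Y).

# Same test systemd uses for sd_booted(3): /run/systemd/system exists only
# when the system was booted with systemd as PID 1. The argument lets a test
# point at a different directory.
systemd_booted() {
    [ -d "${1:-/run/systemd/system}" ]
}

# Journal checking can only work when journalctl is on the PATH *and* the
# system was booted with systemd; logcheck today only tests the former.
journal_usable() {
    command -v journalctl >/dev/null 2>&1 && systemd_booted "$1"
}

# Compute the --since argument logoutput() passes to journalctl after the
# patch: the offset file's mtime when it exists, otherwise a 5-hour window
# instead of the entire journal history.
journal_since_arg() {
    offsetfile=$1
    if [ -f "$offsetfile" ]; then
        printf '%s\n' "--since=@$(stat -c %Y "$offsetfile")"
    else
        printf '%s\n' "--since=-5h"
    fi
}

# Steps a) to c) from the report: create the offset file so that only new
# journal lines are checked, and enable journal checking via logfiles.d.
enable_journal_checking() {
    root=${1:-}
    statedir="$root/var/lib/logcheck"
    confdir="$root/etc/logcheck/logcheck.logfiles.d"
    mkdir -p "$statedir" "$confdir" || return 1
    touch "$statedir/offset.journal" || return 1
    # chown only makes sense on the real system; skip it under a test prefix.
    if [ -z "$root" ]; then
        chown logcheck "$statedir/offset.journal" || return 1
    fi
    echo journal > "$confdir/journal.logfiles" || return 1
}
```

Usage on a real host is `enable_journal_checking` as root followed by a normal logcheck run (step d). Calling `journal_usable` before touching the journal at all is one way to implement the "do nothing if systemd is not running" option the report mentions, without having to interpret journalctl's errors.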
diff --git a/src/logcheck b/src/logcheck index e887fb09..cb623671 100755 --- a/src/logcheck +++ b/src/logcheck @@ -455,6 +455,12 @@ logoutput() { offsettime="" if [ -f "$offsetfile" ]; then offsettime="--since=@$(stat -c %Y "$offsetfile")" + else + echo "This is the first time logcheck has checked output in the systemd journal." \ + >> "$TMPDIR/report" || error "Could not write message about first-time check of journal to report" + echo "Only recent entries (last 5 hours) will be checked" \ + >> "$TMPDIR/report" || error "Could not write message about first-time check of journal to report" + offsettime="--since=-5h" fi debug "Running $JOURNALCTL ${JOURNALCTL_OPTS[*]} -q $offsettime" "$JOURNALCTL" "${JOURNALCTL_OPTS[@]}" --quiet "$offsettime" \
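Review bot: the 5-hour fallback in the else branch is a hard-coded literal in two places, the report text "Only recent entries (last 5 hours) will be checked" and `offsettime="--since=-5h"`, so the two can drift apart and the window cannot be tuned to how often cron runs logcheck; hoist it into one variable (a default that logcheck.conf could override) and build both the message and the --since argument from it. The first echo also claims "This is the first time logcheck has checked output in the systemd journal", but the branch runs whenever "$offsetfile" is absent, for example after the offset file has been deleted, so word it as the offset file being missing rather than as a first run. Finally, with both branches of the if now assigning offsettime, the `offsettime=""` initialisation at the top of the hunk is dead and can go, and the quoted "$offsettime" passed to "$JOURNALCTL" is always non-empty.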