On Sun, 17 Dec 2023 at 19:03, Stefano Callegari
<ste.calleg...@tiscali.it> wrote:
> On Fri, Dec 15, 2023 at 11:31:18PM +0000, Richard Lewis wrote:
> > On Fri, 15 Dec 2023 at 16:06, Stefano Callegari
> > <ste.calleg...@tiscali.it> wrote:
> >
> > > for a few days the emails from cron have been empty, there is only the header.txt.
> >
> > > /etc/logcheck <-bash> # su -s /bin/bash -c "/usr/sbin/logcheck -l /var/log/syslog" logcheck
> > >
> > > the email has the log lines. Without the -l option, still empty.
> >
> > Seems like it isn't checking the syslog -- what is in the files in
> > /etc/logcheck/logcheck.logfiles.d/  and logcheck.conf ?
>

> ~ <-bash> # ls /etc/logcheck/logcheck.logfiles.d/
> journal.logfiles  syslog.logfiles

[snip] -- everything you posted looked fine and standard to me: it
should be checking both syslog and the journal as expected

The only other thing you didn't include is a check of the permissions:
there was a change in bookworm - i doubt that
this is the issue, but for completeness:

the directory /etc/logcheck should be owned by logcheck:logcheck and
permissions: drwxr-x---
the contents should all be root:root and usual permissions, ie
-rw-r--r-- (with subdirectories drwxr-xr-x)

(as long as permissions allow logcheck to read everything, it should all be fine)

> > I suggest also using the -d option -- should say what it is doing in
> > great detail (pipe to file or through less)
>
> I've tried! Many, many lines, never ending; it seems to be a loop. I had to
> do a ^C.

Interesting - that definitely shouldn't happen, and '-d' shouldn't be
doing anything 'extra' to cause that (is it definitely a loop or just
looking like one because if your log contains lines that don't match
any rules (will be reported in the email), logcheck has to check every
single rules file, and -d will tell you the results before and after
each rule file it uses: so it should look like it's printing the same
output many times. to minimise the output, you can run once without
-d, then do a 'logger foo' to ensure there's at least one new line in
the log and then re-run with -d)

The only potential for a loop that i can immediately think of would be
if you had some kind of symlink loop in the rules directory - do you
have any symlinks in the ignore.d.server or similar dirs (check with
ls -laR)

i didn't think that could happen, i've no idea if logcheck would cope
with that or not

Can you provide the start of the -d output /enough to understand what
the loop is?  Otherwise, the start of the output should say what files
it was checking, unfortunately, if there's an issue sending the issue,
it likely won't be obvious until the very end.

the only other thing i can think of is a disk space issue (i could
imagine bad things happening if /tmp was full, or wherever the mta
stores the email - /var or similar)

(you could email it to me if you want to avoid it appearing in the
public bts - up to you: i wouldn't expect there to be anything too
sensitive in the logs, but i suppose we can't rule that out).
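
The ownership, mode and symlink checks suggested in this message, collected into one script. This is an added example, not part of the original e-mail or of logcheck; the function name `audit_logcheck_dir` and the `BAD`/`SYMLINK` output labels are made up here, and it assumes GNU find and stat (as on Debian).

```shell
#!/bin/sh
# Added example (not part of logcheck). Requires GNU find and stat.
# Usage: audit_logcheck_dir [DIR] [DIR_OWNER] [CONTENT_OWNER]
# Defaults are the values stated in the message above; run as root
# on the affected host so every file can be inspected.
audit_logcheck_dir() {
    dir=${1:-/etc/logcheck}
    dir_owner=${2:-logcheck:logcheck}
    content_owner=${3:-root:root}
    findings=0

    # Top-level directory: expected logcheck:logcheck and drwxr-x--- (750).
    top=$(stat -c '%U:%G %a' "$dir") || return 2
    if [ "$top" != "$dir_owner 750" ]; then
        echo "BAD $dir: is $top, expected $dir_owner 750"
        findings=$((findings + 1))
    fi

    # Everything below it. find does not follow symlinks by default,
    # so a symlink loop in the rules directories cannot trap this script.
    listing=$(find "$dir" -mindepth 1 -exec stat -c '%U:%G %a %n' {} +)
    while read -r owner mode path; do
        [ -n "$path" ] || continue
        if [ -L "$path" ]; then
            # Symlinks are only listed, for manual review of their targets.
            echo "SYMLINK $path -> $(readlink "$path")"
            findings=$((findings + 1))
            continue
        fi
        # Subdirectories drwxr-xr-x (755), files -rw-r--r-- (644).
        if [ -d "$path" ]; then want=755; else want=644; fi
        if [ "$owner $mode" != "$content_owner $want" ]; then
            echo "BAD $path: is $owner $mode, expected $content_owner $want"
            findings=$((findings + 1))
        fi
    done <<EOF
$listing
EOF
    # Exit status 0 only when nothing was reported.
    [ "$findings" -eq 0 ]
}
```

A `BAD` line reports a deviation from the modes listed in the message, not necessarily a fault: as the message says, what matters is that the logcheck user can read everything.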
