Hi,

On Thu, Mar 14, 2024 at 11:25:52AM -0700, John Conover wrote:
> Email from logcheck(1) contains:
> 
>     E: File could not be read: /var/log/syslog
>     E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.
> 
> The offending file:
> 
>     /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
> 
> contains both filenames.

You haven't asked a question so I shall attempt to read your mind
and divine that you are wishing to know why there is a logcheck file
that refers to log files that don't exist.

The reason is that as of Debian 12, a syslogd is not installed by
default and logging is handled by systemd-journald. There is a file
in the logcheck package for reading the systemd journal:

/etc/logcheck/logcheck.logfiles.d/journal.logfiles

If you intend to do that you are meant to uncomment what is in that
one and comment what is in
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles.

If your intent is to have logcheck read syslog files then you first
need to install a syslogd. As others have mentioned, rsyslogd is
popular on Debian and was installed by default on previous releases.
There are others.

I don't recall what logcheck does by default as regards commenting
in these files. Probably you haven't changed anything and those
files come as you have presented here. If so then it may be worth a
bug report since logcheck does support reading from the journal yet
apparently defaults to not doing so.

Though that may be a big job as I think all the sample pattern files
for logcheck are still geared towards rsyslogd's format, not
journald's.

Myself, I still use logcheck with rsyslogd on Debian 12.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
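
Added example, not part of the message above or of the logcheck package: a shell function that lists the active (uncommented) file entries in the logcheck.logfiles.d snippets that cannot be read, which is the condition behind the "E: File could not be read" mail. It assumes that an entry not starting with "/" is not a file path and skips it.

```shell
#!/bin/sh
# Report uncommented path entries in logcheck's *.logfiles snippets that
# the current user cannot read.
# Output format: "<snippet file>: <unreadable path>", one per line.
unreadable_logfiles() {
    dir=${1:-/etc/logcheck/logcheck.logfiles.d}
    for f in "$dir"/*.logfiles; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # Trim surrounding whitespace before classifying the entry.
            entry=$(printf '%s\n' "$line" |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case $entry in
                ''|'#'*)
                    # Blank line or commented-out entry: inactive.
                    continue ;;
                /*)
                    # Active file entry: flag it if it cannot be read.
                    [ -r "$entry" ] || printf '%s: %s\n' "${f##*/}" "$entry" ;;
                *)
                    # Assumption: not a file path, so nothing to check.
                    : ;;
            esac
        done < "$f"
    done
}

# Check the default directory, or the one given as the first argument.
unreadable_logfiles "$@"
```

Readability is tested for whoever runs the script, so run it as the account logcheck itself runs under to see what logcheck sees.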
