On 08/05/2017 14:54, Peter Humphrey wrote:
> Hello list,
>
> The logging section of the security handbook[1] recommends using
> app-admin/logcheck to monitor logs, but I can't get past a permission problem.
> Logcheck sends me an e-mail which complains:
>
> ================
> Could not run logtail or save output
>
> Check temporary directory: /tmp/logcheck.thLHYh
>
> Also verify that the logcheck user can read all files referenced in
> /etc/logcheck/logcheck.logfiles!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
you didn't do this, or didn't show that you did

> ================
>
> There's no sign of any /tmp/log* file. /var/log/messages is the only entry in
> /etc/logcheck/logcheck.logfiles .
>
> I tried changing /var/log/messages thus:
>
> # chmod g+r /var/log/messages

bad idea

> # chown :logcheck /var/log/messages

worse bad idea

>
> ...and ran logcheck, only to find that /var/log/messages was back to its
> original permissions:
>
> ls -l /var/log/messages
> -rw------- 1 root root 139K May 8 13:27 /var/log/messages
>
> ...and I got the same e-mail as before.
>
> Has anyone succeeded in running logcheck? What's the magic recipe? I see
> that app-admin/logcheck is maintainer-wanted, so there's no point in raising
> a bug report.
>
> [1] https://wiki.gentoo.org/wiki/Security_Handbook/Logging
>

--
Alan McKinnon
alan.mckin...@gmail.com
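One way to carry out the check that logcheck's e-mail asks for, as an added example that is not part of the original thread or of logcheck itself: it reads a logcheck.logfiles-style list and reports every entry that a given uid and set of gids cannot read according to the file's owner, group and mode bits. The function names are hypothetical; it assumes GNU `stat`, treats `#` lines in the list as comments, and ignores ACLs and search permission on parent directories.

```shell
#!/bin/sh
# Added example, not logcheck's own code. Assumes GNU stat (-c format).

# mode_grants_read FILE UID "GID GID ..."
# Returns 0 if the mode bits grant read, 1 if they do not, 2 if FILE is missing.
mode_grants_read() {
    [ -e "$1" ] || return 2
    [ "$2" -eq 0 ] && return 0              # uid 0 bypasses mode bits
    # Append "permission-string owner-uid owner-gid" to the positional args.
    set -- "$1" "$2" "$3" $(stat -c '%A %u %g' "$1")
    perms=$4 fuid=$5 fgid=$6
    if [ "$2" -eq "$fuid" ]; then
        col=2                               # owner class applies exclusively
    else
        col=8                               # "other", unless a gid matches
        for g in $3; do
            [ "$g" -eq "$fgid" ] && col=5   # group class
        done
    fi
    # Column 2, 5 or 8 of e.g. "-rw-r-----" is the read bit of that class.
    [ "$(printf '%s' "$perms" | cut -c"$col")" = r ]
}

# check_logfiles LIST UID "GID GID ..."
# Prints each listed file the uid cannot read; returns how many there were.
check_logfiles() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        mode_grants_read "$line" "$2" "$3" && continue
        echo "not readable: $line ($(ls -ld "$line" 2>/dev/null || echo missing))"
        bad=$((bad + 1))
    done < "$1"
    return "$bad"
}
```

Run as root, the call for the setup in the thread would be `check_logfiles /etc/logcheck/logcheck.logfiles "$(id -u logcheck)" "$(id -G logcheck)"`; with `/var/log/messages` at `-rw------- root root` it reports that file and returns 1.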