Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Hi,

On Thu, Mar 14, 2024 at 04:18:26PM -0600, Charles Curley wrote:
> Interesting. My logcheck instance works just fine, and makes no such
> complaints. However, my
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles has them commented
> out.

You are probably using the journald support as configured in
/etc/logcheck/logcheck.logfiles.d/journal.logfiles.

> # (If your system does not use a syslog daemon you
> # can comment these lines out)
> # /var/log/syslog
> # /var/log/auth.log
> root@issola:~#
>
> So you might do the same.

OP would also want to check the journal.logfiles file I mentioned
above to check that it is actually set up to read from journald.

Good to know that logcheck has patterns for matching journald logs
though.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
On Thu, 14 Mar 2024 11:25:52 -0700
cono...@panix.com (John Conover) wrote:

> Email from logcheck(1) contains:
>
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
>
> which do not exist in bookworm 12.5.
>
> The offending file:
>
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
>
> contains both filenames.

Interesting. My logcheck instance works just fine, and makes no such
complaints. However, my
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles has them commented
out.

root@issola:~# cat /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
## Log entries in the logs listed below will be checked by logcheck
# The default is to check standard syslog files
# created by rsyslog or other syslog daemons
# (If your system does not use a syslog daemon you
# can comment these lines out)
# /var/log/syslog
# /var/log/auth.log
root@issola:~#

So you might do the same.

--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/

Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Hi,

On Thu, Mar 14, 2024 at 11:25:52AM -0700, John Conover wrote:
> Email from logcheck(1) contains:
>
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
>
> which do not exist in bookworm 12.5.
>
> The offending file:
>
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
>
> contains both filenames.

You haven't asked a question so I shall attempt to read your mind and
divine that you are wishing to know why there is a logcheck file that
refers to log files that don't exist.

The reason is that as of Debian 12, a syslogd is not installed by
default and logging is handled by systemd-journald. There is a file in
the logcheck package for reading the systemd journal:

/etc/logcheck/logcheck.logfiles.d/journal.logfiles

If you intend to do that you are meant to uncomment what is in that
one and comment what is in
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles.

If your intent is to have logcheck read syslog files then you first
need to install a syslogd. As others have mentioned, rsyslogd is
popular on Debian and was installed by default on previous releases.
There are others.

I don't recall what logcheck does by default as regards commenting in
these files. Probably you haven't changed anything and those files
come as you have presented here. If so then it may be worth a bug
report since logcheck does support reading from the journal yet
apparently defaults to not doing so. Though that may be a big job as I
think all the sample pattern files for logcheck are still geared
towards rsyslogd's format, not journald's.

Myself, I still use logcheck with rsyslogd on Debian 12.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

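Added example (not part of the message above and not code from the logcheck package): a POSIX sh check for the situation described in this thread, listing the active entries in a logcheck.logfiles.d directory and flagging listed file paths that cannot be read. The function name audit_logfiles, its optional ROOT argument and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not logcheck's own code. audit_logfiles and its arguments
# are hypothetical names; the sample tree below is constructed.
# Usage: audit_logfiles DIR [ROOT]
#   DIR  - directory holding *.logfiles drop-ins
#   ROOT - optional prefix for the listed paths (e.g. a mounted image)
# Returns 1 if any active file path is unreadable, 0 otherwise.
audit_logfiles() {
    dir=$1 root=${2:-} missing=0
    for f in "$dir"/*.logfiles; do
        [ -f "$f" ] || continue
        # First word of each line; default IFS strips leading whitespace.
        while read -r entry _ || [ -n "$entry" ]; do
            case $entry in
                ''|'#'*) ;;                      # blank or commented out
                /*)
                    if [ -r "$root$entry" ]; then
                        printf 'OK       %s (%s)\n' "$entry" "${f##*/}"
                    else
                        printf 'MISSING  %s (%s)\n' "$entry" "${f##*/}"
                        missing=$((missing + 1))
                    fi ;;
                *)  # not a file path (e.g. a journal source); not checked
                    printf 'OTHER    %s (%s)\n' "$entry" "${f##*/}" ;;
            esac
        done < "$f"
    done
    [ "$missing" -eq 0 ]
}

# Constructed demo: the syslog.logfiles from the thread with both paths
# active, on a tree where no syslog daemon has written them.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/root"
cat > "$demo/etc/syslog.logfiles" <<'EOF'
# (If your system does not use a syslog daemon you
# can comment these lines out)
/var/log/syslog
/var/log/auth.log
EOF
audit_logfiles "$demo/etc" "$demo/root" || echo "unreadable entries: $missing"
rm -rf "$demo"
```

On a real host, call `audit_logfiles /etc/logcheck/logcheck.logfiles.d` as the account logcheck runs under, so the readability test reflects its permissions.
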
Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
John Conover wrote:
>
> Email from logcheck(1) contains:
>
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
>
> which do not exist in bookworm 12.5.

They do as soon as you install rsyslog.

Arguably this should be in rsyslog's package, though -- and
any similar replacements.

-dsr-

Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
On Thu, Mar 14, 2024 at 11:25:52AM -0700, John Conover wrote:
>
> Email from logcheck(1) contains:
>
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
>
> which do not exist in bookworm 12.5.

You'll want to install rsyslog, or something equivalent, to get
human-readable text log files. Otherwise, there's just the systemd
journal.

The logcheck package has a "Suggests" for rsyslog, but not a hard
dependency.

logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
Email from logcheck(1) contains:

E: File could not be read: /var/log/syslog
E: File could not be read: /var/log/auth.log

which do not exist in bookworm 12.5.

The offending file:

/etc/logcheck/logcheck.logfiles.d/syslog.logfiles

contains both filenames.

Thanks,

John

--
John Conover, cono...@panix.com, http://www.johncon.com/