Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Andy Smith
Hi,

On Thu, Mar 14, 2024 at 04:18:26PM -0600, Charles Curley wrote:
> Interesting. My logcheck instance works just fine, and makes no such
> complaints. However, my
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles has them commented
> out.

You are probably using the journald support as configured in
/etc/logcheck/logcheck.logfiles.d/journal.logfiles.

> # (If your system does not use a syslog daemon you
> # can comment these lines out)
> # /var/log/syslog
> # /var/log/auth.log
> root@issola:~# 
> 
> So you might do the same.

OP would also want to check the journal.logfiles file I mentioned
above to check that it is actually set up to read from journald.

Good to know that logcheck has patterns for matching journald logs
though.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Charles Curley
On Thu, 14 Mar 2024 11:25:52 -0700
cono...@panix.com (John Conover) wrote:

> Email from logcheck(1) contains:
> 
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.
> 
> The offending file:
> 
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
> 
> contains both filenames.

Interesting. My logcheck instance works just fine, and makes no such
complaints. However, my
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles has them commented
out.

root@issola:~# cat /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
## Log entries in the logs listed below will be checked by logcheck

# The default is to check standard syslog files
# created by rsyslog or other syslog daemons

# (If your system does not use a syslog daemon you
# can comment these lines out)
# /var/log/syslog
# /var/log/auth.log
root@issola:~# 

So you might do the same.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Andy Smith
Hi,

On Thu, Mar 14, 2024 at 11:25:52AM -0700, John Conover wrote:
> Email from logcheck(1) contains:
> 
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.
> 
> The offending file:
> 
> /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
> 
> contains both filenames.

You haven't asked a question so I shall attempt to read your mind
and divine that you are wishing to know why there is a logcheck file
that refers to log files that don't exist.

The reason is that as of Debian 12, a syslogd is not installed by
default and logging is handled by systemd-journald. There is a file
in the logcheck package for reading the systemd journal:

/etc/logcheck/logcheck.logfiles.d/journal.logfiles

If you intend to do that you are meant to uncomment what is in that
one and comment what is in
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles.

If your intent is to have logcheck read syslog files then you first
need to install a syslogd. As others have mentioned, rsyslogd is
popular on Debian and was installed by default on previous releases.
There are others.

I don't recall what logcheck does by default as regards commenting
in these files. Probably you haven't changed anything and those
files come as you have presented here. If so then it may be worth a
bug report since logcheck does support reading from the journal yet
apparently defaults to not doing so.

Though that may be a big job as I think all the sample pattern files
for logcheck are still geared towards rsyslogd's format, not
journald's.

Myself, I still use logcheck with rsyslogd on Debian 12.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
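
A way to audit the state described in the message above, as an added example that is not part of the original thread or of the logcheck package: the function walks every `*.logfiles` list and reports which uncommented entries cannot be read, which is the condition behind the "E: File could not be read" mail. The function name `check_logcheck_sources` is hypothetical, and treating any active entry that is not an absolute path as a non-file source is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the logcheck package).
# Lists active entries in logcheck's logfiles.d lists and flags the ones
# that cannot be read, i.e. those that lead to "E: File could not be read".
# Paths containing whitespace are not handled.

check_logcheck_sources() {
    dir=${1:-/etc/logcheck/logcheck.logfiles.d}
    unreadable=0
    for list in "$dir"/*.logfiles; do
        [ -f "$list" ] || continue      # unmatched glob or not a regular file
        # read trims surrounding whitespace; "rest" absorbs any trailing words
        while read -r entry rest || [ -n "$entry" ]; do
            case $entry in
                ''|'#'*)                # blank line or commented-out entry
                    ;;
                /*)
                    if [ -r "$entry" ]; then
                        printf 'OK         %s\n' "$entry"
                    else
                        printf 'UNREADABLE %s (active in %s)\n' "$entry" "$list"
                        unreadable=$((unreadable + 1))
                    fi
                    ;;
                *)
                    # Assumption: an active entry that is not an absolute
                    # path names a non-file source (for example the journal).
                    printf 'NON-FILE   %s (active in %s)\n' "$entry" "$list"
                    ;;
            esac
        done < "$list"
    done
    # Exit status 0 only when every active file entry is readable.
    [ "$unreadable" -eq 0 ]
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_logcheck_sources "$1"
fi
```

Run it as the user logcheck runs as, since readability is checked with the caller's permissions.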



Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Dan Ritter
John Conover wrote: 
> 
> Email from logcheck(1) contains:
> 
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.

They do as soon as you install rsyslog.

Arguably this should be in rsyslog's package, though -- and any 
similar replacements.

-dsr-



Re: logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread Greg Wooledge
On Thu, Mar 14, 2024 at 11:25:52AM -0700, John Conover wrote:
> 
> Email from logcheck(1) contains:
> 
> E: File could not be read: /var/log/syslog
> E: File could not be read: /var/log/auth.log
> 
> which do not exist in bookworm 12.5.

You'll want to install rsyslog, or something equivalent, to get
human-readable text log files.  Otherwise, there's just the systemd
journal.

The logcheck package has a "Suggests" for rsyslog, but not a hard
dependency.



logcheck(1) in bookworm 12.5 /etc/logcheck/logcheck.logfiles.d/syslog.logfiles

2024-03-14 Thread John Conover


Email from logcheck(1) contains:

E: File could not be read: /var/log/syslog
E: File could not be read: /var/log/auth.log

which do not exist in bookworm 12.5.

The offending file:

/etc/logcheck/logcheck.logfiles.d/syslog.logfiles

contains both filenames.

Thanks,

John

-- 

John Conover, cono...@panix.com, http://www.johncon.com/