Re: Strange events...
On Sun, Aug 26, 2001 at 09:04:09AM -0500, David Sowder wrote:
>>*** WARNING ***: Log file /var/log/mail.log is smaller than last time checked!
>>*************** This could indicate tampering.
> [snip]
> Did you receive the logcheck warning in the logcheck message sent in the
> 7am hour for the previous hour? It's quite possible that you have a machine
> doing what one of mine is doing: On Sundays, one of the logs gets rotated
> twice. The logfile gets rotated once for a weekly cron job and then
> rotated again for a daily cron job (or maybe the other way around). You
> might check into that and find that your machine has not been compromised
> at all... :)
I had a similar message this morning, but for auth.log. Looking into
it, /var/log/auth.log started at 7:47am; /var/log/auth.log.0 started
at 7:27am.
:investigates...
This problem is caused when your logfile exceeds 2 Megs, which causes
it to be rotated by /usr/sbin/syslogd-listfiles, as well as by
logrotate. It's not an issue unless you've had a lot of recent
activity, which is why you don't get this message every week.
See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=102138&repeatmerged=yes
There's even a patch in the bug report that prevents rotation if
*.log.0 is less than 6 hours old.
--
Jesse
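
Added example, not part of the original message or of logcheck: a triage helper that compares the first timestamps in a log and its `.0` sibling to tell whether a "smaller than last time checked" warning lines up with a rotation, and whether the `.0` file lived less than the six hours mentioned above. The function names, the sample lines, the same-year assumption and the use of the six-hour figure as a lifetime threshold are assumptions made for illustration; a "rotation" result is a correlation hint, not proof that the file was untouched.

```python
from datetime import datetime, timedelta

SIX_HOURS = timedelta(hours=6)  # figure borrowed from the patch described in the thread

def first_stamp(lines, year):
    """Timestamp of the first parseable traditional-syslog line, or None."""
    for line in lines:
        try:
            # Prefix looks like "Aug 26 07:27:03" (15 chars, no year field)
            return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # skip blank or non-syslog lines
    return None

def classify_shrink(current, rotated, year):
    """Classify a shrink warning from the live log and its .0 sibling.

    Assumes both files fall within the same calendar year.
    """
    cur_start = first_stamp(current, year)
    rot_start = first_stamp(rotated, year)
    rot_end = first_stamp(reversed(rotated), year)
    if cur_start is None or rot_start is None:
        return "investigate"      # nothing to correlate the shrink against
    if rot_end > cur_start:
        return "investigate"      # files are not contiguous as a rotation would leave them
    if cur_start - rot_start < SIX_HOURS:
        return "double-rotation"  # .0 was live for under six hours
    return "rotation"

# Constructed sample lines mirroring the 7:27 / 7:47 start times in the message
ROTATED = [
    "Aug 26 07:27:03 host sshd[411]: Failed password for root from 192.0.2.7",
    "Aug 26 07:46:58 host sshd[498]: Failed password for root from 192.0.2.7",
]
CURRENT = [
    "Aug 26 07:47:01 host sshd[502]: Failed password for root from 192.0.2.7",
]

if __name__ == "__main__":
    print(classify_shrink(CURRENT, ROTATED, 2001))
```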