
Re: Strange events...



On Sun, Aug 26, 2001 at 09:04:09AM -0500, David Sowder wrote:
>>*** WARNING ***: Log file /var/log/mail.log is smaller than last time checked!
>>***************  This could indicate tampering.
> [snip]
> Did you receive the logcheck warning in the logcheck message sent in the
> 7am hour for the previous hour?  It's quite possible that you have a machine
> doing what one of mine is doing:  On Sundays, one of the logs gets rotated
> twice.  The logfile gets rotated once for a weekly cron job and then
> rotated again for a daily cron job (or maybe the other way around).  You
> might check into that and find that your machine has not been compromised
> at all... :)

I had a similar message this morning, but for auth.log.  Looking into
it, /var/log/auth.log started at 7:47am;  /var/log/auth.log.0 started
at 7:27am.    

:investigates...

This problem is caused when your logfile exceeds 2 Megs, which causes
it to be rotated by /usr/sbin/syslogd-listfiles, as well as by
logrotate.  It's not an issue unless you've had a lot of recent
activity, which is why you don't get this message every week.

See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=102138&repeatmerged=yes

There's even a patch in the bug report that prevents rotation if
*.log.0 is less than 6 hours old.

-- 
Jesse
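
A triage check for the "smaller than last time checked" warning discussed above, as an added example that is not part of the original message or of logcheck. It assumes savelog-style names (LOG.0 newest, then LOG.1 or LOG.1.gz), that a rotated file's mtime approximates its rotation time, and a hypothetical 360-minute window chosen to match the 6-hour threshold mentioned for the patch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes savelog-style names:
# LOG.0 is the newest rotated copy, LOG.1 or LOG.1.gz the one before it.

size_of() { wc -c < "$1" | tr -d ' '; }

# True if $1 exists and was last modified less than $2 minutes ago.
recent() { [ -f "$1" ] && [ -n "$(find "$1" -mmin "-$2")" ]; }

# classify_shrink LOG PREV_SIZE [WINDOW_MIN]
# PREV_SIZE is the size recorded at the previous check; WINDOW_MIN is
# how far back a rotation still counts as the explanation (default 360).
# Prints: missing | grew | rotated | double-rotated | unexplained
classify_shrink() {
    log=$1; prev=$2; win=${3:-360}
    [ -f "$log" ] || { echo missing; return 0; }
    if [ "$(size_of "$log")" -ge "$prev" ]; then
        echo grew; return 0
    fi
    if recent "$log.0" "$win"; then
        # One rotation: everything seen at the last check moved to LOG.0.
        if [ "$(size_of "$log.0")" -ge "$prev" ]; then
            echo rotated; return 0
        fi
        # LOG.0 is too small to hold it: a second rotation pushed the
        # data one generation further, as described in the thread.
        if recent "$log.1" "$win" || recent "$log.1.gz" "$win"; then
            echo double-rotated; return 0
        fi
    fi
    # No recent rotated copy accounts for the lost bytes.
    echo unexplained
}
```

Only "unexplained" and "missing" need a closer look; "double-rotated" is the situation described in this thread.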


