Re: logcheck shows only accounting tool, Debian 11?

To: Roberto C. Sánchez <roberto@debian.org>
Cc: debian-user@lists.debian.org
Subject: Re: logcheck shows only accounting tool, Debian 11?
From: conover@panix.com (John Conover)
Date: Mon, 4 Apr 2022 20:02:45 -0700
Message-id: <[🔎] 20220405030245.52701.qmail@panix.com>
Reply-to: conover@panix.com (John Conover)
In-reply-to: <[🔎] 20220404195757.GB13603@connexer.com>
References: <[🔎] 20220404194633.18322.qmail@panix.com> <[🔎] 20220404195757.GB13603@connexer.com>

Roberto =?iso-8859-1?Q?C=2E_S=E1nchez?= writes:
> On Mon, Apr 04, 2022 at 12:46:33PM -0700, John Conover wrote:
> > 
> > For the past few days, logcheck is sending:
> > 
> >     Apr  4 11:40:13 john systemd[1]: Starting system activity accounting tool...
> >     Apr  4 11:40:13 john systemd[1]: sysstat-collect.service: Succeeded.
> >     Apr  4 11:40:13 john systemd[1]: Finished system activity accounting tool.
> > 
> > iterated every 10 minutes for the hour logcheck message.
> > 
> > That is all logcheck is sending; the rest of the normal expected data
> > is omitted.
> > 
> > The files in /var/log/* seem to contain the normal expected data,
> > which is ommitted from the logcheck hourly message.
> > 
> > Any ideas would be appreciated,
> 
> If you have a tool like etckeeper installed, you can consult the git
> history to determine if any changes have been made to the logcheck
> ignore files recently.  Absent that, you can use a command like this:
> 
> sudo find /etc/logcheck/ -type f -exec dpkg -S {} \; | cut -f1 -d':' | sort -u
> 
> That will give you a list of packages that own files under /etc/logcheck
> and then you can consult /var/log/dpkg.log* for recent updates to those
> packages.
> 
> If you just want to know what the next logcheck report will contain
> (e.g., because you've tweaked the ignore filters and you want to make
> sure that it excludes the right thing), you can do something like this:
> 
> sudo -u logcheck -s /usr/sbin/logcheck -t -o
>

I'm not looking at the sources to logcheck and/or sysstat, only the
log files in /var/log/, and all the normal logcheck data is there.

It seems as if both logcheck and debian-sa1 use the same last record
processed reference in /var/log/syslog and /var/log/daemon.log, making
them incompatible with each other.

/etc/cron.d/sysstat runs every 5 minutes, moving the last record
processed reference to the end of both files in /var/log every 5
minutes. When /etc/cron.d/logcheck runs every hour, the last record
processed reference is already at the end of both files in /var/log.

Thus, skipping things like failed logins, etc., in logcheck reporting.

Unless I am mistaken, sysstat was a new default installation in
debian-live-11.2.0-amd64-xfce.iso.

Can /etc/cron.d/sysstat and /etc/cron.daily/sysstat simply be removed?

    Thanks,

    John

-- 

John Conover, conover@panix.com, http://www.johncon.com/

Reply to:

Follow-Ups:
- Re: logcheck shows only accounting tool, Debian 11?
  - From: Roberto C. Sánchez <roberto@debian.org>

References:
- logcheck shows only accounting tool, Debian 11?
  - From: conover@panix.com (John Conover)
- Re: logcheck shows only accounting tool, Debian 11?
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: VMWare Horizon Client has glitchy graphics after update to Bullseye
Next by Date: Re: toshiba video problem
Previous by thread: Re: logcheck shows only accounting tool, Debian 11?
Next by thread: Re: logcheck shows only accounting tool, Debian 11?
Index(es):
- Date
- Thread