Hello Richard, first of all, to test other configuration, I downgraded logcheck to the previous version - now everything is back to normal. So this is not an exim issue or so, but is clearly caused by the updated package. (Logcheck is running on this machines for many years).
For further reporting, I return to the current version with the bugs.
Am Thu, May 15, 2025 at 09:29:41PM +0100 schrieb Richard Lewis:
> On Thu, 15 May 2025 at 19:58, Helge Kreutzmann <deb...@helgefjell.de> wrote:
> > Am Wed, May 14, 2025 at 10:55:48PM +0100 schrieb Richard Lewis:
> > > On Wed, 14 May 2025 at 20:36, Helge Kreutzmann <deb...@helgefjell.de>
> > > wrote:
> > >
> > > > Since todays update of logcheck I get every message twice,
> > >
> > > does message mean every email, email from logcheck, or line in the
> > > logceck report?
> >
> > Every e-mail comes twice. But at different times, i.e. it take a while
> > until the 2nd e-mail comes. In my sample the first one comes 2 minutes
> > past the hour, the 2nd one arrives 7 - 17 minutes later.
>
> this does sound like both the cron and journal are running, which
> shouldnt happen
> what is the output of
>
> systemctl list-timers --all logcheck
NEXT LEFT LAST PASSED UNIT
ACTIVATES
Fri 2025-05-16 19:02:00 CEST 47min Fri 2025-05-16 18:02:01 CEST 12min ago
logcheck.timer logcheck.service
1 timers listed.
> > > what are the permissions on /var/log/exim4/ and
> >
> > drwxr-s--- 2 Debian-exim adm 4096 15. Mai 19:40 /var/log/exim4/
>
> > > is anything in paniclog?
> > There is no such file on my system.
>
> permissions look fine - is the logcheck user in the adm group? (grep
> logcheck /etc/group )
adm:x:4:logcheck
systemd-journal:x:101:logcheck
logcheck:x:123:
> what is in exim log (/var/log/exim4/mainlog and
> /var/log/exim4/rejectlog) for the mail?
...
2025-05-16 18:02:04 1uFxVc-000000006vP-3jA0 <= logch...@twentytwo.helgefjell.de
U=logcheck P=local S=1809
2025-05-16 18:10:02 1uFxdJ-0000000072V-2j7j <= kreutzmannhe...@helgefjell.de
H=(twentytwo.helgefjell.de) [::1] P=esmtp S=5865
id=courier.00000000682761a0.0039b...@mail.helgefjell.de
2025-05-16 18:10:02 1uFxdJ-0000000072V-2j7j => helge <helge@localhost>
R=procmail T=procmail_pipe
2025-05-16 18:10:02 1uFxdJ-0000000072V-2j7j Completed
2025-05-16 18:10:02 1uFxdJ-0000000072V-32XW <= kreutzmannhe...@helgefjell.de
H=(twentytwo.helgefjell.de) [::1] P=esmtp S=5184
id=courier.00000000682761a0.0039b...@mail.helgefjell.de
2025-05-16 18:10:02 1uFxdJ-0000000072V-32XW => helge <helge@localhost>
R=procmail T=procmail_pipe
2025-05-16 18:10:02 1uFxdJ-0000000072V-32XW Completed
...
The last rejectlog is from December 2024.
> > > what lines are in the journal when logcheck runs?
> >
> > Well, I see the following:
> > Mai 15 20:02:01 twentytwo CRON[18514]: pam_unix(cron:session): session
> > opened for user logcheck(uid=113) by logcheck(uid=0)
> > Mai 15 20:02:01 twentytwo systemd[1]: Starting logcheck.service -
> > logcheck...
> > Mai 15 20:02:01 twentytwo CRON[18517]: (logcheck) CMD ( if [ ! -d
> > /run/systemd/system ] && [ -x /usr/sbin/logcheck ]; then nice -n10
> > /usr/sbin/logcheck; fi)
> > Mai 15 20:02:01 twentytwo CRON[18514]: pam_unix(cron:session): session
> > closed for user logcheck
> > Mai 15 20:02:08 twentytwo systemd[1]: logcheck.service: Deactivated
> > successfully.
> > Mai 15 20:02:08 twentytwo systemd[1]: Finished logcheck.service - logcheck.
> > Mai 15 20:02:08 twentytwo systemd[1]: logcheck.service: Consumed 7.038s CPU
> > time, 249.2M memory peak.
> >
> > But I'm no journal expert, I primarily look at the classic logs.
>
> this looks ok to me, i think: looks like the cron did nothing but the
> timer ran (just check: this should say systemd:
>
> if [ ! -d /run/systemd/system ] && [ -x /usr/sbin/logcheck ]; then
> echo "cron" else echo "systemd"; fi
Yes:
# These do nothing under systemd because the systemd timer will take precedence
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
@reboot logcheck if [ ! -d /run/systemd/system ] && [ -x
/usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck -R; fi
2 * * * * logcheck if [ ! -d /run/systemd/system ] && [ -x
/usr/sbin/logcheck ]; then nice -n10 /usr/sbin/logcheck; fi
> what about at the time of the second mail?
It comes a random time afterwards, sometime > 20 minutes later.
> > > what happens if you run logcheck manually? with the -d option?
I get a logcheck e-mail, this time with the panic only:
2025-05-16T18:02:04.908386+02:00 twentytwo exim[26627]: 2025-05-16 18:02:04
1uFxVc-000000006vP-3jA0 failed to write to main log: length=98 result=-1
errno=9 (Bad file descriptor)
2025-05-16T18:02:04.910317+02:00 twentytwo exim[26627]: write failed on panic
log: length=123 result=-1 errno=9 (Bad file descriptor)
With -d:
I get tons of output, looks like my patterns and more, which ends in:
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] report (System Events): Nothing to report
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] Finished check for system events
(SYSTEM=0)
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] Adding the footer to the report
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] Killing lockfile-touch - 30747
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] Removing lockfile:
/run/lock/logcheck/logcheck.lock
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] cleanup: Removing working dir:
/tmp/logcheck.3E1ZGG
DEBUG: [Fr 16. Mai 18:26:35 CEST 2025] cleanup: Done
> it's especially the part where it sends the email that might help
>
> > > what is in logcheck.conf?
> >
> > The non empty/non comment lines are:
> > REPORTLEVEL="server"
> > SENDMAILTO="logcheck"
>
> looks fine - does sending a mail to the logcheck user work? what is
> grep logcheck /etc/aliases
logcheck: root
Maybe you check your updates from the last version and maybe I can
locally mask/undo them to find out which causes the problem?
Greetings
Helge
--
Dr. Helge Kreutzmann deb...@helgefjell.de
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/
signature.asc
Description: PGP signature
