Roberto C. Sánchez writes:
> On Mon, Apr 04, 2022 at 12:46:33PM -0700, John Conover wrote:
> >
> > For the past few days, logcheck is sending:
> >
> > Apr 4 11:40:13 john systemd[1]: Starting system activity accounting
> > tool...
> > Apr 4 11:40:13 john systemd[1]: sysstat-collect.service: Succeeded.
> > Apr 4 11:40:13 john systemd[1]: Finished system activity accounting
> > tool.
> >
> > iterated every 10 minutes for the hour logcheck message.
> >
> > That is all logcheck is sending; the rest of the normal expected data
> > is omitted.
> >
> > The files in /var/log/* seem to contain the normal expected data,
> > which is omitted from the logcheck hourly message.
> >
> > Any ideas would be appreciated,
>
> If you have a tool like etckeeper installed, you can consult the git
> history to determine if any changes have been made to the logcheck
> ignore files recently. Absent that, you can use a command like this:
>
> sudo find /etc/logcheck/ -type f -exec dpkg -S {} \; | cut -f1 -d':' | sort -u
>
> That will give you a list of packages that own files under /etc/logcheck
> and then you can consult /var/log/dpkg.log* for recent updates to those
> packages.
>
> If you just want to know what the next logcheck report will contain
> (e.g., because you've tweaked the ignore filters and you want to make
> sure that it excludes the right thing), you can do something like this:
>
> sudo -u logcheck -s /usr/sbin/logcheck -t -o
>

I'm not looking at the sources to logcheck and/or sysstat, only the log
files in /var/log/, and all the normal logcheck data is there.

It seems as if both logcheck and debian-sa1 use the same last record
processed reference in /var/log/syslog and /var/log/daemon.log, making
them incompatible with each other.

/etc/cron.d/sysstat runs every 5 minutes, moving the last record
processed reference to the end of both files in /var/log every 5
minutes.

When /etc/cron.d/logcheck runs every hour, the last record processed
reference is already at the end of both files in /var/log.

Thus, skipping things like failed logins, etc., in logcheck reporting.

Unless I am mistaken, sysstat was a new default installation in
debian-live-11.2.0-amd64-xfce.iso.

Can /etc/cron.d/sysstat and /etc/cron.daily/sysstat simply be removed?

Thanks,

John

--
John Conover, cono...@panix.com, http://www.johncon.com/
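
The check suggested in the quoted reply above (list the packages that own files under /etc/logcheck, then look them up in /var/log/dpkg.log*), written out as an added example that is not part of the original thread. The function names, package names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: which owners of /etc/logcheck files did dpkg change recently?
# On a real system (assumed invocation, uncompressed log only):
#   sudo find /etc/logcheck/ -type f -exec dpkg -S {} \; \
#     | owners_from_dpkg_S | changes_for_owners /var/log/dpkg.log

# Reduce `dpkg -S` output to unique package names. Handles "pkg: /path",
# "pkg:arch: /path" and "pkg1, pkg2: /path" (a file shared by two packages).
owners_from_dpkg_S() {
    sed -e 's|: /.*$||' | tr ',' '\n' |
        sed -e 's/^ *//' -e 's/:.*$//' | sort -u
}

# Read package names on stdin and print the install/upgrade/remove/purge
# entries for them from the dpkg log file(s) given as arguments.
changes_for_owners() {
    pkgs=$(tr '\n' ' ')
    awk -v pkgs="$pkgs" '
        BEGIN { n = split(pkgs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $3 ~ /^(install|upgrade|remove|purge)$/ {
            pkg = $4; sub(/:.*/, "", pkg)      # strip the ":amd64" suffix
            if (pkg in want) print $1, $2, $3, pkg, $5, "->", $6
        }' "$@"
}

# Constructed sample data: dpkg -S output and a short dpkg.log excerpt.
demo() {
    owners='logcheck-database: /etc/logcheck/ignore.d.server/example-a
logcheck-database: /etc/logcheck/ignore.d.server/example-b
examplepkg:amd64: /etc/logcheck/ignore.d.server/examplepkg
pkg-one, pkg-two: /etc/logcheck/ignore.d.server/shared'
    log=$(mktemp)
    cat > "$log" <<'EOF'
2022-03-30 09:12:01 startup archives unpack
2022-03-30 09:12:02 upgrade examplepkg:amd64 1.0-1 1.0-2
2022-03-30 09:12:02 status half-configured examplepkg:amd64 1.0-1
2022-03-30 09:12:03 install unrelated:amd64 <none> 2.1-1
2022-03-31 18:40:10 upgrade logcheck-database:all 0.1 0.2
EOF
    printf '%s\n' "$owners" | owners_from_dpkg_S | changes_for_owners "$log"
    rm -f "$log"
}

demo
```

Only packages that own a file under /etc/logcheck are reported, so an upgrade that replaced an ignore rule shows up with its date and the version change.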