On 08/05/2017 14:54, Peter Humphrey wrote:
> Hello list,
>
> The logging section of the security handbook[1] recommends using app-
> admin/logcheck to monitor logs, but I can't get past a permission problem.
> Logcheck sends me an e-mail which complains:
>
> ================
> Could not run logtail or save output
>
> Check temporary directory: /tmp/logcheck.thLHYh
>
> Also verify that the logcheck user can read all files referenced in
> /etc/logcheck/logcheck.logfiles!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

you didn't do this, or didn't show that you did

> ================
>
> There's no sign of any /tmp/log* file. /var/log/messages is the only entry in
> /etc/logcheck/logcheck.logfiles .
>
> I tried changing /var/log/messages thus:
>
> # chmod g+r /var/log/messages
bad idea
> # chown :logcheck /var/log/messages
worse bad idea
>
> ...and ran logcheck, only to find that /var/log/messages was back to its
> original permissions:
>
> ls -l /var/log/messages
> -rw------- 1 root root 139K May 8 13:27 /var/log/messages
>
> ...and I got the same e-mail as before.
>
> Has anyone succeeded in running logcheck? What's the magic recipe? I see
> that app-admin/logcheck is maintainer-wanted, so there's no point in raising
> a bug report.
>
> [1] https://wiki.gentoo.org/wiki/Security_Handbook/Logging
>


--
Alan McKinnon
alan.mckinnon@×××××.com
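
The logcheck e-mail quoted above asks for a check that the logcheck user can read every file listed in /etc/logcheck/logcheck.logfiles. One way to run that check, as an added example that is not part of the original thread or of logcheck itself: the function name `check_logfiles` is hypothetical, skipping `#` comments and blank lines in the list is an assumption, `stat -c` assumes GNU coreutils, and readability is tested for whoever invokes it, so it has to be run as the logcheck user.

```shell
#!/bin/sh
# Added example: report which files named in a logcheck.logfiles-style list
# the invoking user can read, with owner:group and octal mode for context.
# Run it as the logcheck user to see what logcheck itself would see.

# check_logfiles LIST
#   Prints one line per listed file: state, owner:group, mode, path.
#   Returns 0 if every file is readable, 1 if any is not, 2 if LIST is unusable.
check_logfiles() {
    list=$1
    [ -r "$list" ] || { echo "cannot read list: $list" >&2; return 2; }
    rc=0
    # Default IFS trims leading/trailing whitespace; the second test keeps a
    # final line that has no trailing newline.
    while read -r path || [ -n "$path" ]; do
        # Assumption: '#' comment lines and blank lines are not log files.
        case $path in
            ''|'#'*) continue ;;
        esac
        if [ ! -e "$path" ]; then
            # Also reported when a parent directory is not searchable.
            echo "MISSING - - $path"
            rc=1
            continue
        fi
        meta=$(stat -c '%U:%G %a' "$path" 2>/dev/null) || meta='?:? ?'
        if [ -r "$path" ]; then
            state=READABLE
        else
            state=UNREADABLE
            rc=1
        fi
        echo "$state $meta $path"
    done < "$list"
    return $rc
}

# Stand-alone use: pass the list file as the first argument.
if [ "$#" -gt 0 ]; then
    check_logfiles "$1"
fi
```

With the `-rw------- root root` mode shown in the quoted `ls -l` output, a run as the logcheck user would report /var/log/messages as UNREADABLE with `root:root 600`.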