On Thu, 15 May 2025 at 19:58, Helge Kreutzmann <[email protected]> wrote: > > Hello Richard, > Am Wed, May 14, 2025 at 10:55:48PM +0100 schrieb Richard Lewis: > > On Wed, 14 May 2025 at 20:36, Helge Kreutzmann <[email protected]> wrote: > > > > > Since todays update of logcheck I get every message twice, > > > > does message mean every email, email from logcheck, or line in the > > logceck report? > > Every e-mail comes twice. But at different times, i.e. it take a while > until the 2nd e-mail comes. In my sample the first one comes 2 minutes > past the hour, the 2nd one arrives 7 - 17 minutes later.
this does sound like both the cron and journal are running, which shouldnt happen what is the output of systemctl list-timers --all logcheck > Otherwise the e-mails look the same (except the deilvery date). > > > is this perhaps because logcheck is reporting messages that are in the > > journal and rsyslog? (it should!) > > Maybe. if the emails come at different times then this shouldnt be the issue > > > 2025-05-14T19:02:04.733378+02:00 twentytwo exim[42129]: 2025-05-14 > > > 19:02:04 1uFFUa-00000000AxR-2z0z failed to write to main log: length=98 > > > result=-1 errno=9 (Bad file descriptor) > > > 2025-05-14T19:02:04.735285+02:00 twentytwo exim[42129]: write failed on > > > panic log: length=123 result=-1 errno=9 (Bad file descriptor) > > > > > > Since exim (also in conjunction with previous logcheck) works fine > > > > this is exim saying that it was unable to write to > > /var/log/exim4/paniclog and failing - this very much suggests exim is > > not working fine > > if you are getting an emial from logcheck then that suggests logcheck > > is doing it's job and showing an issue. > > I can downgrade logcheck to see if this goes away as well. But in the > exim logs themselves I could not see any issue, also there is more > than sufficient space on all relevant partitions. i would think this is systemd hardening, but there isnt any. > > what are the permissions on /var/log/exim4/ and > > drwxr-s--- 2 Debian-exim adm 4096 15. Mai 19:40 /var/log/exim4/ > > is anything in paniclog? > There is no such file on my system. permissions look fine - is the logcheck user in the adm group? (grep logcheck /etc/group ) what is in exim log (/var/log/exim4/mainlog and /var/log/exim4/rejectlog) for the mail? > > what lines are in the journal when logcheck runs? > > Well, I see the following: > Mai 15 20:02:01 twentytwo CRON[18514]: pam_unix(cron:session): session opened > for user logcheck(uid=113) by logcheck(uid=0) > Mai 15 20:02:01 twentytwo systemd[1]: Starting logcheck.service - logcheck... > Mai 15 20:02:01 twentytwo CRON[18517]: (logcheck) CMD ( if [ ! -d > /run/systemd/system ] && [ -x /usr/sbin/logcheck ]; then nice -n10 > /usr/sbin/logcheck; fi) > Mai 15 20:02:01 twentytwo CRON[18514]: pam_unix(cron:session): session closed > for user logcheck > Mai 15 20:02:08 twentytwo systemd[1]: logcheck.service: Deactivated > successfully. > Mai 15 20:02:08 twentytwo systemd[1]: Finished logcheck.service - logcheck. > Mai 15 20:02:08 twentytwo systemd[1]: logcheck.service: Consumed 7.038s CPU > time, 249.2M memory peak. > > But I'm no journal expert, I primarily look at the classic logs. this looks ok to me, i think: looks like the cron did nothing but the timer ran (just check: this should say systemd: if [ ! -d /run/systemd/system ] && [ -x /usr/sbin/logcheck ]; then echo "cron" else echo "systemd"; fi what about at the time of the second mail? > > what happens if you run logcheck manually? with the -d option? > > I'll check that later. it's especially the part where it sends the email that might help > > what is in logcheck.conf? > > The non empty/non comment lines are: > REPORTLEVEL="server" > SENDMAILTO="logcheck" looks fine - does sending a mail to the logcheck user work? what is grep logcheck /etc/aliases
