On Sun, Aug 26, 2001 at 09:04:09AM -0500, David Sowder wrote: >>*** WARNING ***: Log file /var/log/mail.log is smaller than last time checked! >>*************** This could indicate tampering. > [snip] > Did you received the logcheck warning in the logcheck message sent in the > 7am hour for the previous hour? It's quite possible that you have a machine > doing what one of mine is doing: On Sundays, one of the logs gets rotated > twice. The logfile gets rotated once for a weekly cron job and then > rotated again for a daily cron job (or maybe the other way around). You > might check into that and find that your machine has not been compromised > at all... :)
I had a similar message this morning, but for auth.log. Looking into it, /var/log/auth.log started at 7:47am; /var/log/auth.log.0 started at 7:27am. :investigates... This problem is caused when your logfile exceeds 2 Megs, which causes it to be rotated by /usr/sbin/syslogd-listfiles, as well as by logrotate. It's not an issue unless you've had a lot of recent activity, which is why you don't get this message every week. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=102138&repeatmerged=yes There's even a patch in the bug report that prevents rotation if *.log.0 is less than 6hour old. -- Jesse
