On Monday 08 May 2017 17:32:07 Alan McKinnon wrote:
> On 08/05/2017 14:54, Peter Humphrey wrote:
> > Hello list,
> >
> > The logging section of the security handbook[1] recommends using
> > app-admin/logcheck to monitor logs, but I can't get past a permission
> > problem. Logcheck sends me an e-mail which complains:
> >
> > ================
> > Could not run logtail or save output
> >
> > Check temporary directory: /tmp/logcheck.thLHYh
> >
> > Also verify that the logcheck user can read all files referenced in
> > /etc/logcheck/logcheck.logfiles!
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> you didn't do this, or didn't show that you did

Yes, I did - look four lines down:

> > ================
> >
> > There's no sign of any /tmp/log* file. /var/log/messages is the only
> > entry in /etc/logcheck/logcheck.logfiles .
> >
> > I tried changing /var/log/messages thus:
> >
> > # chmod g+r /var/log/messages
>
> bad idea
>
> > # chown :logcheck /var/log/messages
>
> worse bad idea

Clutching at straws. Debugging. Trying to understand.

As /var/log/messages is so determinedly accessible only to root, can any log analyser ever work? I could make syslog-ng record somewhere else in parallel, but then that place would suffer the same vulnerability as would result from opening access to the original.

-- 
Regards
Peter
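
A read-only way to run the check the logcheck e-mail asks for, as an added example that is not part of the original message or of logcheck itself. It assumes /etc/logcheck/logcheck.logfiles holds one path per line with `#` comments, looks only at classic mode bits (no ACLs, no parent-directory traversal), and the function names are hypothetical.

```python
import os
import stat

def may_read(st, uid, gids):
    """Classic Unix mode-bit read check for one stat result."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def parse_logfiles(text):
    """Assumed format: one path per line, '#' starts a comment."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.append(line)
    return paths

def audit(list_text, uid, gids):
    """Return {path: reason} for each listed file the account cannot read."""
    problems = {}
    for path in parse_logfiles(list_text):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems[path] = exc.strerror
            continue
        if not may_read(st, uid, gids):
            problems[path] = "mode %s owner %d:%d" % (
                stat.filemode(st.st_mode), st.st_uid, st.st_gid)
    return problems

if __name__ == "__main__":
    import pwd
    # Run as root so every listed path can be stat()ed.
    pw = pwd.getpwnam("logcheck")
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    with open("/etc/logcheck/logcheck.logfiles") as fh:
        for path, why in audit(fh.read(), pw.pw_uid, gids).items():
            print(path, why)
```

The output names the owner, group and mode of each file the logcheck account cannot read, without changing any permissions.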