The file /usr/bin/logcheck.sh needs to be edited by the user (to give the names of the log files which should be checked). However, it isn't marked as a config file in the RPM, so those changes get overwritten whenever an updated RPM is installed.
Yep. That's an oversight. Instead of just marking it as config, I have split out the configuration parameters into a config file, /etc/logcheck/logcheck.conf. It should make it completely unnecessary to edit /usr/bin/logcheck. I have uploaded the SRPM and RPM to this location if you are interested. If you try the updated package, please let me know what you think: http://people.redhat.com/timp/RPMS/logcheck-1.1.1-5.i386.rpm http://people.redhat.com/timp/SRPMS/logcheck-1.1.1-5.src.rpm Tim
Looks like a very good idea - thanks! I've attached a patch against your new version which does two things:
- changes the checklog() function in logcheck.conf into a LOGFILES variable; this way the "internals" are hidden from the logcheck.conf file (without any loss of functionality, as far as I can see)
- (sorry if this should have been a separate bug report...) A while back I was finding that if logcheck got interrupted mid-run (by a shutdown, for example), its findings got left lying around in the files in $TMPDIR *and would not get picked up by the next run*. This was pretty bad. A few times interesting log entries went unnoticed by me because of this. So I patched logcheck to create a unique temp directory under $TMPDIR for each run, and at the beginning of the run check to see if any such temp dirs had been left lying around, and incorporate their contents into the current run if so. So I've included those changes in this patch as well.
Let me know what you think... Thanks, Chris.
Created attachment 12172: Change checklog() to LOGFILES, and fix problem with interrupted runs
I moved the new variables you created in your patch to the config file, but the use of mktemp is definitely a plus. I have merged the modified patch into my own. Thanks. Tim
Created attachment 12183: updated patch
Great. Thinking about it, though, I've been stupid. The "rm -rf $REALTMPDIR" followed by "mkdir $REALTMPDIR" completely defeats the point of using mktemp (and isn't needed). We should get rid of those two lines (lines 37 and 38 in the new patched version of logcheck.sh). Cheers, Chris.
Fixed. Tim
The errata was released today. I am resolving this as errata. Tim
Great, thanks. Having thought further, I'm not sure I agree with your decision to move *all* the new variables into the config file. OLDTMPDIRS, REALTMPDIR, CHECKFILE, CHECKOUTPUT and CHECKREPORT are "internal" variables for the private use of the script, and the user really shouldn't be messing around with them, so I don't think they should be in the config file. Personally I'd put them back into /usr/bin/logcheck.sh - but it's not a big deal. Thanks again for incorporating all the changes. Cheers, Chris.
There's a bug in my code which incorporates contents of previous interrupted runs: I've been finding when I have vast quantities of log messages, on a heavily-loaded system, the previous run of logcheck hasn't finished when the next one gets started. But then the new run tries to incorporate the data from the old run, which is still working on it. Bad news. Patch attached, which only incorporates old run data if it's more than 3 hours old. 3 hours is a bit arbitrary: change it if you like, or it could even be set as another option in the config file. Cheers, Chris.
Created attachment 12610: Patch to make logcheck only incorporate previous data older than 3 hours
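The per-run temp directory and the three-hour rule discussed in this thread, as an added shell example; it is not the attached patch or logcheck's own code. The function names, the `logcheck.XXXXXX` template, the owner check and the use of find's `-mindepth`, `-maxdepth` and `-mmin` (GNU/BSD find) are assumptions.

```shell
#!/bin/sh
# Added example, not logcheck's code. All names here are hypothetical.

STALE_MINUTES=180   # "more than 3 hours old", the threshold from the thread

# Create a private directory for this run. mktemp -d creates it atomically
# with mode 0700 under an unpredictable name, so it must not be followed by
# "rm -rf" and "mkdir" on the same path: that reopens the race mktemp closed.
new_run_dir() {
    mktemp -d "$1/logcheck.XXXXXX"
}

# List leftover run directories that are safe to adopt:
#  - not the current run's directory
#  - owned by the invoking user (a shared temp dir may hold planted dirs)
#  - directory mtime older than STALE_MINUTES, so a still-running previous
#    run is left alone
stale_run_dirs() {
    base=$1; current=$2
    find "$base" -mindepth 1 -maxdepth 1 -type d -name 'logcheck.*' \
        ! -path "$current" -user "$(id -u)" -mmin +"$STALE_MINUTES"
}

# Append each regular file from a stale run to the same-named file in the
# current run, then remove the stale directory so it is not adopted twice.
adopt_stale_runs() {
    base=$1; current=$2
    stale_run_dirs "$base" "$current" | while IFS= read -r old; do
        for f in "$old"/*; do
            # Skip symlinks and anything that is not a regular file.
            [ -f "$f" ] && [ ! -L "$f" ] || continue
            cat "$f" >> "$current/$(basename "$f")"
        done
        rm -rf -- "$old"
    done
}
```

A run would call `new_run_dir "$TMPDIR"` once, then `adopt_stale_runs "$TMPDIR" "$run_dir"` before scanning the logs.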
I have incorporated the patch and put it in the tree here. I have uploaded it to here for you: http://people.redhat.com/timp/RPMS/logcheck-1.1.1-7.i386.rpm and http://people.redhat.com/timp/SRPMS/logcheck-1.1.1-7.src.rpm I am resolving this as "rawhide" Tim