[Bug 1059854] Re: auth.log is empty

nick parlante nick.parlante at cs.stanford.edu
Tue Oct 2 23:22:45 UTC 2012 

Ok, I have a theory as to what is causing this bug and why it is hard to
reproduce.

The /etc/logrotate.conf specifies "create" and later the
logrotate.d/rsyslog lists a bunch of log files.

The behavior of "create" is that it creates the new file copying the
owner etc. from the existing file. However, this creates a window in
rare cases where there is no existing log file for whatever reason, then
the file is created with some default owner and group. The logrotate man
page does not specify what the default is, but I'm guessing it's
messagebus:adm given the large number of misc log files on my system
with that mode. Unfortunately, once the file has the wrong mode,
logrotate keeps patterning off it with each rotation, so you are stuck.

One solution would be to specify "nocreate" in logrotate.d/rsyslog, so
just don't rely on logrotate creating empty files. it seems easier to
have rsyslog or whatever create the log files with the right mode etc,
instead of having rsyslog do it 99.9% of the time, but logrotate the
other 0.1% of the time and you have to keep them in sync. Or if creating
empty log files at rotate time is important, use the create <owner>
<group> option in logrotate.d/rsyslog to specify the right mode for the
log files.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1059854

Title:
  auth.log is empty

Status in “rsyslog” package in Ubuntu:
  New

Bug description:
  On a fresh 12.04 64 bit machine in the default state + sshd installed,
  the auth.log file remained empty, when normally it would fill up with
  sshd hacking attempts. The sshd_config was left at its default, which
  should record login failures.

  I have figured out a workaround, which is probably a good clue about
  the underlying bug.

  It turns out that the permissions of auth.log were:  messagebus
  (owner) adm (group)

  doing a

  sudo chown syslog /etc/auth.log

  fixed the problem instantly, with failed logins now going to the file
  as expected. I don't know if this "fix" will survive log rotation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1059854/+subscriptions

More information about the foundations-bugs mailing list