duplicate logwatch mail

airdrummer · #1 1st December 2008, 07:35 PM

i'm just a code pig, asking 4 help;-) i've inherited sysadmining a bunch of fc8 blades (supposed 2 b configured all the same) and i look @ the logwatch emails daily. several of them have been getting multiple executions of logwatch, and just over the holiday, crontab & anacron mail:

>U 1 logwatch@ap2cl06 Thu Nov 27 06:06 53/1759 "Logwatch for ap2cl06 (Linux)"
U 2 logwatch@ap2cl06 Thu Nov 27 09:15 53/1759 "Logwatch for ap2cl06 (Linux)"
U 3 logwatch@ap2cl06 Fri Nov 28 06:06 44/1550 "Logwatch for ap2cl06 (Linux)"
U 4 root@ap2cl06 Fri Nov 28 06:06 27/1018 "Cron <root@ap2cl06> run-parts /etc/cron.daily"
U 5 logwatch@ap2cl06 Fri Nov 28 09:15 44/1550 "Logwatch for ap2cl06 (Linux)"
U 6 root@ap2cl06 Fri Nov 28 09:15 20/816 "Anacron job 'cron.daily' on ap2cl06"
U 7 logwatch@ap2cl06 Sat Nov 29 06:06 44/1550 "Logwatch for ap2cl06 (Linux)"
U 8 root@ap2cl06 Sat Nov 29 06:06 27/1018 "Cron <root@ap2cl06> run-parts /etc/cron.daily"
U 9 logwatch@ap2cl06 Sat Nov 29 09:15 44/1550 "Logwatch for ap2cl06 (Linux)"
U 10 root@ap2cl06 Sat Nov 29 09:15 20/816 "Anacron job 'cron.daily' on ap2cl06"
U 11 logwatch@ap2cl06 Sun Nov 30 06:06 44/1550 "Logwatch for ap2cl06 (Linux)"
U 12 root@ap2cl06 Sun Nov 30 06:06 27/1018 "Cron <root@ap2cl06> run-parts /etc/cron.daily"
U 13 logwatch@ap2cl06 Sun Nov 30 09:15 44/1550 "Logwatch for ap2cl06 (Linux)"
U 14 root@ap2cl06 Sun Nov 30 09:16 20/816 "Anacron job 'cron.daily' on ap2cl06"
U 15 logwatch@ap2cl06 Mon Dec 1 06:06 44/1547 "Logwatch for ap2cl06 (Linux)"
U 16 root@ap2cl06 Mon Dec 1 06:06 27/1015 "Cron <root@ap2cl06> run-parts /etc/cron.daily"
U 17 logwatch@ap2cl06 Mon Dec 1 09:15 44/1547 "Logwatch for ap2cl06 (Linux)"

where are the multiple logwatches coming from, & why is anacron running daily? services shows anacron stopped, and there are no crontab jobs, and i'm not running selinux.

any clues gratefully read;-)

papal · #2 1st December 2008, 07:39 PM

What's in /etc/cron.daily? Usually a bunch of jobs are in there on a default install and are run from /etc/crontab.

airdrummer · #3 1st December 2008, 08:02 PM

-rwxr-xr-x 1 root root 707 2007-09-25 04:38 000-delay.cron
-rwxr-xr-x 1 root root 916 2008-10-30 09:53 0anacron
lrwxrwxrwx 1 root root 45 2008-11-25 16:11 0logwatch -> ../..//usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x 1 root root 118 2008-10-10 05:24 cups
-rwxr-xr-x 1 root root 180 2003-07-09 15:36 logrotate
-rwxr-xr-x 1 root root 669 2007-03-12 11:38 makewhatis.cron
-rwxr-xr-x 1 root root 174 2008-06-29 20:53 mlocate.cron
-rwxr-xr-x 1 root root 2181 2006-06-21 06:07 prelink
-rwxr-xr-x 1 root root 519 2007-10-17 05:36 readahead.cron
-rwxr-xr-x 1 root root 296 2007-11-12 02:25 rpm
-rwxr-xr-x 1 root root 301 2007-10-16 12:07 tmpwatch

hmm, i'm not sure why 0logwatch has changed...

[14:50]$ ll /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x 1 root root 50855 2008-11-11 06:42 /usr/share/logwatch/scripts/logwatch.pl

this looks like an un-modified script, and

-rw-r--r-- 1 root root 103 2008-11-11 06:42 /etc/logwatch/conf/logwatch.conf

is empty, with

-rw-r--r-- 1 root root 4982 2008-11-11 06:42 /usr/share/logwatch/default.conf/logwatch.conf

also looking unmodified...and identical to that on another box that isn't getting duplicates...

papal · #4 1st December 2008, 08:10 PM

Maybe do a diff on /etc/crontab on this box and one on a box that works. Then do the same for /usr/share/logwatch/scripts/logwatch.pl. That'd be my suggestion to start with.

airdrummer · #5 2nd December 2008, 11:51 AM

no diffs between the problem box & a good one...

papal · #6 2nd December 2008, 02:26 PM

Do the actual emails tell you anything or give any clues?

airdrummer · #7 2nd December 2008, 02:52 PM

ok, today i only got the 9:15 logwatch:

>N 17 logwatch@ap2cl06 Tue Dec 2 09:15 70/2138 "Logwatch for ap2cl06 (Linux)"

the anacron emails all contain

/etc/cron.daily/mlocate.cron:
/usr/bin/updatedb: `/var/lib/mlocate/mlocate.db' is locked (probably by an earlier updatedb)

as do the crontab emails...

i've diffed all the /etc/cron... & come up with 1 diff:

etc/cron.d/smolt
5c5
< 20 6 11 * * smolt /usr/bin/smoltSendProfile -c > /dev/null 2>&1
---
> 20 3 11 * * smolt /usr/bin/smoltSendProfile -c > /dev/null 2>&1

papal · #8 2nd December 2008, 03:06 PM

Try killing any updatedb processes and then try running updatedb manually from the command line. If you can get it to work cleanly, then you're probably all fixed up

airdrummer · #9 2nd December 2008, 03:18 PM

no updatedb procs running, it ran cleanly from the cli...i'll let you know tomorrow how it went.

airdrummer · #10 3rd December 2008, 07:09 PM

U 13 logwatch@ap2cl06 Mon Dec 1 06:06 44/1547 "Logwatch for ap2cl06 "
U 14 logwatch@ap2cl06 Tue Dec 2 09:15 71/2148 "Logwatch for ap2cl06 "
U 15 logwatch@ap2cl06 Wed Dec 3 06:06 66/2032 "Logwatch for ap2cl06 "
>N 16 logwatch@ap2cl06 Wed Dec 3 09:15 65/2022 "Logwatch for ap2cl06 "

another machine skipped yesterday:

U 9 logwatch@ap2cl01 Mon Dec 1 09:14 46/1631 "Logwatch for ap2cl01 "
U 10 logwatch@ap2cl01 Wed Dec 3 04:54 57/1901 "Logwatch for ap2cl01 "

another duped on monday but has been ok since:

U 10 logwatch@ap2cl02 Mon Dec 1 04:44 44/1547 "Logwatch for ap2cl02 "
U 11 root@ap2cl02 Mon Dec 1 04:44 27/1015 "Cron <root@ap2cl02> r"
U 12 logwatch@ap2cl02 Mon Dec 1 08:35 44/1547 "Logwatch for ap2cl02 "
U 13 logwatch@ap2cl02 Tue Dec 2 04:44 54/1806 "Logwatch for ap2cl02 "
U 14 logwatch@ap2cl02 Wed Dec 3 04:44 53/1756 "Logwatch for ap2cl02 "

i've done a diff on all of /etc/cron*, nothing there...

marcrblevins · #11 13th December 2008, 03:09 AM

I compared your cron.daily with mine. I don't have readahead.cron

Can you:

Code:

su
cat /etc/cron.daily/readahead.cron

vallimar · #12 13th December 2008, 02:03 PM

readahead.cron doesn't output anything, only writes to files except in error,
it's the new preload system as part of faster bootups.

@airdrummer:

From checking your logfile, anacron and vixie-cron are both executing
the run-parts from /etc/crontab daily. This is why you are getting double mailings.

I've never used anacron so I couldn't say how to configure it to run parallel with
vixie cron without causing this issue, so I can only suggest you read up on it or
just remove it if your blades are mostly-on, making it rather useless anyways.

Otherwise, make sure there aren't other entries causing this to run in
/etc/cron.d/* or in a crontab at /var/spool/cron/* and that /etc/crontab
doesn't have extra (bad) entries.

airdrummer · #13 16th December 2008, 04:29 PM

i pulled 0anacron from .daily, that seems to have taken care of it, thanx...

but i'm still getting

/usr/bin/updatedb: `/var/lib/mlocate/mlocate.db' is locked (probably by an earlier updatedb)

from /etc/cron.daily/mlocate.cron...

vallimar · #14 16th December 2008, 09:06 PM

Hmm, if you don't have any other locate/updatedb jobs running then it might be a stale lock.
From browsing the source quickly, it uses fcntl locking. I'm not a programmer so I don't really
know what that involves. There might be a tmpfile lock someplace, or it could be some posix
thing inside the kernel and a reboot might be simplest if nothing else can be found.

It might be possible it's a permissions issue thing as well, so I would check the file and
directory permissions. It might even be possible to just remove the file and regenerate
a new one by manually executing (as root) /etc/cron.daily/mlocate.cron.