Ray Leventhal wrote:
Hi,
# uname -a
Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
but still no email.
As expected, /etc/cron.daily has the following entry:
lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
Where should I start looking to figure out why logwatch seems not to be doing its thing?
Thanks in advance,
-Ray
Thanks to all who replied. Mystery is nearly solved -
I took the suggestions posted here.
$ echo test | mail -s test root@fqdn.example.com
sent email to root just fine. I tried it with the FQDN, localhost and just root...all worked (I thought they would as this is a public facing mail server and works for hundreds of customers, but still...one tries to eliminate stuff :)
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
Try that again, but tail -f /var/log/maillog in another window (if there's not a lot of mail traffic on that host) to see if it's generating any mail logs.
Here's what told the tale. Yes, I saw an entry while running
#tail -f /var/log/maillog|grep root
But what was seen was interesting:
Aug 21 12:16:25 <> MailScanner[12390]: Message n7LGGNVM013365 from 127.0.0.1 (root@fqdn.example.com) to fqdn.example.com is too big for spam checks (206288 > 150000 bytes)
Then, checking the root account in (al)pine, this:
Date: Fri, 21 Aug 2009 12:16:26 -0400
From: MailScanner postmaster@fqdn.example.com
To: postmaster@fqdn.example.com
Subject: Virus Detected

The following e-mails were found to have: Virus Detected

Sender: root@fqdn.example.com
IP Address: 127.0.0.1
Recipient: root@fqdn.example.com
Subject: Logwatch for fqdn.example.com (Linux)
MessageID: n7LGGNVM013365
Quarantine:
Report: Clamd: message was infected: Email.Phishing.DblDom-124 FOUND

Full headers are:

X-ClientAddr: 127.0.0.1
Return-Path: <~Ag>
Received: from fqdn.example.com (localhost.localdomain [127.0.0.1]) by fqdn.example.com (8.13.8/8.13.8) with ESMTP id n7LGGNVM013365 for root@fqdn.example.com; Fri, 21 Aug 2009 12:16:25 -0400
Full-Name: root
Received: (from root@localhost) by fqdn.example.com (8.13.8/8.13.8/Submit) id n7LGEbuj012759; Fri, 21 Aug 2009 12:14:37 -0400
Date: Fri, 21 Aug 2009 12:14:37 -0400
Message-Id: 200908211614.n7LGEbuj012759@fqdn.example.com
To: root@fqdn.example.com
From: root@fqdn.example.com
Subject: Logwatch for fqdn.example.com (Linux)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"

--
MailScanner
Email Virus Scanner
www.mailscanner.info
So while I now understand that they've been running on schedule and why I've not been seeing them...I still am in a bit of a quandary as I would *like* to receive them.
Should MailScanner's threshold be addressed or is there something I'm missing here?
Thanks for the help so far and for any forthcoming.
-Ray
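
Added example, not part of the original post: one way to pull the "too big for spam checks" events out of a maillog and narrow them to locally submitted mail such as the Logwatch report. The pattern is taken only from the log line quoted above; the function names and the second and third sample lines are constructed.

```shell
#!/bin/sh
# List messages that MailScanner logged as "too big for spam checks".
# The match pattern follows the single log line quoted in the post;
# other MailScanner versions may word this differently (assumption).

# oversize_report [CLIENT_IP]
#   Reads syslog lines on stdin. For each match prints:
#     msgid client_ip sender size_bytes limit_bytes bytes_over_limit
#   If CLIENT_IP is given, only messages from that address are printed.
oversize_report() {
    sed -n 's/.*MailScanner\[[0-9]*]: Message \([^ ]*\) from \([^ ]*\) (\([^)]*\)) to [^ ]* is too big for spam checks (\([0-9]*\) > \([0-9]*\) bytes).*/\1 \2 \3 \4 \5/p' |
    awk -v ip="${1:-}" '(ip == "" || $2 == ip) { print $0, $4 - $5 }'
}

# Sample input. Line 1 is the entry quoted in the post; lines 2 and 3
# are constructed for this example (192.0.2.10 is a documentation address).
sample_log() {
cat <<'EOF'
Aug 21 12:16:25 <> MailScanner[12390]: Message n7LGGNVM013365 from 127.0.0.1 (root@fqdn.example.com) to fqdn.example.com is too big for spam checks (206288 > 150000 bytes)
Aug 21 12:17:01 <> crond[13500]: (root) CMD (run-parts /etc/cron.hourly)
Aug 21 12:18:40 <> MailScanner[12390]: Message CONSTRUCTED0001 from 192.0.2.10 (user@example.net) to fqdn.example.com is too big for spam checks (151000 > 150000 bytes)
EOF
}

# Only mail submitted from the local host, as the Logwatch report was.
sample_log | oversize_report 127.0.0.1
```

On a live host, feed it the real log instead of the sample: oversize_report 127.0.0.1 < /var/log/maillog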