Hi,
# uname -a
Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
but still no email.
As expected, /etc/cron.daily has the following entry:
lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
Where should I start looking to figure out why logwatch seems not to be doing its thing?
Thanks in advance, -Ray
On Thu, Aug 20, 2009 at 3:55 PM, Ray Leventhal centos@swhi.net wrote:
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
I'd check the /var/spool/cron log to see if it's actually running properly. After that I'd check the maillogs to see if there was a delivery problem.
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
Try that again, but tail -f /var/log/maillog in another window (if there's not a lot of mail traffic on that host) to see if it's generating any mail logs.
but still no email.
As expected, /etc/cron.daily has the following entry:
lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
What are the permissions on /usr/share/logwatch/scripts/logwatch.pl? Check to see if any updates were applied to logwatch recently (yum info or rpm -qi logwatch) and check your logwatch config files to see if anything changed there.
Hope this helps, Cliff
On Thu, Aug 20, 2009 at 3:55 PM, Ray Leventhal centos@swhi.net wrote:
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
Where should I start looking to figure out why logwatch seems not to be doing its thing?
Are any emails going out? Perhaps sendmail died? If it were me, I would start by checking the mail queue (# mailq), the mail log (/var/adm/maillog), and the sendmail mail transport agent (# service sendmail status). I use a default setup which requires sendmail to be running for delivery of mail to root@localhost.
gd
Hi,
On Thu, Aug 20, 2009 at 16:55, Ray Leventhal centos@swhi.net wrote:
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
but still no email.
Can you send e-mails using other programs on that machine?
For instance:
$ echo test | mail -s test root@fqdn.example.com
Do you receive the test e-mail after sending it like that? If not, that's where you should look...
HTH, Filipe
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
but still no email.
Try sending it to an email outside of your domain like mytest@gmail.com or whatever your mail is. More than likely you reset or started some kind of program like spam assassin. There are enough bad IPs, URLs, etc. to just make it get killed by spamassassin or any other kind of software for mail.
Try whitelisting it in procmail or whatever you are using.
Worked for me
Ray Leventhal wrote:
Hi,
# uname -a
Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
but still no email.
As expected, /etc/cron.daily has the following entry:
lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
Where should I start looking to figure out why logwatch seems not to be doing its thing?
Thanks in advance, -Ray
Thanks to all who replied. Mystery is nearly solved -
I took the suggestions posted here.
$ echo test | mail -s test root@fqdn.example.com
sent email to root just fine. I tried it with the FQDN, localhost and just root...all worked (I thought they would as this is a public facing mail server and works for hundreds of customers, but still...one tries to eliminate stuff :)
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
Try that again, but tail -f /var/log/maillog in another window (if there's not a lot of mail traffic on that host) to see if it's generating any mail logs.
Here's what told the tale. Yes, I saw an entry while running
# tail -f /var/log/maillog | grep root
But what was seen was interesting:
Aug 21 12:16:25 <> MailScanner[12390]: Message n7LGGNVM013365 from 127.0.0.1 (root@fqdn.example.com) to fqdn.example.com is too big for spam checks (206288 > 150000 bytes)
Then, checking the root account in (al)pine, this:
Date: Fri, 21 Aug 2009 12:16:26 -0400
From: MailScanner postmaster@fqdn.example.com
To: postmaster@fqdn.example.com
Subject: Virus Detected

The following e-mails were found to have: Virus Detected

Sender: root@fqdn.example.com
IP Address: 127.0.0.1
Recipient: root@fqdn.example.com
Subject: Logwatch for fqdn.example.com (Linux)
MessageID: n7LGGNVM013365
Quarantine:
Report: Clamd: message was infected: Email.Phishing.DblDom-124 FOUND

Full headers are:

X-ClientAddr: 127.0.0.1
Return-Path: <~Ag>
Received: from fqdn.example.com (localhost.localdomain [127.0.0.1]) by fqdn.example.com (8.13.8/8.13.8) with ESMTP id n7LGGNVM013365 for root@fqdn.example.com; Fri, 21 Aug 2009 12:16:25 -0400
Full-Name: root
Received: (from root@localhost) by fqdn.example.com (8.13.8/8.13.8/Submit) id n7LGEbuj012759; Fri, 21 Aug 2009 12:14:37 -0400
Date: Fri, 21 Aug 2009 12:14:37 -0400
Message-Id: 200908211614.n7LGEbuj012759@fqdn.example.com
To: root@fqdn.example.com
From: root@fqdn.example.com
Subject: Logwatch for fqdn.example.com (Linux)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
-- MailScanner Email Virus Scanner www.mailscanner.info
So while I now understand that they've been running on schedule and why I've not been seeing them...I still am in a bit of a quandary as I would *like* to receive them.
Should Mailscanner's threshold be addressed or is there something I'm missing here?
Thanks for the help so far and for any forthcoming.
-Ray
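Added example, not part of the original thread: a small shell/awk filter that reads MailScanner "Virus Detected" notices in the field layout quoted in the message above and reports the ones raised against locally submitted mail, so a quarantined Logwatch report is noticed rather than silently missing. The function names `sample_notice` and `local_quarantined` are hypothetical, the second sample record is constructed, and treating a loopback `IP Address` as "submitted on this host" is an assumption.

```shell
#!/bin/sh
# Added example: flag MailScanner notices that concern mail submitted from
# the local host (e.g. Logwatch reports sent by root).

# Constructed sample input. The first record mirrors the notice quoted in
# the thread; the second is invented to show a non-local message.
sample_notice() {
cat <<'EOF'
Sender: root@fqdn.example.com
IP Address: 127.0.0.1
Recipient: root@fqdn.example.com
Subject: Logwatch for fqdn.example.com (Linux)
MessageID: n7LGGNVM013365
Quarantine:
Report: Clamd: message was infected: Email.Phishing.DblDom-124 FOUND

Sender: someone@remote.example.net
IP Address: 192.0.2.10
Recipient: user@fqdn.example.com
Subject: Invoice
MessageID: n7LGXXXX000001
Quarantine:
Report: Clamd: message was infected: Constructed.Test.Signature FOUND
EOF
}

# Read notice text on stdin; print "MessageID|Subject|Report" for every
# record whose IP Address is loopback. A new "Sender:" line starts a record.
local_quarantined() {
  awk '
    function emit() {
      if (ip == "127.0.0.1" || ip == "::1")
        printf "%s|%s|%s\n", id, subj, report
      ip = ""; id = ""; subj = ""; report = ""
    }
    /^Sender:/     { if (seen) emit(); seen = 1; next }
    /^IP Address:/ { ip = $3; next }
    /^Subject:/    { sub(/^Subject:[ \t]*/, ""); subj = $0; next }
    /^MessageID:/  { id = $2; next }
    /^Report:/     { sub(/^Report:[ \t]*/, ""); report = $0; next }
    END            { if (seen) emit() }
  '
}

sample_notice | local_quarantined
```

The MessageID it prints is the sendmail queue ID, so the same value can be grepped in /var/log/maillog to find the matching MailScanner line.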
On Friday 21 August 2009 17:29:09 Ray Leventhal wrote:
So while I now understand that they've been running on schedule and why I've not been seeing them...I still am in a bit of a quandary as I would *like* to receive them.
Should Mailscanner's threshold be addressed or is there something I'm missing here?
Coming in late here, so can I ask one stupid question? Do you receive *any* messages addressed to root? I presume you have aliased it? Oops, two questions ;-)
Anne
Anne Wilson wrote:
On Friday 21 August 2009 17:29:09 Ray Leventhal wrote:
So while I now understand that they've been running on schedule and why I've not been seeing them...I still am in a bit of a quandary as I would *like* to receive them.
Should Mailscanner's threshold be addressed or is there something I'm missing here?
Coming in late here, so can I ask one stupid question? Do you receive *any* messages addressed to root? I presume you have aliased it? Oops, two questions ;-)
Anne
Hi Anne,
Better late than not at all :) Thanks for your reply
Yes, root is getting mail from other daemons as well as the typical postmaster stuff.
Best, -Ray
Ray Leventhal wrote on Fri, 21 Aug 2009 12:29:09 -0400:
Should Mailscanner's threshold be addressed or is there something I'm missing here?
The threshold is ok. What happened is that this message included phishing text that clamd tripped on. You want to put *all* your servers on the MailScanner whitelist (the noscan whitelist, not the nospam whitelist). That's the first thing you do after setting up MailScanner (or any similar application). Btw, there is an excellent MailScanner mailing list.
Hint: you would have resolved the problem *immediately* by yourself if you were using Mailwatch as well.
Kai
Ray Leventhal wrote:
Hi,
# uname -a
Linux obfuscated.example.com 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:23:34 EDT 2009 i686 i686 i386 GNU/Linux
I noticed a few days ago that I'm not getting my logwatch emails to the root account any longer, and while I've definitely been applying updates from base, no other changes have happened on this box.
I ran logwatch at the command line:
logwatch --detail medium --mailto root@fqdn.example.com
but still no email.
As expected, /etc/cron.daily has the following entry:
lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
Where should I start looking to figure out why logwatch seems not to be doing its thing?
Thanks in advance, -Ray
Thanks again to all who replied. The situation seems to have remedied itself with a log rotation (scheduled). Once the offending stuff was no longer part of the body of the logwatch emails, Mailscanner/clamd had nothing to complain about and this morning I find the weekend's logwatch emails nestled comfortably in root's inbox.
Next step for me is finding where to allow logwatch emails regardless of their contents.
Again, thanks to all, -Ray
Subject: Re: [CentOS] logwatch not mailing [SOLVED]
As expected, /etc/cron.daily has the following entry:
lrwxrwxrwx 1 root root 39 Jul 30 2008 0logwatch -> /usr/share/logwatch/scripts/logwatch.pl
Where should I start looking to figure out why logwatch seems not to be doing its thing?
Thanks again to all who replied. The situation seems to have remedied itself with a log rotation (scheduled). Once the offending stuff was no longer part of the body of the logwatch emails, Mailscanner/clamd had nothing to complain about and this morning I find the weekend's logwatch emails nestled comfortably in root's inbox.
Next step for me is finding where to allow logwatch emails regardless of their contents.
Again, thanks to all, -Ray
I posted earlier and I will repeat it again. I had the same issue as soon as I had set up spamassassin correctly as well as my other mail stuff. I use procmail and adding the email address to the whitelist is the way to go. You can set the email in the logwatch files for where it goes and where it comes from. Mine came from 'logwatch@mail.myserver.com' and I just whitelisted that.
It was the only way I could get it to work.