Logwatch stopped working after I did something stupid

Fri Aug 22 20:55:56 UTC 2014

On Fri, 22 Aug 2014 10:19:48 -0700, Knute Johnson wrote:

> So I was trying to clean up my /var/log directory and remove some of the
> older .gz files and I mistyped the rm command and erased all the files.
> Now logwatch doesn't send me an email any more, I'm assuming because
> there are no log files any more.  I thought they would just regenerate
> themselves but the base file must have to be there before the services
> write to the logs.  Is there a script or some simple way to recreate the
> base files?
> 

Have you rebooted your system? I was under the impression that usually 
stopping and then restarting the relevant services (rsyslog, udev, etc.) 
will create the log files again. Rebooting is just an easier way to get 
most of them recreated at once. Others may not be created until their 
associated application or service is run. 

If its impractical to reboot at the moment, you could try forcing a log 
rotation with "sudo logrotate -v -f /etc/logrotate.conf" New log files 
will be created and their associated services will be stopped and 
restarted so that they write to them. Not all log files in /var/log are 
handled by the logrotate script, so you may have to manually recreate 
them.

Lastly, some log files are created by package install scripts. Grepping 
through /var/lib/dpkg/info/*.preinst and *.postinst will give you an idea 
of what logs you need to recreate if the above solutions don't work.

For instance, first get a list of packages whose install scripts create 
log files:

$ pwd
/var/lib/dpkg/info

$ grep -rl var/log *.postinst
acpid.postinst
apt.postinst
base-files.postinst
dpkg.postinst
ecryptfs-utils.postinst
fontconfig.postinst
initscripts.postinst
linux-image-3.13.0-32-generic.postinst
linux-image-3.13.0-34-generic.postinst
login.postinst
passwd.postinst
ppp.postinst
speech-dispatcher.postinst
update-manager-core.postinst

Then using that list, look at each install script to see what log files 
it references:

$ grep var/log base-files.postinst
if [ ! -f /var/log/wtmp ]; then
    echo -n>/var/log/wtmp
  if [ ! -f /var/log/btmp ]; then
    echo -n>/var/log/btmp
  if [ ! -f /var/log/lastlog ]; then
    echo -n>/var/log/lastlog
  chown root:utmp /var/log/wtmp /var/log/btmp /var/log/lastlog
  chmod 664 /var/log/wtmp /var/log/lastlog
  chmod 660 /var/log/btmp

So in the base-files package post-install script you can see that wtmp, 
btmp, and lastlog are created with root:utmp ownership and wtmp and 
lastlog are set with 664 permissions and btmp with 660.

Theoretically, you should be able to run the base-files.postinst script 
again to have the log files set up since that's what would happen if you 
simply re-installed the base-files package. However, I cant' remember if 
I've ever had to do that, so I can't warn you if there's any gotchas with 
that method. I suppose just re-installing the packages that create log 
files is an option as well, though obviously it is more resource 
intensive.

$ sudo apt-get install --reinstall <list of packages names you grepped>

-- 
sktsee