Mr. Geek wrote:
Mikkel L. Ellertson wrote:

One thing I forgot to put in the last message - the changes you make in /etc/syslog.conf will not take effect until you restart syslog. Normally, I would run "service syslog restart" to do this. But you may have to fix whatever is wrong in /etc/sysconfig/syslog first. Or you can try renaming it to syslog.sav, and then restart syslog. The syslog script will work just fine without the /etc/sysconfig/syslog file - it checks for the file, and if it isn't there, it uses some good default values in place of it.

Mikkel


Mikkel, That did the trick! I had already restarted syslogd and even though it started there was an error code.

Renaming the /etc/sysconfig/syslog file did the trick. It restarted without errors and there's nothing happening on the monitor.

I'd love to know how the file got modified, but I may never find out. Thanks for sticking with me on this! Have you heard of this happening before?

There's nothing in the logs about it being modified and I'm the only one with access. My firewall logs have no record of anyone getting and modifying anything, and none of the firewall logs are missing.

If you have a default /etc/sysconfig/syslog file could you send it to me for comparison? I'd like to find the differences between the two files.


Thanks again for the help.

I am glad you have it working. Here is what my syslog file looks like:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"

# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-2"

It sets the same options as the default in /etc/rc.d/init.d/syslog. It is what most people need. The only time I have used other options is when I have logged messages from the firewall on a server.

I wish I knew how yours got changed. It should not happen. This is not Windows where the registry gets modified by everything! MCC will modify /etc/sysconfig/syslog, and I think you can use it to change /etc/syslog.conf, but you would remember changing things there. Besides, MCC should not have written an invalid /etc/sysconfig/syslog file.

If you installed an RPM that updated the files, then the "rpm -V" would not have shown them changed. When I have seen this kind of change, I suspect that:

Someone has gotten into the box, and is trying to play a trick, or goofed up in hacking a box.

You were trying to do something else, and managed to change the wrong thing. (Kind of hard, as you need to be root.)

You managed to run a program or script as root that did something you were not expecting. This is usually the result of installing from source, or installing an RPM from a bad source.

I would keep an eye on the box, and look for any other changes. You may also want to run "rpm -Va > /tmp/RPM_check.log" and look at the changed and missing files it finds. It will find changed files. There are always files that get changed when you configure a system. But if there are files besides config files that have changed, then it is time to take a hard look at the logs!

Mikkel
--

  Do not meddle in the affairs of dragons,
for you are crunchy and taste good with Ketchup!
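
The "rpm -Va" triage described in the message above, as an added example that is not part of the original post: it skips files rpm marks as config or documentation and lists the rest, which are the ones worth a hard look. The function names, reason labels and sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output. Assumed line layout:
#   <attribute flags or "missing"> [c|d|g|l|r] <path>

triage_rpm_verify() {
    awk '
    {
        # A one-letter second field marks the file type: c = config,
        # d = doc, g = ghost, l = license, r = readme. These are expected
        # to change on a configured system, so skip them.
        if ($2 ~ /^[cdglr]$/) next

        # Path is everything from the first "/" on (keeps embedded spaces).
        if (!match($0, "/")) next
        path = substr($0, RSTART)

        if ($1 == "missing")  reason = "MISSING"
        else if ($1 ~ /5/)    reason = "CONTENT"   # file digest differs
        else                  reason = "METADATA"  # mode, owner, mtime, ...
        print reason, path
    }'
}

# Constructed sample output, not taken from the machine in this thread.
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/sysconfig/syslog
S.5....T.  c /etc/syslog.conf
.......T.  d /usr/share/doc/example/README
.M.......    /var/log/example
S.5....T.    /usr/sbin/example-daemon
missing      /usr/bin/example-tool
missing    c /etc/example.conf
EOF
}

# Live use (as root): rpm -Va | triage_rpm_verify
# Offline demo on the constructed sample:
sample_rpm_va | triage_rpm_verify
```

A CONTENT or MISSING line for a binary or library is the case the message calls out; config files such as /etc/sysconfig/syslog are filtered here and still need comparing by hand against a known-good copy.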
