Re: [newbie] Syslogd
Mikkel L. Ellertson wrote:
> Mr. Geek wrote:
>> Mikkel L. Ellertson wrote:
>>> One thing I forgot to put in the last message - the changes you make in
>>> /etc/syslog.conf will not take effect until you restart syslog. Normally,
>>> I would run "service syslog restart" to do this. But you may have to fix
>>> whatever is wrong in /etc/sysconfig/syslog first. Or you can try renaming
>>> it to syslog.sav, and then restart syslog. The syslog script will work
>>> just fine without the /etc/sysconfig/syslog file - it checks for the
>>> file, and if it isn't there, it uses some good default values in place
>>> of it.
>>>
>>> Mikkel
>>
>> Mikkel,
>>
>> That did the trick! I had already restarted syslogd and even though it
>> started there was an error code. Renaming the /etc/sysconfig/syslog file
>> did the trick. It restarted without errors and there's nothing happening
>> on the monitor. I'd love to know how the file got modified, but I may
>> never find out. Thanks for sticking with me on this!
>>
>> Have you heard of this happening before? There's nothing in the logs
>> about it being modified and I'm the only one with access. My firewall
>> logs have no record of anyone getting in and modifying anything, and
>> none of the firewall logs are missing.
>>
>> If you have a default /etc/sysconfig/syslog file could you send it to me
>> for comparison? I'd like to find the differences between the two files.
>>
>> Thanks again for the help.
>
> I am glad you have it working. Here is what my syslog file looks like:
>
>   # Options to syslogd
>   # -m 0 disables 'MARK' messages.
>   # -r enables logging from remote machines
>   # -x disables DNS lookups on messages recieved with -r
>   # See syslogd(8) for more details
>   SYSLOGD_OPTIONS="-m 0"
>   # Options to klogd
>   # -2 prints all kernel oops messages twice; once for klogd to decode, and
>   #once for processing with 'ksymoops'
>   # -x disables all klogd processing of oops messages entirely
>   # See klogd(8) for more details
>   KLOGD_OPTIONS="-2"
>
> It sets the same options as the default in /etc/rc.d/init.d/syslog. It is
> what most people need. The only time I have used other options is when I
> have logged messages from the firewall on a server.
>
> I wish I knew how yours got changed. It should not happen. This is not
> Windows where the registry gets modified by everything! MCC will modify
> /etc/sysconfig/syslog, and I think you can use it to change
> /etc/syslog.conf, but you would remember changing things there. Besides,
> MCC should not have written an invalid /etc/sysconfig/syslog file. If you
> installed an RPM that updated the files, then "rpm -V" would not have
> shown them changed. When I have seen this kind of change, I suspect that:
>
> 1. Someone has gotten into the box, and is trying to play a trick, or
>    goofed up in hacking a box.
> 2. You were trying to do something else, and managed to change the wrong
>    thing. (Kind of hard, as you need to be root.)
> 3. You managed to run a program or script as root that did something you
>    were not expecting. This is usually the result of installing from
>    source, or installing an RPM from a bad source.
>
> I would keep an eye on the box, and look for any other changes. You may
> also want to run "rpm -Va > /tmp/RPM_check.log" and look at the changed
> and missing files it finds. It will find changed files. There are always
> files that get changed when you configure a system. But if there are
> files besides config files that have changed, then it is time to take a
> hard look at the logs!
>
> Mikkel

Thanks for the info, help and suggestions. I'll look into it tomorrow and
get back to you if I find anything interesting.

-- 
Mr. Geek
Registered Linux User #190712

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
Re: [newbie] Syslogd
Mr. Geek wrote:
> Mikkel L. Ellertson wrote:
>> One thing I forgot to put in the last message - the changes you make in
>> /etc/syslog.conf will not take effect until you restart syslog. Normally,
>> I would run "service syslog restart" to do this. But you may have to fix
>> whatever is wrong in /etc/sysconfig/syslog first. Or you can try renaming
>> it to syslog.sav, and then restart syslog. The syslog script will work
>> just fine without the /etc/sysconfig/syslog file - it checks for the
>> file, and if it isn't there, it uses some good default values in place
>> of it.
>>
>> Mikkel
>
> Mikkel,
>
> That did the trick! I had already restarted syslogd and even though it
> started there was an error code. Renaming the /etc/sysconfig/syslog file
> did the trick. It restarted without errors and there's nothing happening
> on the monitor. I'd love to know how the file got modified, but I may
> never find out. Thanks for sticking with me on this!
>
> Have you heard of this happening before? There's nothing in the logs
> about it being modified and I'm the only one with access. My firewall
> logs have no record of anyone getting in and modifying anything, and
> none of the firewall logs are missing.
>
> If you have a default /etc/sysconfig/syslog file could you send it to me
> for comparison? I'd like to find the differences between the two files.
>
> Thanks again for the help.

I am glad you have it working. Here is what my syslog file looks like:

  # Options to syslogd
  # -m 0 disables 'MARK' messages.
  # -r enables logging from remote machines
  # -x disables DNS lookups on messages recieved with -r
  # See syslogd(8) for more details
  SYSLOGD_OPTIONS="-m 0"
  # Options to klogd
  # -2 prints all kernel oops messages twice; once for klogd to decode, and
  #once for processing with 'ksymoops'
  # -x disables all klogd processing of oops messages entirely
  # See klogd(8) for more details
  KLOGD_OPTIONS="-2"

It sets the same options as the default in /etc/rc.d/init.d/syslog. It is
what most people need. The only time I have used other options is when I
have logged messages from the firewall on a server.

I wish I knew how yours got changed. It should not happen. This is not
Windows where the registry gets modified by everything! MCC will modify
/etc/sysconfig/syslog, and I think you can use it to change
/etc/syslog.conf, but you would remember changing things there. Besides,
MCC should not have written an invalid /etc/sysconfig/syslog file. If you
installed an RPM that updated the files, then "rpm -V" would not have
shown them changed. When I have seen this kind of change, I suspect that:

1. Someone has gotten into the box, and is trying to play a trick, or
   goofed up in hacking a box.
2. You were trying to do something else, and managed to change the wrong
   thing. (Kind of hard, as you need to be root.)
3. You managed to run a program or script as root that did something you
   were not expecting. This is usually the result of installing from
   source, or installing an RPM from a bad source.

I would keep an eye on the box, and look for any other changes. You may
also want to run "rpm -Va > /tmp/RPM_check.log" and look at the changed
and missing files it finds. It will find changed files. There are always
files that get changed when you configure a system. But if there are
files besides config files that have changed, then it is time to take a
hard look at the logs!

Mikkel

-- 
Do not meddle in the affairs of dragons, for you are crunchy and taste good with Ketchup!
Re: [newbie] Syslogd
Mikkel L. Ellertson wrote:
> One thing I forgot to put in the last message - the changes you make in
> /etc/syslog.conf will not take effect until you restart syslog. Normally,
> I would run "service syslog restart" to do this. But you may have to fix
> whatever is wrong in /etc/sysconfig/syslog first. Or you can try renaming
> it to syslog.sav, and then restart syslog. The syslog script will work
> just fine without the /etc/sysconfig/syslog file - it checks for the
> file, and if it isn't there, it uses some good default values in place
> of it.
>
> Mikkel

Mikkel,

That did the trick! I had already restarted syslogd and even though it
started there was an error code. Renaming the /etc/sysconfig/syslog file
did the trick. It restarted without errors and there's nothing happening
on the monitor. I'd love to know how the file got modified, but I may
never find out. Thanks for sticking with me on this!

Have you heard of this happening before? There's nothing in the logs about
it being modified and I'm the only one with access. My firewall logs have
no record of anyone getting in and modifying anything, and none of the
firewall logs are missing.

If you have a default /etc/sysconfig/syslog file could you send it to me
for comparison? I'd like to find the differences between the two files.

Thanks again for the help.

-- 
Mr. Geek
Registered Linux User #190712
Re: [newbie] Syslogd
Mr. Geek wrote:
> Mikkel L. Ellertson wrote:
>> You should not be getting the error. You may want to run "rpm -V syslogd"
>> and see what errors it reports. You may also want to run a package like
>> chkrootkit to make sure your box wasn't "hacked". A look at the log files
>> is also in order. The /etc/syslog.conf file got changed, and maybe the
>> /etc/rc.d/init.d/syslog file as well.
>>
>> Mikkel
>
> Mikkel,
>
> Thanks again for your suggestions. These are the results from your
> suggestion;
>
>   rpm -V sysklogd
>   .M.T c /etc/rc.d/init.d/syslog
>   S.5T c /etc/sysconfig/syslog
>   S.5T c /etc/syslog.conf
>
> Of course, there's no information in the help file to tell me what this
> means, but maybe someone else can decipher it for me.
>
> chkrootkit came back without any errors at all. The log files didn't show
> anything about possible hacks to the files either. Guess I'll keep looking
> for a reason for this behaviour.
>
> I changed the debug setting to emerg in syslog.conf, but I'm still getting
> an error. At least it's a different error number.

From "man rpm":

  S  file Size differs
  M  Mode differs (includes permissions and file type)
  5  MD5 sum differs
  D  Device major/minor number mismatch
  L  readLink(2) path mismatch
  U  User ownership differs
  G  Group ownership differs
  T  mTime differs

I expected the differences in /etc/syslog.conf, but it may be worth taking
a look at /etc/sysconfig/syslog. Because /etc/rc.d/init.d/syslog reads the
contents of that file, that may be what is generating the error there. The
file looks like it should.

One thing I forgot to put in the last message - the changes you make in
/etc/syslog.conf will not take effect until you restart syslog. Normally, I
would run "service syslog restart" to do this. But you may have to fix
whatever is wrong in /etc/sysconfig/syslog first. Or you can try renaming
it to syslog.sav, and then restart syslog. The syslog script will work just
fine without the /etc/sysconfig/syslog file - it checks for the file, and
if it isn't there, it uses some good default values in place of it.

Mikkel

-- 
Do not meddle in the affairs of dragons, for you are crunchy and taste good with Ketchup!
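A small script, added here and not posted in the thread, that applies Mikkel's reading of the rpm -V attribute letters above and the triage rule from his later reply (changed config files are expected; a changed non-config file or a missing file is what should send you to the logs). The sample output is constructed from the three lines Mr. Geek posted plus two invented entries (a modified /sbin/syslogd and a missing doc file) so that both branches are exercised.

```python
import re
from dataclasses import dataclass, field

# Attribute letters from rpm(8), as listed in the reply above.
CODES = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "MD5 sum differs",
    "D": "device major/minor number mismatch",
    "L": "readlink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
}

# A changed file: attribute column (letters or '.' placeholders; the width
# differs between rpm releases, so letters are decoded, not positions),
# an optional one-letter file type (c = config, d = doc, g = ghost,
# l = licence, r = readme), then the path.
CHANGED_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGT.]{4,9})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/\S.*)$")
# A file the package owns that is no longer on disk.
MISSING_RE = re.compile(r"^missing\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/\S.*)$")


@dataclass
class Finding:
    path: str
    config: bool                 # flagged 'c' (config file) by the package
    missing: bool = False
    changes: list = field(default_factory=list)


def parse_verify(output):
    """Parse `rpm -V <pkg>` / `rpm -Va` output into Finding records."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["kind"] == "c", missing=True))
            continue
        m = CHANGED_RE.match(line)
        if m is None:
            continue  # dependency complaints and other chatter are ignored
        changes = [CODES.get(ch, "unknown attribute " + ch)
                   for ch in m["attrs"] if ch != "."]
        findings.append(Finding(m["path"], m["kind"] == "c", changes=changes))
    return findings


def triage(findings):
    """Split findings into (expected, suspicious).

    Config files drift whenever a system is configured, so those are
    expected.  A changed non-config file (a binary, a library) or any
    missing file is the case where the logs deserve a hard look."""
    expected = [f for f in findings if f.config and not f.missing]
    suspicious = [f for f in findings if not (f.config and not f.missing)]
    return expected, suspicious


# Constructed sample: Mr. Geek's three lines plus two invented entries.
SAMPLE = """\
.M.T c /etc/rc.d/init.d/syslog
S.5T c /etc/sysconfig/syslog
S.5T c /etc/syslog.conf
S.5....T    /sbin/syslogd
missing   d /usr/share/doc/sysklogd/README
"""

if __name__ == "__main__":
    expected, suspicious = triage(parse_verify(SAMPLE))
    for f in expected:
        print("expected   %-32s %s" % (f.path, "; ".join(f.changes)))
    for f in suspicious:
        what = "MISSING" if f.missing else "; ".join(f.changes)
        print("SUSPICIOUS %-32s %s" % (f.path, what))
```

Feed it the real file with `triage(parse_verify(open("/tmp/RPM_check.log").read()))` after running the rpm -Va command Mikkel suggests.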
Re: [newbie] Syslogd
Mikkel L. Ellertson wrote:
> You should not be getting the error. You may want to run "rpm -V syslogd"
> and see what errors it reports. You may also want to run a package like
> chkrootkit to make sure your box wasn't "hacked". A look at the log files
> is also in order. The /etc/syslog.conf file got changed, and maybe the
> /etc/rc.d/init.d/syslog file as well.
>
> Mikkel

Mikkel,

Thanks again for your suggestions. These are the results from your
suggestion;

  rpm -V sysklogd
  .M.T c /etc/rc.d/init.d/syslog
  S.5T c /etc/sysconfig/syslog
  S.5T c /etc/syslog.conf

Of course, there's no information in the help file to tell me what this
means, but maybe someone else can decipher it for me.

chkrootkit came back without any errors at all. The log files didn't show
anything about possible hacks to the files either. Guess I'll keep looking
for a reason for this behaviour.

I changed the debug setting to emerg in syslog.conf, but I'm still getting
an error. At least it's a different error number.

-- 
Mr. Geek
Registered Linux User #190712
Re: [newbie] Syslogd
Mr. Geek wrote:
> Mikkel L. Ellertson wrote:
>> It actually sounds like the daemons are not running. As root, run
>> "service syslog status" and make sure both syslogd and klogd are running.
>> If they both report that they are running, then check /etc/syslog.conf -
>> there should be only one entry that uses *, tty, tty0, or console for the
>> output file. (*.emerg *)
>>
>> Mikkel
>
> Yo, Mikkel;
>
> Thanks for the suggestions. Syslogd is definitely running;
>
>   service syslog status
>   syslogd (pid 7208) is running...
>   klogd (pid 7217) is running...
>
> The only thing I saw that looked a bit strange was that debug messages
> were set to be delivered to everyone (?), if that makes any sense.
>
>   # Everybody gets emergency messages
>   *.debug *

This is why you are getting so many messages. This should be *.emerg, not
*.debug! You only want messages with priority of emerg to show up on the
console. You definitely do not want all the debugging messages sent there.

> That seems to be the sole exception which MIGHT send log events to the
> console, but since there aren't any emergencies... In fact, it seems that
> most of the log messages going to the monitor have to do with my email
> server, and my PPPOE client, but instead of being emergencies, the monitor
> is getting every single event, such as users connecting successfully and
> retrieving their emails, or PPPOE re-establishing a connection - including
> every step of the connection process. It's almost as if a monitoring
> program was sending every single server activity to the screen. But it's
> reporting the events as coming from syslogd.
>
> Now here's something interesting though. When I did a restart of syslogd,
> service syslog restart, I got the following...
>
>   Shutting down kernel logger:  [ OK ]
>   Shutting down system logger:  [ OK ]
>   Starting system logger: /etc/init.d/syslog: line 100: 7885 Terminated $*
>                                 [FAILED]
>   Starting kernel logger:       [ OK ]
>
> So, I checked /etc/init.d/syslog and looked at line 100 which only
> states;
>
>   esac
>
> That's it. For some reason, that line is generating an error. Even so,
> syslog successfully restarts;
>
>   service syslog status
>   syslogd (pid 7886) is running...
>   klogd (pid 7894) is running...
>
> If I have some sort of error on line 100, and this is a default config
> file, then everyone should be having the same thing in their syslog init
> scripts, right? But they're not or there'd be a lot of talk about it on
> the list. See why this is getting on my nerves? G!

You should not be getting the error. You may want to run "rpm -V syslogd"
and see what errors it reports. You may also want to run a package like
chkrootkit to make sure your box wasn't "hacked". A look at the log files
is also in order. The /etc/syslog.conf file got changed, and maybe the
/etc/rc.d/init.d/syslog file as well.

Mikkel

-- 
Do not meddle in the affairs of dragons, for you are crunchy and taste good with Ketchup!
Re: [newbie] Syslogd
Mikkel L. Ellertson wrote:
> It actually sounds like the daemons are not running. As root, run
> "service syslog status" and make sure both syslogd and klogd are running.
> If they both report that they are running, then check /etc/syslog.conf -
> there should be only one entry that uses *, tty, tty0, or console for the
> output file. (*.emerg *)
>
> Mikkel

Yo, Mikkel;

Thanks for the suggestions. Syslogd is definitely running;

  service syslog status
  syslogd (pid 7208) is running...
  klogd (pid 7217) is running...

The only thing I saw that looked a bit strange was that debug messages were
set to be delivered to everyone (?), if that makes any sense.

  # Everybody gets emergency messages
  *.debug *

That seems to be the sole exception which MIGHT send log events to the
console, but since there aren't any emergencies... In fact, it seems that
most of the log messages going to the monitor have to do with my email
server, and my PPPOE client, but instead of being emergencies, the monitor
is getting every single event, such as users connecting successfully and
retrieving their emails, or PPPOE re-establishing a connection - including
every step of the connection process. It's almost as if a monitoring
program was sending every single server activity to the screen. But it's
reporting the events as coming from syslogd.

Now here's something interesting though. When I did a restart of syslogd,
service syslog restart, I got the following...

  Shutting down kernel logger:  [ OK ]
  Shutting down system logger:  [ OK ]
  Starting system logger: /etc/init.d/syslog: line 100: 7885 Terminated $*
                                [FAILED]
  Starting kernel logger:       [ OK ]

So, I checked /etc/init.d/syslog and looked at line 100 which only states;

  esac

That's it. For some reason, that line is generating an error. Even so,
syslog successfully restarts;

  service syslog status
  syslogd (pid 7886) is running...
  klogd (pid 7894) is running...

If I have some sort of error on line 100, and this is a default config
file, then everyone should be having the same thing in their syslog init
scripts, right? But they're not or there'd be a lot of talk about it on the
list. See why this is getting on my nerves? G!

-- 
Mr. Geek
Registered Linux User #190712
Re: [newbie] Syslogd
Mr. Geek wrote:
> Once again, I'm back with a seemingly odd situation. Running my server on
> Mandrake 10.1.
>
> Syslogd has been showing a non-stop list of log entries on my server's
> monitor. The server is starting in console mode (X, XFS and DM are not
> set to start on bootup, but can be started manually), and it starts
> displaying syslogd and klogd entries or data.
>
> I thought that syslogd was supposed to store its entries in a log
> file(s), not on the console. Can someone explain what's happening? I've
> never seen this before and I don't want to have to shut down the syslog
> & klogd daemons.

It actually sounds like the daemons are not running. As root, run "service
syslog status" and make sure both syslogd and klogd are running. If they
both report that they are running, then check /etc/syslog.conf - there
should be only one entry that uses *, tty, tty0, or console for the output
file. (*.emerg *)

Mikkel

-- 
Do not meddle in the affairs of dragons, for you are crunchy and taste good with Ketchup!
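Added example, not from the thread and not Mandrake's own tooling: a checker for the rule Mikkel states here and in his later reply, namely that /etc/syslog.conf should contain only one rule writing to a terminal or to all logged-in users, and that it should be *.emerg rather than *.debug (with sysklogd, "facility.priority" matches that priority and everything above it, so *.debug forwards every message). The sample config is constructed around the line Mr. Geek posted; the file-output rules beside it are assumed stock entries, not copied from his system.

```python
# Priorities in ascending order; 'facility.prio' matches prio and above
# (sysklogd semantics), so '*.debug' lets everything through.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def action_hits_terminal(action):
    """True if the action writes to a terminal rather than a file, pipe or
    remote host: '*' (every logged-in user), /dev/console, /dev/tty*, or a
    bare list of user names."""
    a = action.strip()
    if a == "*" or a.startswith("/dev/console") or a.startswith("/dev/tty"):
        return True
    return not a.startswith(("/", "-", "|", "@"))


def lowest_priority(selector):
    """Lowest priority any part of the selector lets through, or None if the
    selector only excludes ('none', '!prio').  '=prio' matches exactly prio,
    which is the same thing for the purpose of the minimum."""
    lowest = None
    for part in selector.split(";"):
        _, _, prio = part.rpartition(".")
        prio = prio.strip().lower()
        if prio == "none" or prio.startswith("!"):
            continue                      # exclusions add no messages
        prio = prio.lstrip("=")
        prio = ALIASES.get(prio, prio)
        if prio == "*":
            prio = "debug"
        if prio not in PRIORITIES:
            continue                      # malformed part; nothing to rank
        idx = PRIORITIES.index(prio)
        if lowest is None or idx < lowest:
            lowest = idx
    return None if lowest is None else PRIORITIES[lowest]


def terminal_rules(conf_text):
    """Every rule that reaches a terminal, as
    (line_no, selector, action, lowest priority it forwards)."""
    rules = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)           # selector <whitespace> action
        if len(parts) != 2:
            continue
        selector, action = parts
        if action_hits_terminal(action):
            rules.append((no, selector, action, lowest_priority(selector)))
    return rules


def audit(conf_text):
    """Problems against the 'one terminal rule, emerg only' rule of thumb.
    An empty list means the file has the expected shape."""
    rules = terminal_rules(conf_text)
    problems = []
    if len(rules) > 1:
        problems.append("%d rules write to a terminal; expected exactly one" % len(rules))
    for no, selector, action, lowest in rules:
        if lowest is not None and lowest != "emerg":
            problems.append("line %d: '%s %s' sends priority %s and above to the "
                            "terminal; use *.emerg" % (no, selector, action, lowest))
    return problems


# Constructed sample built around the line Mr. Geek posted; the file-output
# rules are assumed stock entries, not taken from his system.
BROKEN = """\
# Log all kernel messages to the console.
#kern.*                                                 /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
# Everybody gets emergency messages
*.debug                                                 *
"""
FIXED = BROKEN.replace("*.debug", "*.emerg")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(conf) or ["ok"])
```

Run `audit(open("/etc/syslog.conf").read())` on a live box; the message about "line N" points at the rule to change, after which syslog still needs the restart Mikkel describes.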
Re: [newbie] Syslogd
Steve Jeppesen wrote:
> On Sat, 12 Mar 2005 06:50:12 -0500 "Mr. Geek" <[EMAIL PROTECTED]> wrote:
>> How do I prevent syslogd from showing events on the screen? Is it not
>> normal to simply pass these events to the correct log file in /var/log ?
>
> Question, can you confirm that any of the messages being displayed on the
> monitor *are also being logged* in /var/log/syslog ?
>
> I also had this problem on our server after playing around with vlan -
> although I couldn't put my finger on it that vlan or possibly vclient IRC
> could have even had anything to do with it. Logged myself (the only user)
> off, and noticed the messages kept coming. Seemed to only be firewall hit
> messages that were showing up on the screen though.
>
> My M$ infliction - which doesn't seem to go away since I have to work
> with it everyday - kicked in about now and my uncontrollable urge to
> reboot overtook me. ;( The messages went away after that and I never
> bothered going back to figure it out.

Yes, they are being logged as well. I suspect that there is either a
problem with the default config (a.k.a. bug?), or that some other program
is causing this. But other than the kernel, logrotate, and crond what else
could be doing this? Hmmm. The plot thickens!

-- 
Mr. Geek
Registered Linux User #190712
Re: [newbie] Syslogd
On Sat, 12 Mar 2005 06:50:12 -0500 "Mr. Geek" <[EMAIL PROTECTED]> wrote:
> How do I prevent syslogd from showing events on the screen? Is it not
> normal to simply pass these events to the correct log file in /var/log ?

Question, can you confirm that any of the messages being displayed on the
monitor *are also being logged* in /var/log/syslog ?

I also had this problem on our server after playing around with vlan -
although I couldn't put my finger on it that vlan or possibly vclient IRC
could have even had anything to do with it. Logged myself (the only user)
off, and noticed the messages kept coming. Seemed to only be firewall hit
messages that were showing up on the screen though.

My M$ infliction - which doesn't seem to go away since I have to work with
it everyday - kicked in about now and my uncontrollable urge to reboot
overtook me. ;( The messages went away after that and I never bothered
going back to figure it out.
Re: [newbie] Syslogd
Aron Smith wrote:
> On Saturday 12 March 2005 01:12 am, Mr. Geek wrote:
>> Once again, I'm back with a seemingly odd situation. Running my server
>> on Mandrake 10.1.
>>
>> Syslogd has been showing a non-stop list of log entries on my server's
>> monitor. The server is starting in console mode (X, XFS and DM are not
>> set to start on bootup, but can be started manually), and it starts
>> displaying syslogd and klogd entries or data.
>>
>> I thought that syslogd was supposed to store its entries in a log
>> file(s), not on the console. Can someone explain what's happening? I've
>> never seen this before and I don't want to have to shut down the syslog
>> & klogd daemons.
>
> Just a wild guess.. but are you running logrotate? IIRC you should be,
> from what I have read on these lists.

Aron;

I just did a quick read on the functions included in logrotate (which is
installed and called by crond whenever necessary). It doesn't seem capable
of displaying system events on the screen. So, if that's correct, I'm back
at my original question. How do I prevent syslogd from showing events on
the screen? Is it not normal to simply pass these events to the correct log
file in /var/log ?

My understanding is that syslogd/klogd would only output messages to the
screen/console/monitor when it was either in debugging mode or if it had
been specifically configured to do it. Since this is a relatively fresh
install of Mandrake 10.1, nothing's been done to modify syslogd/klogd at
all. It is currently a default install of syslogd/klogd. It seems to be
displaying every single log entry on the console as they're being
generated, instead of urgent messages or debug info which would only be
occasional if at all. This also seems to happen even if no one is logged
onto the server locally, and also happens when I 'ssh' into the server
remotely. The log info/data immediately starts to show up on the remote
terminal.

Since it's a default install (i.e. no one's modified the syslogd/klogd
daemons at all), why would this be happening? If it happens here, wouldn't
it be happening for everyone running Mandrake 10.1 Official on a server
where syslogd/klogd are default installs and activated on boot?

Other suggestions?

-- 
Mr. Geek
Registered Linux User #190712
Re: [newbie] Syslogd
On Saturday 12 March 2005 01:12 am, Mr. Geek wrote:
> Once again, I'm back with a seemingly odd situation. Running my server
> on Mandrake 10.1.
>
> Syslogd has been showing a non-stop list of log entries on my server's
> monitor. The server is starting in console mode (X, XFS and DM are not
> set to start on bootup, but can be started manually), and it starts
> displaying syslogd and klogd entries or data.
>
> I thought that syslogd was supposed to store its entries in a log
> file(s), not on the console. Can someone explain what's happening? I've
> never seen this before and I don't want to have to shut down the syslog
> & klogd daemons.

Just a wild guess.. but are you running logrotate? IIRC you should be,
from what I have read on these lists.
[newbie] Syslogd
Once again, I'm back with a seemingly odd situation. Running my server on
Mandrake 10.1.

Syslogd has been showing a non-stop list of log entries on my server's
monitor. The server is starting in console mode (X, XFS and DM are not set
to start on bootup, but can be started manually), and it starts displaying
syslogd and klogd entries or data.

I thought that syslogd was supposed to store its entries in a log file(s),
not on the console. Can someone explain what's happening? I've never seen
this before and I don't want to have to shut down the syslog & klogd
daemons.

-- 
Mr. Geek
Registered Linux User #190712
Re: [newbie] syslogd
On Fri, 13 Dec 2002 10:07, Stephen Kuhn wrote:
> On Fri, 2002-12-13 at 07:28, George Baker wrote:
>> Last night a process called "syslogd -m" started and my hard drive went
>> mad for over 7 hours until I killed the process. What is it doing and
>> how often - will it always carry on for so long or was it just a once
>> off due to me moving MDK to a new drive??
>>
>> Please advise
>>
>> George
>
> That almost sounds as though a syslog ain't been run on yer system
> before - ya oughta let it run once - at least...

Open a terminal window and type "man syslogd". You need it.

I suspect it was 4 in the morning when it started churning away?

-- 
Michael
Re: [newbie] syslogd
On Fri, 2002-12-13 at 07:28, George Baker wrote:
> Last night a process called "syslogd -m" started and my hard drive went
> mad for over 7 hours until I killed the process. What is it doing and how
> often - will it always carry on for so long or was it just a once off due
> to me moving MDK to a new drive??
>
> Please advise
>
> George

That almost sounds as though a syslog ain't been run on yer system before -
ya oughta let it run once - at least...

-- 
Fri Dec 13 08:05:00 EST 2002
8:05am up 2 days, 27 min, 5 users, load average: 0.96, 0.37, 0.24
linux user:267497
kühn media australia | http://kma.0catch.com
stephen kühn | email: [EMAIL PROTECTED] | icq: 5483808 | mobile: 0410-728-389
Berkeley, New South Wales, AU
Coralament*Best Grötens*Liebe Grüße*Best Regards*Elkorajn Salutojn
Talk sense to a fool and he calls you foolish. -- Euripides
[newbie] syslogd
Last night a process called "syslogd -m" started and my hard drive went mad
for over 7 hours until I killed the process. What is it doing and how
often - will it always carry on for so long or was it just a once off due
to me moving MDK to a new drive??

Please advise

George