problems with syslogd

Valery Reznic valery_reznic at yahoo.com
Wed Jun 9 15:26:41 IDT 2010


Connect to syslogd with strace:
strace -p syslogd_pid
And then "provoke" a message that should go to /var/log/messages; strace will show you what syslogd does. Maybe it will reveal the cause of the problem.
Valery

--- On Wed, 6/9/10, Amit Aronovitch <aronovitch at gmail.com> wrote:

From: Amit Aronovitch <aronovitch at gmail.com>
Subject: problems with syslogd
To: "Linux-IL" <linux-il at cs.huji.ac.il>
Date: Wednesday, June 9, 2010, 3:14 PM

Hi,

Recently I stopped getting any messages in /var/log/messages (and probably some other files as well). Basic tests I could think of all check out OK (see below). Any ideas what I should check next?

Using sysklogd+klogd 1.5 on Debian (unstable).

1) /etc/syslogd.conf is Debian's standard, seems to support /var/log/messages (as ever):
(some comment lines truncated)
------->
#
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
#cron.*                /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
user.*                -/var/log/user.log
#
mail.info            -/var/log/mail.info
mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err
#
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none    -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none        -/var/log/messages
#
*.emerg                *
#
#daemon,mail.*;\
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8
#
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn    |/dev/xconsole
<------

2) syslogd is running, and has some log files open (but not /var/log/messages and friends!)

~# ls -al /proc/`ps -C syslogd -o pid=`/fd
total 0
dr-x------ 2 root root  0 Jun  9 14:20 .
dr-xr-xr-x 7 root root  0 Jun  9 14:19 ..
lrwx------ 1 root root 64 Jun  9 14:20 0 -> socket:[1007451]
l-wx------ 1 root root 64 Jun  9 14:20 1 -> /var/log/auth.log
l-wx------ 1 root root 64 Jun  9 14:20 10 -> /var/log/mail.err
l-wx------ 1 root root 64 Jun  9 14:20 11 -> /var/log/news/news.crit
l-wx------ 1 root root 64 Jun  9 14:20 12 -> /var/log/news/news.err
l-wx------ 1 root root 64 Jun  9 14:20 13 -> /var/log/news/news.notice
l-wx------ 1 root root 64 Jun  9 14:20 2 -> /var/log/syslog
l-wx------ 1 root root 64 Jun  9 14:20 3 -> /var/log/daemon.log
l-wx------ 1 root root 64 Jun  9 14:20 4 -> /var/log/kern.log
l-wx------ 1 root root 64 Jun  9 14:20 5 -> /var/log/lpr.log
l-wx------ 1 root root 64 Jun  9 14:20 6 -> /var/log/mail.log
l-wx------ 1 root root 64 Jun  9 14:20 7 -> /var/log/user.log
l-wx------ 1 root root 64 Jun  9 14:20 8 -> /var/log/mail.info
l-wx------ 1 root root 64 Jun  9 14:20 9 -> /var/log/mail.warn


3) log files exist, and seem to have the same permissions as the working ones:
 
~$ ls -alt `cat /etc/syslog.conf | awk '(substr($1,1,1)!="#" && $2!="") {sub("-","",$2); if ($2 ~ /^\/var/) print $2}'`
-rw-r----- 1 root adm   8025 Jun  9 15:02 /var/log/syslog
-rw-r----- 1 root adm  87932 Jun  9 15:02 /var/log/auth.log
-rw-r----- 1 root adm 161406 Jun  9 14:19 /var/log/kern.log
-rw-r----- 1 root adm  62494 Jun  9 14:00 /var/log/daemon.log
-rw-r----- 1 root adm  23295 Jun  9 08:07 /var/log/user.log
-rw-r----- 1 root adm      0 Jun  3 08:19 /var/log/debug
-rw-r----- 1 root adm      0 Jun  3 08:19 /var/log/messages
-rw-r----- 1 root adm      0 Apr 18 06:57 /var/log/mail.info
-rw-r----- 1 root adm      0 Apr 18 06:57 /var/log/mail.log
-rw-r----- 1 root adm      0 Apr 18 06:57 /var/log/mail.err
-rw-r----- 1 root adm      0 Apr 18 06:57 /var/log/mail.warn
-rw-r----- 1 root adm      0 Nov 25  2007 /var/log/lpr.log
-rw-r----- 1 root adm      0 Feb 20  2005 /var/log/news/news.crit
-rw-r----- 1 root adm      0 Feb 20  2005 /var/log/news/news.err
-rw-r----- 1 root adm      0 Feb 20  2005 /var/log/news/news.notice

4) Removing and reinstalling the sysklogd package did not help.


5) Google found some similar problem reports, but they all turned out to be either filesize overflow (I have plenty of space on the /var/ partition, btw) or a crashed daemon.

What next?

  thanks,
       AA
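
The comparison made by hand in steps 1 to 3 of the quoted message (targets named in the config versus files syslogd actually holds open) can be scripted, which is useful for spotting a silent logging gap. This is an added example, not part of either poster's message; the function names, the simplified parsing rules and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: which syslog.conf targets are not open?

# Print every file or pipe target in a sysklogd-style config. Assumed parsing
# rules: blank and "#" lines are skipped, a trailing "\" continues a selector.
syslog_targets() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^#/ { next }
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        {
            n = split(buf $0, f, /[ \t]+/); buf = ""
            if (n < 2) next
            t = f[n]; sub(/^[-|]/, "", t)      # drop "-" (no sync) or "|" (pipe)
            if (t ~ /^\//) print t             # skip "*" and @host actions
        }
    ' "$1" | sort -u
}

# Print the path behind each descriptor of a live process (needs root).
open_files() {
    for fd in /proc/"$1"/fd/*; do readlink "$fd"; done | sort -u
}

# Configured targets that do not appear in the list of open paths ($2).
unopened_targets() {
    syslog_targets "$1" | grep -Fxv -f "$2" || true
}

# Constructed sample modelled on the post: a cut-down config and fd listing.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/syslog.conf" <<'EOF'
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none     -/var/log/syslog
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none    -/var/log/debug
*.=info;*.=notice;*.=warn;\
    mail,news.none         -/var/log/messages
*.emerg                    *
EOF
    printf '%s\n' 'socket:[1007451]' /var/log/auth.log /var/log/syslog > "$d/open"
    unopened_targets "$d/syslog.conf" "$d/open"
    rm -rf "$d"
}

demo
# Live use: open_files "$(pidof syslogd)" > /tmp/open; unopened_targets /etc/syslog.conf /tmp/open
```

On the constructed sample the script prints /var/log/debug and /var/log/messages, the two configured targets that have no matching open descriptor.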



