Old 11-11-2012, 09:05 AM   #1
AC29
LQ Newbie
 
Registered: Nov 2012
Posts: 1

Log Files deleted in /var/log


Hello All,

I am still new to the Linux world. I recently created a CentOS 6 cloud server. It's been up for 3 days. I noticed today in my /var/log, cat secure, my logs had been deleted from Nov 8 - today. Is this normal? All I have done to this server is installed httpd, mysql-server, php, and prepped it to host my website. Any help is greatly appreciated.

-thanks
AC
 
Old 11-11-2012, 09:31 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Sounds like you're not aware of log rotation. You should have /var/log/secure.1 (possibly with .gz on the end) for yesterday, .2 for Friday, .3 for Thursday, etc.
 
Old 11-11-2012, 09:45 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,998
Blog Entries: 54

Quote:
Originally Posted by AC29
Hello All,

I am still new to the Linux world.
Welcome to LQ, hope you like it here.


Quote:
Originally Posted by AC29
I recently created a CentOS 6 cloud server. It's been up for 3 days. I noticed today in my /var/log, cat secure, my logs had been deleted from Nov 8 - today. Is this normal?
Linux logs system, authorization and service information, like SSH for example, to several logs in /var/log using Rsyslog or an equivalent. Other services, like a running FTP or web server, usually take care of logging themselves. You should check if Rsyslog is running. Because logs grow over time, regular maintenance is needed. This is done with 'logrotate' (see 'man logrotate'). Its main configuration file is /etc/logrotate.conf and any service that wants its logs rotated has an entry in /etc/logrotate.d/ files. Logrotate doesn't run on its own but from cron ('man cron'). The configuration file for system tasks run by the cron daemon is /etc/crontab. (Also see 'man anacron' and /etc/anacrontab.) If you expect a job to be run daily it could be listed there or in /etc/cron.daily (or /etc/cron.d/). If a job runs on a weekly basis you'll find it in /etc/cron.weekly, /etc/crontab or /etc/cron.d/. To see if logrotate was run you could check /var/log/cron, see /var/lib/logrotate.status or the result of running as a file like "/var/log/messages" will be created with the old contents in "/var/log/messages.1.gz" (or "/var/log/messages-YYYY-MM-DD" on fscked-up wrongly configured by default like modern Fedora).

If /var/log/messages does not exist and wasn't rotated then check if Rsyslog is running. As root:
Code:
pgrep -lf rsyslog
The first number is the process Id or PID. As example we'll use the int "12345". The PID you will then use to see if the process still has files open:
Code:
/usr/sbin/lsof -Pwlnp 12345 +D/var/log
Post the output here if unsure.


Quote:
Originally Posted by AC29
All I have done to this server is installed httpd, mysql-server, php, and prepped it to host my website.
Unfortunately that is not enough. You have to ensure that nothing untoward happens to your server by hardening and regular auditing.
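
Added example, not code from any poster in this thread: a shell sketch of the checks described above, deciding whether older entries "missing" from a log are accounted for by rotated copies and what /var/lib/logrotate.status recorded for it. It covers both numbered (secure.1) and date-suffixed (secure-YYYYMMDD) copies; the function names and the script name check_rotation.sh are hypothetical.

```shell
#!/bin/sh
# Added example. Is a "missing" stretch of a log explained by rotation?

# Rotated siblings of a log: name.N[.gz] (numbered) or name-YYYYMMDD[.gz] (dateext).
rotated_copies() {
    for f in "$1".[0-9]* "$1"-[0-9]*; do
        [ -e "$f" ] && printf '%s\n' "$f"   # unmatched globs stay literal: skip
    done
    return 0
}

# Date logrotate recorded for a log (a rotation, or the day it first saw the file).
# State file lines look like: "/var/log/secure" 2012-11-11
last_rotation() {
    [ -r "$2" ] || return 1
    awk -v l="\"$1\"" '$1 == l { print $2; found = 1 } END { exit !found }' "$2"
}

# rotated: older entries should be in the copies; never-rotated: the live file
# exists but no copies account for a gap; missing: the log file itself is absent.
log_verdict() {
    if [ -n "$(rotated_copies "$1")" ]; then echo rotated
    elif [ -e "$1" ]; then echo never-rotated
    else echo missing
    fi
}

report() {
    log=$1 state=${2:-/var/lib/logrotate.status}
    verdict=$(log_verdict "$log")
    echo "$log: $verdict"
    rotated_copies "$log" | sed 's/^/  copy: /'
    if stamp=$(last_rotation "$log" "$state"); then echo "  logrotate state: $stamp"; fi
    if [ "$verdict" = missing ] && ! pgrep -x rsyslogd >/dev/null; then
        echo "  rsyslogd is not running"
    fi
}

# Usage (hypothetical script name): sh check_rotation.sh /var/log/secure [state-file]
if [ $# -gt 0 ]; then report "$@"; fi
```

A "never-rotated" or "missing" verdict on a log that should hold several days of entries is the case worth following up with the lsof check from the post above.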
 
  

