Log Files deleted in /var/log

AC29 · 11-11-2012, 09:05 AM

Hello All,

I am still new to Linux world. I recently created a centos 6 cloud server. It's been up for 3 days. I noticed today in my /var/log, cat secure, my logs had been deleted from Nov 8- today. Is this normal? All I have done to this server is installed httpd, mysql-server, php, and prepped it to host my website. Any help is greatly appreciated.

-thanks
AC

acid_kewpie · 11-11-2012, 09:31 AM

sounds like you're not aware of log rotation. you should have /var/log/secure.1 (possibly with .gz on the end) for yesterday. .2 for friday, .3 for thursday etc.

unSpawn · 11-11-2012, 09:45 AM

Quote:

Originally Posted by AC29

Hello All,

I am still new to Linux world.

Welcome to LQ, hope you like it here.

Quote:

Originally Posted by AC29

I recently created a centos 6 cloud server. It's been up for 3 days. I noticed today in my /var/log, cat secure, my logs had been deleted from Nov 8- today. Is this normal?

Linux logs system, authorization and service information, like SSH for example, to several logs in /var/log using Rsyslog or an equivalent. Other services, like a running FTP or web server, usually take care of logging themselves. You should check if Rsyslog is running. Because logs grow over time regular maintenance is needed. This is done with 'logrotate' (see 'man logrotate'). Its main configuration file is /etc/logrotate.conf and any service that wants its logs rotated has an entry in /etc/logrotate.d/ files. Logrotate doesn't run on its own but from cron ('man cron'). The configuration file for system tasks run by the cron daemon is /etc/crontab. (Also see 'man anacron' and /etc/anacrontab.) If you expect a job to be run daily it could be listed there or in /etc/cron.daily (or /etc/cron.d/). If a job runs on a weekly basis you'll find it in /etc/cron.weekly, /etc/crontab or /etc/cron.d/. To see if logrotate was run you could check /var/log/cron, see /var/lib/logrotate.status or the result of running as a file like "/ var/log/messages" will be created with the old contents in "/var/log/messages.1.gz" (or "/var/log/messages-YYYY-MM-DD" on fscked-up wrongly configured by default like modern Fedora).

If /var/log/messages does not exist and wasn't rotated then check if Rsyslog is running. As root:

Code:

pgrep -lf rsyslog

The first number is the process Id or PID. As example we'll use the int "12345". The PID you will then use to see if the process still has files open:[code]/usr/sbin/lsof -Pwlnp 12345 +D/var/log[code]Post the output here if unsure.

Quote:

Originally Posted by AC29

All I have done to this server is installed httpd, mysql-server, php, and prepped it to host my website.

Unfortunately that is not enough. You have to ensure that nothing untoward happens to your server by hardening and regular auditing.