LinuxQuestions.org


Obie 08-09-2004 12:08 AM

/var/log
 
I find that within the /var/log folder it periodically creates the following files ksyms.0, ksyms.1, ksyms.2, etc. What are these files?

I also noticed going through my messages file that /var/log/wtmp changed mode from 664 to 600? Why is this so?

Archite 08-09-2004 01:08 AM

Well, the .0 or .1 files are old logs that are rotated. All your log files should be 600 for security reasons.

Obie 08-09-2004 01:32 AM

Archite,

Thank you. However, what is the difference between syslog, messages and ksyms.0, etc? They can't be logging the same events.

btmiller 08-09-2004 01:52 AM

Logfiles are somewhat distro specific I've found ... you should check your /etc/syslog.conf to see exactly what's being logged where. On many distros, messages logs everything except user authentication logging, which is handled by secure. I think ksyms may have something to do with the kernel, but I'm not totally sure. Most distros don't use syslog (Slackware being the one exception I can think of). In any case, you can view your logging setup in the aforementioned /etc/syslog.conf and change it if you don't like the way things are set up.

Obie 08-09-2004 01:58 AM

btmiller,

I don't mind the way things are set up, but it helps to know what each file does before I blindly change any settings. I am aware logging differs from distribution to distribution; however, would you be able to advise what is common between most distributions?

Archite 08-09-2004 02:09 AM

The one thing that is basically the same in all is that log files are in /var/log. Anything else can be fair game.

Obie 08-09-2004 02:11 AM

Thank you all for your help

Archite 08-09-2004 02:16 AM

Sorry. I wish that I could help you more. Send a few lines of output from that log file in question and maybe we can figure out what it is.

Obie 08-09-2004 04:22 PM

Archite,

Thanks, I did to a degree find out what each file does. I just went through them comparing one another, although it remains vague to me which "software" writes to messages, secure, user.log, ksyms.0 [etc]. Would you have any idea?

stickman 08-09-2004 04:34 PM

Read the man page for ksyms.

Obie 08-09-2004 04:54 PM

stickman,

Thanks for the point of reference. Would you however know which "software" creates those logs? I'm guessing at this stage syslogd.

stickman 08-09-2004 05:03 PM

Look in rc.sysinit.

Obie 08-09-2004 06:33 PM

stickman,

what do I look for within the rc.sysinit file?

stickman 08-10-2004 07:36 AM

I think the obvious thing would be ksyms...

Obie 08-10-2004 03:55 PM

stickman,

Of course, but having said that, neither syslogd nor /etc/syslog.conf has any reference to ksyms.0, etc. Also, the man pages on ksyms seem very arbitrary (to me at least, since I'm relatively new to the world of Linux).

stickman 08-10-2004 04:09 PM

The ksyms logfiles are not created by syslog, but by rc.sysinit as I suggested. Not all files in /var/log are created by syslog. It's a generic log location. If you look in rc.sysinit for ksyms, you'll see where the logfiles are rotated with a simple while loop and the new one is created. Also, what do you consider to be arbitrary about the ksyms manpage? It appears to work as advertised.

Obie 08-10-2004 04:15 PM

stickman,

I thought the rc.sysinit would start the software that logs ksyms.0, etc. As for my comment on it being arbitrary, I think I should have used the word vague. In a gist, it only seems to come across to me as kernel messaging, and if so, for what reason?

stickman 08-10-2004 04:20 PM

There is no software behind ksyms other than the kernel (i.e. module insertion and removal). The logfiles are created with a simple cat command.

Obie 08-10-2004 04:30 PM

stickman,

Thanks. How does ksyms help with security and why log it?

stickman 08-11-2004 08:00 AM

ksyms basically tells you what kernel symbols exist and where they are. Typically this should be static from day to day unless you are making adjustments to your kernel or the modules that get loaded. You might want to start looking at your system if you suddenly have new symbols.
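
The check described in the reply above (watching for symbols that suddenly appear between rotated ksyms snapshots) as an added example that is not part of the original thread. It assumes each symbol line has the form `<hex address> <symbol> [module]`; the function names `ksyms_keys`, `ksyms_diff` and `demo` and the sample snapshot contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report kernel symbols that appear or vanish between two
# ksyms snapshots. Assumed line format: "<hex address> <symbol> [module]".

# Print one "symbol [module]" key per symbol line, sorted and de-duplicated.
# The address column is dropped so a module loaded at a different address is
# not reported; lines that do not start with a hex address are skipped.
ksyms_keys() {
    awk '$1 ~ /^[0-9a-fA-F]+$/ && length($1) >= 8 && NF >= 2 {
             print $2 (NF >= 3 ? " " $3 : "")
         }' "$1" | LC_ALL=C sort -u
}

# ksyms_diff OLDER NEWER: prints "+ key" for symbols only in NEWER and
# "- key" for symbols only in OLDER. Returns 0 when the sets match, 1 otherwise.
ksyms_diff() {
    old_keys=$(mktemp) || return 2
    new_keys=$(mktemp) || { rm -f "$old_keys"; return 2; }
    ksyms_keys "$1" > "$old_keys"
    ksyms_keys "$2" > "$new_keys"
    added=$(LC_ALL=C comm -13 "$old_keys" "$new_keys" | sed 's/^/+ /')
    removed=$(LC_ALL=C comm -23 "$old_keys" "$new_keys" | sed 's/^/- /')
    rm -f "$old_keys" "$new_keys"
    if [ -n "$added" ]; then printf '%s\n' "$added"; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed"; fi
    [ -z "$added$removed" ]
}

# Constructed sample snapshots (not real system output).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'c0112340 printk' 'c0145670 kmalloc' \
        'd0801060 ext3_sync [ext3]' 'd0802000 old_fn [oldmod]' > "$d/older"
    printf '%s\n' 'c0112340 printk' 'c0145670 kmalloc' \
        'd0853060 ext3_sync [ext3]' 'd0900000 extra_fn [extramod]' > "$d/newer"
    rc=0
    ksyms_diff "$d/older" "$d/newer" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "symbol set changed: review module loads since the older snapshot"
```

Pass the older snapshot first and the newer one second; a non-zero exit status means the set of exported symbols differs.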

Obie 08-11-2004 04:04 PM

stickman,

Thank you.

