07-29-2005, 11:50 AM   #1
LQ Newbie | Registered: Jul 2005 | Posts: 4
console login hangs RHEL 3
Been using Linux for years and came upon a new problem I have never encountered.
Please read carefully before jumping to conclusions.
OS: RHEL WS 3
System: HP Server Hyperthreading
Have had a system in place for about 6 months continuous uptime and no issues.
Issue: Can no longer use console to login nor use ssh into system (telnet disabled).
Symptoms:
ssh: ssh_exchange_identification: Connection closed by remote host
console: Type in any user name and password. Press enter, tty hangs forever.
Have not rebooted system yet, due to production system. Looking for advice of what to look for, here is what I was going to try tonight after reboot and hopefully login.
1. check for /etc/nologin.
2. check /etc/securetty (see if corrupt file)
3. rpm -Vf /etc/pam.d (don't feel this is going to help much)
4. rpm -Vf /etc/security (don't feel this is going to help much either)
5. rpm -V initscripts
6. check /etc/shadow and /etc/passwd for corrupt entries
7. rpm -Vf /bin/login
8. rpm -Vf /sbin/mingetty
If I cannot login, will boot to cdrom with the install disk and mount the filesystems and perform the checks.
Any other ideas anyone may have???? Ideas or instances where this has happened to someone else?
Thanks,
Darren

07-30-2005, 04:11 AM   #2
LQ Newbie | Registered: Jul 2005 | Posts: 4 | Original Poster
All,
Found the problem after reboot.
Issue: /var had filled up. Therefore, neither lastlog nor wtmp could be written to.
Affecting program: auditd
Description: /var/log/audit.d directory was housing about (40) 20 megabyte files, filling up the /var filesystem preventing logging in. Apparently, the specific version with RHEL 3 update 4 does not clean up the files, but leaves them there. This is either a bug/configuration issue with auditd. Currently, just turned it off.
Hope this helps others out there that may run across this same problem.
Darren

08-16-2005, 02:59 PM   #3
LQ Newbie | Registered: Aug 2005 | Posts: 2
Thanks for your post; it helped a lot.
This was driving me crazy...I had noticed that /var seemed a little large but didn't think the problem could be there, but your post makes complete sense.
So besides turning auditd off what other solutions are you thinking of?
Cole

08-24-2005, 12:25 AM   #4
LQ Newbie | Registered: Jul 2005 | Posts: 4 | Original Poster
Glad this helped someone else. The fix for this is to have rotating logs.
I believe I saw a post that it is marked as a bug by Red Hat.
The /etc/audit/auditd.conf:

    # Standard output method is bin mode.
    #
    output {
        mode = bin;
        num-files = 4;
        file-size = 20M;
        file-name = "/var/log/audit.d/bin";
        notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C";
        # The following symlink is created whenever we switch to
        # a new bin.
        current = "/var/log/audit";
        sync = no;
        # uncomment these to cause audit records to be
        # flushed to the disk after sync-after records
        # are written to the log
        # sync = yes;
        # sync-after = 16;
        error {
            action {
                type = suspend;
            };
        };
    };

Notice, that the num-files is supposed to be only 4. This says to me it is a
bug. Hopefully, they have fixed this in an update from Red Hat.
Due to that we don't need these logs, since it is an internal computer, it was
not needed.
To fix the script, something like the following could be implemented in cron:
Put in a shell script to run from cron something similar.
I don't remember the exact layout of the filename. I remember
seeing one that was bin.1, so assuming the .1 is the day.

    SEVEN_DAYS_OLD=`/usr/locale/ebin/date '+%d' --date '3 days ago'`
    rm /var/log/audit/bin.${SEVEN_DAYS_OLD}
    rm /var/log/audit/bin/<other_files>.${SEVEN_DAYS_OLD}

Of course, this does no checking, should have something similar to:

    # test the same path that rm removes
    if [ -f /var/log/audit/bin.${SEVEN_DAYS_OLD} ]
    then
        rm /var/log/audit/bin.${SEVEN_DAYS_OLD}
    fi

So, if you need the audit logs, hopefully, the above helps if Red Hat and others
have not fixed the problem yet.
Darren

08-24-2005, 12:27 AM   #5
LQ Newbie | Registered: Jul 2005 | Posts: 4 | Original Poster
How about a few corrections to that post.
The shell script should read:

    SEVEN_DAYS_OLD=`/usr/locale/ebin/date '+%d' --date '7 days ago'`
    # test the same path that rm removes
    if [ -f /var/log/audit/bin.${SEVEN_DAYS_OLD} ]
    then
        rm /var/log/audit/bin.${SEVEN_DAYS_OLD}
    fi

08-24-2005, 06:52 PM   #6
LQ Newbie | Registered: Aug 2005 | Posts: 2
Thanks again, Darren

08-31-2005, 06:41 AM   #7
LQ Newbie | Registered: Aug 2005 | Distribution: RHEL/Debian | Posts: 4
I've just encountered this problem as well (on RHEL3), & there's another possible solution:
Edit audit.conf as follows:

    output {
        mode = bin;
        num-files = 4;
        file-size = 20M;
        file-name = "/var/log/audit.d/bin";
        notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N 'rm -f %f'";
        [etc...]
    }

The notify line as above should (according to the docs) remove old 'save' files when the filesystem comes within 20% of full (change the figure after -T to specify how close to full you want to start deleting old files).
This should be of help if audit is filling up the log directory with 'save' files rather than 'bin' files - which is what was happening with me. As I understand it, the num-files option here refers to the number of 'bin' files that are in use. The 'notify' option states what should be done when a new 'bin' file is started (in the above config, when the previous one gets to 20MB). The config above will copy the old 'bin' file to a new file 'save.%u' (audbin uses %u to generate a number to make the filename unique), clear the file (-C flag), & then look to see if the filesystem threshold is reached (-T flag, within 20% of full here); if it is, then it runs the -N command (%f refers here to oldest file). The audbin man page is helpful.
Before making this change, the default was for the notify command simply to suspend the audit daemon, which caused the machine to hang as described at the top of this thread.
Hope that's helpful for anyone else encountering this problem! And thanks to Darren for the initial pointer.
Juliet
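
The threshold-based cleanup discussed in posts #4 and #7, written as a cron-friendly script. This is an added example, not part of any post and not Red Hat's or audbin's own code. Assumptions: 'save' files sit in /var/log/audit.d as in the posted config, file age is taken from modification time, an 80% usage limit stands in for "-T 20%", and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Deletes the oldest audit 'save' files
# while the filesystem is at or above LIMIT_PCT (80 mirrors "-T 20%").
# Function names are hypothetical; AUDIT_DIR is the path in the posted config.
AUDIT_DIR=${AUDIT_DIR:-/var/log/audit.d}
LIMIT_PCT=${LIMIT_PCT:-80}

# Read `df -P` output on stdin, print the Capacity column as an integer.
parse_df_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Used percentage of the filesystem that holds directory $1.
used_pct() {
    df -P "$1" | parse_df_pct
}

# Oldest save.* file in $1 by modification time; prints nothing if none.
oldest_save() {
    ls -1tr "$1"/save.* 2>/dev/null | head -n 1
}

# Remove oldest save files in $1 until usage is below $2 percent.
# Stops when no save file is left or a delete fails; prints the count removed.
prune_saves() {
    dir=$1 limit=$2 removed=0
    while pct=$(used_pct "$dir") && [ "${pct:-0}" -ge "$limit" ]; do
        victim=$(oldest_save "$dir")
        [ -n "$victim" ] || break
        rm -f -- "$victim" || break
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Act only when called with "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    n=$(prune_saves "$AUDIT_DIR" "$LIMIT_PCT")
    logger -t audit-prune "removed $n save file(s) from $AUDIT_DIR"
fi
```

Pruned audit records are gone for good, so copy the save files off the host before this runs if the audit trail has to be retained.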

06-11-2007, 04:43 PM   #8
LQ Newbie | Registered: Jun 2007 | Posts: 1
this worked for me
Thanks for posting this. I always forget about that sad little /var directory silently doing its job, and silently puking when full.. Booted with knoppix, deleted some files and I'm back in business.

All times are GMT -5.