Empty logs on /var/log/

yzT! · 03-13-2014, 04:17 AM

Implementing a SIEM I just noticed that one of our servers is not logging anything, and I don't know why. The logs seem to rotate but no one has data.

For instance:

Code:

-rw------- 1 root root        0 Mar  9 04:04 cron
-rw------- 1 root root        0 Mar  2 04:04 cron.1
-rw------- 1 root root        0 Feb 23 04:04 cron.2
-rw------- 1 root root   272947 Jul  8  2012 cron.4

-rw------- 1 root root        0 Mar  9 04:04 messages
-rw------- 1 root root        0 Mar  2 04:04 messages.1
-rw------- 1 root root        0 Feb 23 04:04 messages.2
-rw------- 1 root root   446484 Jul  8  2012 messages.4

-rw------- 1 root root        0 Mar  9 04:04 secure
-rw------- 1 root root        0 Mar  2 04:04 secure.1
-rw------- 1 root root        0 Feb 23 04:04 secure.2
-rw------- 1 root root   123532 Jul  8  2012 secure.4

TenTenths · 03-13-2014, 04:23 AM

Check syslogd / rsyslogd is running

yzT! · 03-13-2014, 04:28 AM

yes, that was the first thing I did...

TenTenths · 03-13-2014, 04:39 AM

Quote:

Originally Posted by yzT!

yes, that was the first thing I did...

Try posting what ELSE you've tried, we're not psychic.

yzT! · 03-13-2014, 05:00 AM

Anything else because I don't know where to look, but that one was obvious, wasn't it?

Content of logrotate.d/syslog-ng

Code:

/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslog-ng.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Restarting syslog it works, but after a couple of days, again logs are empty

fotoguy · 03-15-2014, 02:03 AM

Are there any cron jobs running that may have a command that could periodically clear the log files. Are there other users that have access to the server that could be doing something they shouldn't? have you checked for rootkits? make a script that makes backups of your log files, say every hour, in another location, or can you send the logs to another server and archive them with dates and times in the filename for easier reference.

yzT! · 03-17-2014, 03:13 AM

Just Apache's logs are sent to another server, but those do not have any problem.

A coworker is telling me that maybe it was that the server ran out of space at some point. When that happens, should syslog be restarted? Doesn't it recover itself?

Might it be something related with logrotate? That after reaching the log 4 doesn't start over again?

EDIT: a question about the rotation of logs. When a log rotates, it keeps logging to the new file or to the old one?

For example, if my secure rotated today, events generated today should be logged into secure or into secure.1? I'm asking because I'm noticing that on the server that isn't working it's behaving like this, but on another server that works, it saves the old log to secure.1 and starts a new one on secure.