Syslog stays empty

Etraman · 04-15-2005, 04:20 AM

Hello,

A few days ago i needed to look at the syslogs (Slack 10) and i found that /var/log/syslog is empty. The syslogd is running and all other logs are updated but not syslog.

I tried removing the /var/log/syslog* files and restart the syslogd but all that happens is a new /var/log/syslog is created but it stays empty.

Now, i could use some help here but i don't really now what info i need to give. Please advise.

thnx in advance.

slackie1000 · 04-15-2005, 05:47 AM

hi there,

how your /etc/syslog.conf file looks like?

regards
slackie1000

gbonvehi · 04-15-2005, 05:53 AM

Do you have /etc/rc.d/rc.syslog as executable? Check if klogd is running which is the daemon that sends messages to syslogd about kernel stuff.

Etraman · 04-15-2005, 07:02 AM

Quote:

Originally posted by slackie1000
hi there,

how your /etc/syslog.conf file looks like?

Here it is, looks ok to me:

Code:

# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
# of these entries;  this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.

# Uncomment this to see kernel messages on the console.
#kern.*							/dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/syslog

# Debugging information is logged here.
*.=debug						-/var/log/debug

# Private authentication message logging:
authpriv.*						-/var/log/secure

# Cron related logs:
cron.*							-/var/log/cron

# Mail related logs:
mail.*							-/var/log/maillog

# Emergency level messages go to all users:
*.emerg							*

# This log is for news and uucp errors:
uucp,news.crit						-/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit					-/var/log/news/news.crit
#news.=err					-/var/log/news/news.err
#news.notice					-/var/log/news/news.notice

Quote:

Originally posted by gbonvehi
Do you have /etc/rc.d/rc.syslog as executable? Check if klogd is running which is the daemon that sends messages to syslogd about kernel stuff.

/etc/rc.d/rc.syslog is executable:

Code:

# ls -o rc.syslog
-rwxr-xr-x  1 root 860 2004-05-03 00:07 rc.syslog*

Both syslogd and klogd are running:

Code:

# ps -e|grep logd
25034 ?        00:00:00 syslogd
25049 ?        00:00:00 klogd

*thnx for the replies, much appreciated!

slackie1000 · 04-15-2005, 07:17 AM

hi there,

sorry mate. this is weird. no idea what is going on.
the only thing that i would say is that you could try to restart the services:
klogd and syslogd.
if it does not work....

regards

slackie1000

Etraman · 04-15-2005, 11:08 AM

Both syslogd and klogd have been restarted but still no syslog...

Etraman · 04-18-2005, 05:34 PM

I checked the system for rootkits with rootkithunter and it seems the system has not been compomised either..

I really haven't got any clue of why this is happening. Please, if any one reads this, consider it an S.O.S.

thnx.

egag · 04-18-2005, 06:13 PM

are those syslog & messages -files writeable and owned by root ?

egag

Etraman · 04-18-2005, 07:15 PM

Quote:

Originally posted by egag
are those syslog & messages -files writeable and owned by root ?

egag

Seems so:

# ls -o /var/log/syslog
-rw-r--r-- 1 root 0 2005-04-17 04:40 /var/log/syslog

When i delete this file and restart syslogd it gets created again, but nothing is written to it.

My /var/log/cron and /var/log/spooler are empty too. All other log files seem OK.

vdemuth · 04-19-2005, 01:04 AM

You might want to look at your logrotate function. Make sure it's not set to something strange like rotate upon maximum size, or on bootup or shutdown etc.
Other than that, really no other ideas.
I suppose you could install webmin and use that to set up your logging facilities

Etraman · 04-19-2005, 03:48 PM

Quote:

Originally posted by vdemuth
You might want to look at your logrotate function. Make sure it's not set to something strange like rotate upon maximum size, or on bootup or shutdown etc.
Other than that, really no other ideas.
I suppose you could install webmin and use that to set up your logging facilities

Logratation seems to be fine too, setup to rotate once a week, which actually happens too. All logs are rotated every week.

Now, some other issues with the server made us decide to upgrade the kernel to 2.6.11.7 today. We booted the server with the new kernel and now syslogging works as it should. On one hand OK, on the other a bit of a pity because now i still don't know what was the cause of this problem.
But there are a few problems that came up using the new kernel so we just might go back to the 2.4.26 kernel if we can't solve those new problems. When that's the case i guess i'll post back in this thread. Otherwise esac.

I do, however, stay curious to actually know what the cause of this problem is/was.

Thnx to everybody for the input ! Much appreciated!

eelriver · 04-20-2005, 12:33 AM

I had this problem when I inadvertently compiled in debugging on something and one of the files in /var/log got to 2G in size. If any file written by the syslog gets that big, no more logging.

Etraman · 04-20-2005, 07:45 PM

Quote:

Originally posted by eelriver
I had this problem when I inadvertently compiled in debugging on something and one of the files in /var/log got to 2G in size. If any file written by the syslog gets that big, no more logging.

Yes, i've read that somewhere too. But the logs on the server are nowhere near that size, i'm afraid.