12-13-2004, 07:58 AM
#1
Member
Registered: Sep 2003
Distribution: Slackware 10.1, Slamd64 10.1, IpCop 1.4
Posts: 125
/var/log/messages empty
I noticed this morning that /var/log/messages is empty. The last file is /var/log/messages.3 which was written on Nov 22 at 13:48.
How do I get the logs back?
12-13-2004, 08:14 AM
#2
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Sounds like syslog isn't running, do a "ps ax | grep syslog" and see what comes up. Then, if the syslog daemon isn't there, restart it and see if it comes back.
12-13-2004, 08:26 AM
#3
Member
Registered: Sep 2003
Distribution: Slackware 10.1, Slamd64 10.1, IpCop 1.4
Posts: 125
Original Poster
Okay, that was it. Thanks for the help.
Should I be concerned? syslogd isn't something I would stop, but I see no evidence of an intruder entering. Of course, anyone with privileges to stop syslogd could also cover their tracks.
What should I look for?
12-13-2004, 08:37 AM
#4
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
I'm not the best to field this. But do you have tripwire installed? Or some other form of checksum information for the drive? With syslog down, there really is no way to tell. Check your /etc/passwd for any usernames, do a netstat -l for any open ports, run nessus on your box from a remote box, do a dmesg and see if that shows anything. Do you have a firewall on the box? Dmesg will have iptables info. That's just a start, hopefully somebody else can send you in the right direction. One thing, if this is a production box, you should already have a plan or concept of how you will determine an intrusion, maybe now is the time to document your steps and be ready for next time. Good luck!
Mike.
12-13-2004, 09:26 AM
#5
Member
Registered: Sep 2003
Distribution: Slackware 10.1, Slamd64 10.1, IpCop 1.4
Posts: 125
Original Poster
Looks like a false alarm. Turns out syslogd crashed when /var/log/syslog reached 2.0 GB. So, no intruder, but I have another mystery. My syslog.3 file is filled with lines like this:
Code:
Nov 22 13:52:27 Nimitz inetd[2163]: /usr/sbin/famd: exit status 0x1
Nov 22 13:52:27 Nimitz inetd[31722]: execv /usr/sbin/famd: No such file or directory
Looks like dropline gnome strikes again. Dropline stopped working for me, so I did an uninstall, which borked my whole system. I should have just started over at that point, but instead I just used swaret to get X and KDE back. Now I'm regretting that again because fam was a dropline package, and the entry in /etc/inet.d remained after the uninstall.
This isn't what I'd call a production box. Just my home PC. It's protected by an IPCop firewall, so I'm pretty confident no one is getting in, but the missing log files really made me worried.
Thanks for your help.
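The checks suggested in #2 and #4 (is syslogd still running?) and the failure found in #5 (an empty /var/log/messages, a syslog file grown to the 2 GB size that crashed syslogd, and inetd filling the log with execv failures for a removed famd) can be scripted so the condition is caught before the logs go dark. This is an added example in POSIX shell, not code from the thread or from Slackware; the paths, thresholds and sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: health checks for a classic syslogd host.
# Assumptions (constructed for illustration): logs live under LOG_DIR, the daemon
# appears in ps as "syslogd", and a log is "stale" when untouched for STALE_MIN
# minutes. LIMIT_BYTES is the 2 GB size at which the poster's syslogd crashed.
LOG_DIR="${LOG_DIR:-/var/log}"
STALE_MIN="${STALE_MIN:-60}"
LIMIT_BYTES=2147483648
WARN_BYTES=1932735283   # about 90% of LIMIT_BYTES: rotate before it falls over

# 0 if a syslogd process is running, 1 otherwise (the "ps ax | grep syslog" check).
syslog_running() { ps ax 2>/dev/null | grep -q '[s]yslogd'; }

# Portable byte count (stat's flags differ between GNU and BSD; wc -c does not).
file_size() { wc -c < "$1" | tr -d ' '; }

# 0 if FILE is empty or has not been written within STALE_MIN minutes.
# An empty /var/log/messages was the first symptom in the thread.
log_stale() {
    [ -s "$1" ] || return 0
    [ -n "$(find "$1" -mmin "+$STALE_MIN" 2>/dev/null)" ]
}

# 0 if FILE has reached LIMIT (default WARN_BYTES), i.e. is approaching 2 GB.
log_near_limit() { [ "$(file_size "$1")" -ge "${2:-$WARN_BYTES}" ]; }

# How many inetd lines report a service binary that no longer exists: the
# "execv /usr/sbin/famd: No such file or directory" noise that grew the log.
count_missing_exec() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c 'inetd\[[0-9]*\]: execv .*: No such file or directory' "$1" || true
}

# Unique binaries inetd failed to exec, so the stale inetd entries can be found.
missing_exec_services() {
    sed -n 's/.*inetd\[[0-9]*\]: execv \(.*\): No such file or directory$/\1/p' "$1" | sort -u
}

# Walk the usual log files; print one line per finding, return the finding count.
check_logs() {
    dir="${1:-$LOG_DIR}"; n=0
    syslog_running || { echo "PROBLEM: no syslogd process; logging has stopped"; n=$((n+1)); }
    for f in "$dir"/messages "$dir"/syslog "$dir"/secure; do
        [ -e "$f" ] || continue
        log_stale "$f" && { echo "PROBLEM: $f empty or stale (>$STALE_MIN min)"; n=$((n+1)); }
        log_near_limit "$f" && { echo "PROBLEM: $f at $(file_size "$f") bytes, near 2 GB"; n=$((n+1)); }
        c=$(count_missing_exec "$f")
        [ "$c" -gt 0 ] && { echo "NOTE: $f has $c inetd execv failures: $(missing_exec_services "$f" | tr '\n' ' ')"; n=$((n+1)); }
    done
    return "$n"
}
```

Run `check_logs` from cron or after boot; a non-zero return means logging has stopped, a file is about to hit the size that killed syslogd, or inetd is still trying to start a service whose binary was removed.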
12-13-2004, 11:43 AM
#6
Senior Member
Registered: Sep 2003
Location: Indiana
Distribution: Slackware 15.0
Posts: 1,272
That is one of the problems with dropline that bothers me. It is pretty tough to remove it without reformatting.