/var/log/messages empty

Phathead · 12-13-2004, 07:58 AM

I noticed this morning that /var/log/messages is empty. The last file is /var/log/messages.3 which was written on Nov 22 at 13:48.

How do I get the logs back?

mikeyt_333 · 12-13-2004, 08:14 AM

Sounds like syslog isn't running, do a "ps ax | grep syslog" and see what comes up. Then, if the syslog daemon isn't there, restart it and see if it comes back.

Phathead · 12-13-2004, 08:26 AM

Okay, that was it. Thanks for the help.

Should I be concerned? syslogd isn't something I would stop, but I see no evidence of an intruder entering. Of course, anyone with privilages to stop syslogd could also cover their tracks.

What should I look for?

mikeyt_333 · 12-13-2004, 08:37 AM

I'm not the best to field this. But do you have tripwire installed? Or some other form of checksum information for the drive? With syslog down, there really is no way to tell. Check your /etc/passwd for any usernames, do a netstat -l for any open ports, run nessus on your box from a remote box, do a dmesg and see if that shows anything. Do you have a firewall on the box? Dmesg will have iptables info. That's just a start, hopefully somebody else can send you in the right direction. One thing, if this is a production box, you should already have a plan or concept of how you will determine an intrusion, maybe now is the time to document your steps and be ready for next time. Good luck!

Mike.

Phathead · 12-13-2004, 09:26 AM

Looks like a false alarm. Turns out syslogd crashed when /var/log/syslog reached 2.0 GB. So, no intruder, but I have another mystery. My syslog.3 file is filled with lines like this:

Code:

Nov 22 13:52:27 Nimitz inetd[2163]: /usr/sbin/famd: exit status 0x1
Nov 22 13:52:27 Nimitz inetd[31722]: execv /usr/sbin/famd: No such file or directory

Looks like dropline gnome strikes again. Dropline stopped working for me, so I did an uninstall, which borked my whole system. I should have just started over at that point, but instead I just used swaret to get X and KDE back. Now I'm regretting that again because fam was a dropline package, and the entry in /etc/inet.d remained after the uninstall.

This isn't what I'd call a production box. Just my home PC. It's protected by an IPCop firewall, so I'm pretty confident no one is getting in, but the missing log files really made me worried.

Thanks for your help.

ringwraith · 12-13-2004, 11:43 AM

That is one of the problems with dropline that bothers me. It is pretty tough to remove it without reformatting.