Slackware This Forum is for the discussion of Slackware Linux.
|
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free. |
|
 |
12-13-2004, 07:58 AM
|
#1
|
|
Member
Registered: Sep 2003
Distribution: Slackware 10.1, Slamd64 10.1, IpCop 1.4
Posts: 125
Rep: 
|
/var/log/messages empty
I noticed this morning that /var/log/messages is empty. The last file is /var/log/messages.3 which was written on Nov 22 at 13:48.
How do I get the logs back?
|
|
|
|
|
12-13-2004, 08:14 AM
|
#2
|
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Rep:
|
Sounds like syslog isn't running, do a "ps ax | grep syslog" and see what comes up. Then, if the syslog daemon isn't there, restart it and see if it comes back.
|
|
|
|
|
12-13-2004, 08:26 AM
|
#3
|
|
Member
Registered: Sep 2003
Distribution: Slackware 10.1, Slamd64 10.1, IpCop 1.4
Posts: 125
Original Poster
Rep:
|
Okay, that was it. Thanks for the help.
Should I be concerned? syslogd isn't something I would stop, but I see no evidence of an intruder entering. Of course, anyone with privilages to stop syslogd could also cover their tracks.
What should I look for?
|
|
|
|
|
12-13-2004, 08:37 AM
|
#4
|
|
Member
Registered: Jun 2001
Location: Up in the clouds
Distribution: Fedora et al.
Posts: 353
Rep:
|
I'm not the best to field this. But do you have tripwire installed? Or some other form of checksum information for the drive? With syslog down, there really is no way to tell. Check your /etc/passwd for any usernames, do a netstat -l for any open ports, run nessus on your box from a remote box, do a dmesg and see if that shows anything. Do you have a firewall on the box? Dmesg will have iptables info. That's just a start, hopefully somebody else can send you in the right direction. One thing, if this is a production box, you should already have a plan or concept of how you will determine an intrusion, maybe now is the time to document your steps and be ready for next time. Good luck!
Mike.
|
|
|
|
|
12-13-2004, 09:26 AM
|
#5
|
|
Member
Registered: Sep 2003
Distribution: Slackware 10.1, Slamd64 10.1, IpCop 1.4
Posts: 125
Original Poster
Rep:
|
Looks like a false alarm. Turns out syslogd crashed when /var/log/syslog reached 2.0 GB. So, no intruder, but I have another mystery. My syslog.3 file is filled with lines like this:
Code:
Nov 22 13:52:27 Nimitz inetd[2163]: /usr/sbin/famd: exit status 0x1
Nov 22 13:52:27 Nimitz inetd[31722]: execv /usr/sbin/famd: No such file or directory
Looks like dropline gnome strikes again. Dropline stopped working for me, so I did an uninstall, which borked my whole system. I should have just started over at that point, but instead I just used swaret to get X and KDE back. Now I'm regretting that again because fam was a dropline package, and the entry in /etc/inet.d remained after the uninstall.
This isn't what I'd call a production box. Just my home PC. It's protected by an IPCop firewall, so I'm pretty confident no one is getting in, but the missing log files really made me worried.
Thanks for your help. |
|
|
|
|
12-13-2004, 11:43 AM
|
#6
|
|
Senior Member
Registered: Sep 2003
Location: Indiana
Distribution: Slackware-current
Posts: 1,244
Rep:
|
That is one of the problems with dropline that bothers me. It is pretty tough to remove it without reformatting.
|
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 06:31 PM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
