Syslog problem

Post by Mark » Fri, 11 Jan 2002 13:41:32



I have an E450 - Solaris 8 running sendmail with Brightmail anti-spam
software front ending our internal mail servers.

A few days ago, the root partition got close to 100% capacity and I deleted
/var/log/syslog (I honestly can't remember if I stopped syslogd first so
let's assume the worst.)  Since that time nothing has been written to
/var/log/syslog.  

I have tried stopping and starting syslog numerous times, I've deleted and
recreated /var/log/syslog several times (644 permissions) and the box has
even been rebooted and still nothing.  I've tried stopping syslogd and
manually starting syslogd by /usr/sbin/syslogd -d with the following output:

/usr/sbin/syslogd -d
getnets() found 1 addresses, they are: 0.0.0.0.2.2
amiloghost() testing 192.168.2.99.2.2
I am loghost
cfline(*.err;kern.notice;auth.notice;local0.none;local1.none    /dev/sysmsg)
cfline(*.err;kern.debug;daemon.notice;mail.crit;local0.none;local1.none    /var/adm/messages)
cfline(*.alert;kern.err;daemon.err;local0.none;local1.none    operator)
cfline(*.alert;local0.none;local1.none    root)
cfline(*.emerg;local0.none;local1.none    *)
cfline(mail.debug       -/var/log/syslog)
cfline(local0.debug    /var/opt/SUNWssp/.ssp_private/machine_server_fifo)
syslogd: /var/opt/SUNWssp/.ssp_private/machine_server_fifo - no reader
cfline(local1.debug    /var/opt/SUNWssp/.ssp_private/machine_server_fifo)
syslogd: /var/opt/SUNWssp/.ssp_private/machine_server_fifo - no reader

  syslogd: version 1.84
  Started: Wed Jan  9 20:06:06 2002
Input message count: system 0, network 0
# Outputs: 8

5 3 3 3 5 3 3 3 3 3 3 3 3 3 3 3 X X 3 3 3 3 3 3 X CONSOLE: /dev/sysmsg
7 3 2 5 3 3 3 3 3 3 3 3 3 3 3 3 X X 3 3 3 3 3 3 X FILE: /var/adm/messages
3 1 1 3 1 1 1 1 1 1 1 1 1 1 1 1 X X 1 1 1 1 1 1 X USERS: operator
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 X X 1 1 1 1 1 1 X USERS: root
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X X 0 0 0 0 0 0 X WALL:
X X 7 X X X X X X X X X X X X X X X X X X X X X X USERS: -/var/log/syslog
X X X X X X X X X X X X X X X X 7 X X X X X X X X UNUSED:
X X X X X X X X X X X X X X X X X 7 X X X X X X X UNUSED:

                Per File Statistics
File                            Tot     Dups    Nofwd   Errs
----                            ---     ----    -----   ----
/dev/sysmsg                     0       0       0       0
/var/adm/messages               0       0       0       0
operator                        0       0       0       0
root                            0       0       0       0
WALL                            0       0       0       0
-/var/log/syslog                0       0       0       0
        0       0       0       0
        0       0       0       0

syslogd: restarted
off & running....
sys_poll blocking, init_cnt=0
Logging to CONSOLE /dev/sysmsg
Logging to USERS
Logging to CONSOLE /dev/sysmsg
Logging to USERS
Logging to CONSOLE /dev/sysmsg
Logging to USERS
Logging to CONSOLE /dev/sysmsg
Logging to USERS
.
.
.

The best I can tell this looks OK(?)  I am getting messages written to
/var/adm/messages so I am at a loss.  Any ideas?

Here is my syslogd.conf file

# cat /etc/syslog.conf
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice;local0.none;local1.none                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit;local0.none;local1.none        /var/adm/messages

*.alert;kern.err;daemon.err;local0.none;local1.none                     operator
*.alert;local0.none;local1.none                                         root

*.emerg;local0.none;local1.none                                         *

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:

mail.debug      -/var/log/syslog

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#

# SUNWsspr start
# SSP logging:
local0.debug            /var/opt/SUNWssp/.ssp_private/machine_server_fifo
# Uncomment to enable SSP netcon session logging:
local1.debug            /var/opt/SUNWssp/.ssp_private/machine_server_fifo
# SUNWsspr end

Thanks in advance for any help.
--
Mark Frank - CCNP, CCDP
Networking Engineer - Network Services LLC
mfrank at networkservices dot net
"The fix is only temporary...unless it works." - Red Green


Post by C. Armou » Fri, 11 Jan 2002 13:55:58



> A few days ago, the root partition got close to 100% capacity and I deleted
> /var/log/syslog (I honestly can't remember if I stopped syslogd first so
> let's assume the worst.)  Since that time nothing has been written to
> /var/log/syslog.

Best thing is just to truncate log files.  Never delete, but anyway...

> I have tried stopping and starting syslog numerous times, I've deleted and
> recreated /var/log/syslog several times (644 permissions) and the box has
> even been rebooted and still nothing.  I've tried stopping syslogd and
> manually starting syslogd by /usr/sbin/syslogd -d with the following output:
> -/var/log/syslog                0       0       0       0

and

> mail.debug      -/var/log/syslog

Is there a reason why the filename is "-/var/log/syslog"?  This is
probably the error.  Remove the '-' and it will work as before!

> "The fix is only temporary...unless it works." - Red Green

Ah, Red... once a GIANT of comedy (until the CBC *ed it up).

cda

--
Rhythm and Colour at Park Mooting.  Peredos Last in the Grand Natural.
Velivision victor.  Dubs newstage oldtime turf-tussle, recalling Winny
Willy Widger.  Two draws.  Heliotrope leads from Harem.  Three ties.
Jockey the Ropper jerks Jake the*.  Paddrock and bookley chat.

And here are the details.

        -- Finnegans Wake


Post by Volker Borcher » Fri, 11 Jan 2002 21:40:53



>> mail.debug      -/var/log/syslog
> Is there a reason why the filename is "-/var/log/syslog"?  This is
> probably the error.  Remove the '-' and it will work as before!

A Linux-ism. IIRC the leading '-' means "don't fsync() after write()".

--
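
The syslogd -d output in the first post lists the entry as "USERS: -/var/log/syslog": Solaris syslogd treats an action as a file only when it begins with '/', so the Linux-style '-' prefix turns the path into a user name and nothing reaches the file. The check below is an added example, not code from the thread or from Sun; the function names and the sample input are assumptions built from the config quoted above, and it does not expand m4 macros.

```shell
#!/bin/sh
# Added example, not from the thread. Flags syslog.conf actions that look like
# paths but that syslogd would parse as a user list (as the -d output shows).

# classify_action ACTION: how the action field is read, going by its first character.
classify_action() {
    case "$1" in
        /*)  echo FILE ;;      # absolute path: file or device
        @*)  echo FORWARD ;;   # @host: forward to another syslogd
        '*') echo WALL ;;      # all logged-in users
        *)   echo USERS ;;     # anything else: comma-separated user names
    esac
}

# lint_syslog_conf: read a syslog.conf on stdin and print one finding per
# entry whose action is parsed as USERS yet contains a '/'.
lint_syslog_conf() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -f                 # keep '*' in selectors/actions from globbing
        set -- $line           # field 1 = selector, field 2 = action
        set +f
        [ "$#" -ge 2 ] || continue
        if [ "$(classify_action "$2")" = USERS ]; then
            case "$2" in
                */*) echo "line $n: $1 -> '$2' is read as a user list, not a file" ;;
            esac
        fi
    done
}

# Constructed sample: entries copied from the syslog.conf quoted in the thread.
sample_conf() {
    cat <<'EOF'
# syslog configuration file.
*.err;kern.notice;auth.notice;local0.none;local1.none /dev/sysmsg
*.alert;kern.err;daemon.err;local0.none;local1.none operator
*.emerg;local0.none;local1.none *
mail.debug -/var/log/syslog
EOF
}

sample_conf | lint_syslog_conf
```

Run it against a real file with `lint_syslog_conf < /etc/syslog.conf`; an empty result means no path-like action is being read as a user list.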




Post by Mark » Sat, 12 Jan 2002 00:37:52



> Best thing is just to truncate log files.  Never delete, but anyway...

Agreed.  I'm a router guy not a seasoned UNIX guy and I panicked.  I'm
scripting a log rotation...now.

>> mail.debug      -/var/log/syslog

> Is there a reason why the filename is "-/var/log/syslog"?  This is
> probably the error.  Remove the '-' and it will work as before!

Removing the '-' worked.  What I don't understand is how this worked in the
first place.  I had never even looked at syslog.conf until I started having
problems.

>> "The fix is only temporary...unless it works." - Red Green

> Ah, Red... once a GIANT of comedy (until the CBC *ed it up).

I'm a newbie with Red Green as well as Solaris.

--
Mark Frank - CCNP, CCDP
Networking Engineer - Network Services LLC
mfrank at networkservices dot net
"The fix is only temporary...unless it works." - Red Green