Increase in clamd failures after manually updating

marjwyatt

Well-Known Member
Jun 23, 2014
48
5
58
cPanel Access Level
Reseller Owner
Since September 15, 2018, there has been an alarming increase in cpanel monitoring emails related to clamd failures. Since 1:08 AM this morning, there have been nearly 60 notifications related to this. It always seems to recover but I'd like to minimize or eliminate these errors.

What information do you need from me to help troubleshoot this?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
Hi @marjwyatt

It does sound like there could be an issue with clamd on your server. Your profile indicates that you're a reseller owner - do you have root access to the server? If not you'll need to contact the provider to address the issue with clamd.

If you do have root access can you please check the following logs for issues related to clamd:
Code:
/usr/local/cpanel/logs/error_log
Code:
/var/cpanel/clam-update.log
Code:
/var/log/messages
Can you also attempt to restart clamd and let me know if you get any errors:
Code:
/scripts/restartsrv_clamd
 

marjwyatt

Here's what I found:
The contents of this file (/usr/local/cpanel/logs/error_log) date all the way back to the incept date of my VPS. In a subset of the log beginning at September 1, 2018, there is nothing related to clamd.

The contents of this file (/var/cpanel/clam-update.log) were actually found at another location (/var/log/clam-update.log). My first question is related to the location ... should it be where you initially suggested or is it okay where it is? Most of what seems notable in this log is a repeated warning about CLAMAV being outdated. I found a how-to link related to updating it manually here:
ClamavNet.

What is strange about this warning regarding outdated CLAMAV is that there have been several notifications dating all the way back to May 2016. I've never had to manually update it before so will this self correct or does it actually require manual intervention?

I never found this file: /var/log/messages, at least not anywhere in /var/log/. Is there something that I need to do to enable messages on my VPS?

I found another article before I posted my inquiry here. Here's the link:
https://documentation.cpanel.net/display/74Docs/Configure+ClamAV+Scanner#59c785fb8e6b40ff909c553292031d32

I have a small VPS with only 2GB of memory and 80GB of disk. In spurious searches, I've noted that there could be memory constraints that are solvable to make ClamAV work peacefully on servers with similarly limited configurations. So, my question to you related the last link I dropped is whether there is something from the cpanel.net documentation that I should implement to avoid capping out memory?

I'd like to wait to hear back from you on what I've posted before I try the restart command which was last on your list. Besides, while I was typing this reply, I noticed that a new version of CENTOS (v74.0.8) was available so I am implementing it now. It is possible that cpanel is rolling out a fix with this upgrade. (fingers crossed)
 

cPanelLauren

Hi @marjwyatt


The contents of this file (/var/cpanel/clam-update.log) were actually found at another location (/var/log/clam-update.log).
That's fine - that's actually the correct location for the log file. When was the last time it was updated per this log? Also what is the error it's indicating in the log? Copy/paste from there should be fine.

I never found this file: /var/log/messages, at least not anywhere in /var/log/. Is there something that I need to do to enable messages on my VPS?
You may need to use journalctl instead - the following should work

Code:
journalctl -xe
or

Code:
journalctl |grep clamd
I have a small VPS with only 2GB of memory and 80GB of disk. In spurious searches, I've noted that there could be memory constraints that are solvable to make ClamAV work peacefully on servers with similarly limited configurations. So, my question to you related the last link I dropped is whether there is something from the cpanel.net documentation that I should implement to avoid capping out memory?
The documentation you're referencing here:
Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation

Goes over the configuration of ClamAV but I believe we'd be able to see through the logs if you were actually experiencing memory issues which is why it'll be important to get the journalctl information

I'd like to wait to hear back from you on what I've posted before I try the restart command which was last on your list. Besides, while I was typing this reply
Primarily I want to see if anything goes awry when you restart - please feel free to do this any time.

Also, let me know if you're still seeing issues after the cPanel update.

Thanks!
 

marjwyatt

That's fine - that's actually the correct location for the log file. When was the last time it was updated per this log? Also what is the error it's indicating in the log? Copy/paste from there should be fine.
It's very hard to tell if the upgrade solved the problem because it appears that there was a failure within an hour of the upgrade that took the nameserver service down with it. (groan)

It's good to know the log is in the correct location. Here is the most recent entry from that log:
Code:
ClamAV update process started at Mon Sep 17 15:17:31 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.100.1
DON'T PANIC! Read ClamavNet
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 24948, sigs: 2090217, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Here are the results of the command you told me to use:
Code:
[email protected] [~]# journalctl |grep clamd
Sep 18 10:46:18 server.example.com systemd[1]: Starting clamd antivirus daemon...
Sep 18 10:47:27 server.example.com systemd[1]: Started clamd antivirus daemon.
Sep 18 11:08:07 server.example.com systemd[1]: clamd.service: main process exited, code=killed, status=9/KILL
Sep 18 11:08:07 server.example.com systemd[1]: Unit clamd.service entered failed state.
Sep 18 11:08:07 server.example.com systemd[1]: clamd.service failed.
This morning, I could not login to my VPS nor collect email. Once I got it rebooted, I downloaded email and found three failure notifications from yesterday evening. Here is the output from those:

spamd notification:
Code:
Raw Output: The subprocess reported error number 69 when it ended.
(XID jzn59x) The service “spamd” failed to send the expected response to host “127.0.0.1” and port “783” because of an error: The service did not pass the built-in GTUBE test.

The subprocess “/usr/local/cpanel/scripts/restartsrv_spamd” reported error number 69 when it ended.

Sep 17 16:51:13 server.example.com spamd[718]: prefork: child states: I
Sep 17 16:51:13 server.example.com spamd[718]: spamd: handled cleanup of child pid [858] due to SIGCHLD: KILLED, signal 9 (0009)
Sep 17 16:51:13 server.example.com spamd[718]: spamd: server successfully spawned child process, pid 5130
Sep 17 16:51:14 server.example.com spamd[718]: prefork: child states: I
Sep 17 16:51:15 server.example.com spamd[718]: prefork: child states: I
Sep 17 16:51:15 server.example.com spamd[718]: spamd: handled cleanup of child pid [5130] due to SIGCHLD: KILLED, signal 9 (0009)
Sep 17 16:51:15 server.example.com spamd[718]: spamd: server successfully spawned child process, pid 5138
Sep 17 16:51:15 server.example.com systemd[1]: spamd.service: main process exited, code=killed, status=9/KILL
Sep 17 16:51:15 server.example.com systemd[1]: Unit spamd.service entered failed state.
Sep 17 16:51:15 server.example.com systemd[1]: spamd.service failed.

The system could not provide log messages for “spamd” because it failed to read all of the potential log files with the following errors: Error while attempting to open “/var/log/maillog”: “No such file or directory”, Error while attempting to open “/var/log/messages”: “No such file or directory”, Error while attempting to open “/var/log/secure”: “No such file or directory”
Memory Information
Used: 935 MB
Available: 1.72 GB
Installed: 2 GB

Load Information
16.18 5.xxx.xx
======================================
nameserver failure (and, of course, this is why I couldn't login to WHM until I rebooted it from customer portal)
Service Check Raw Output

Code:
(XID rg4bza) The “named” service is down.

The subprocess “/usr/local/cpanel/scripts/restartsrv_named” reported error number 255 when it ended.

Startup Log

Sep 17 16:51:15 server.example.com sh[5136]: -q, --queue use sigqueue(2) rather than kill(2)
Sep 17 16:51:15 server.example.com sh[5136]: -p, --pid print pids without signaling them
Sep 17 16:51:15 server.example.com sh[5136]: -l, --list [=] list signal names, or convert one to a name
Sep 17 16:51:15 server.example.com sh[5136]: -L, --table list signal names and numbers
Sep 17 16:51:15 server.example.com sh[5136]: -h, --help display this help and exit
Sep 17 16:51:15 server.example.com sh[5136]: -V, --version output version information and exit
Sep 17 16:51:15 server.example.com sh[5136]: For more details see kill(1).
Sep 17 16:51:15 server.example.com systemd[1]: named.service: control process exited, code=exited status=1
Sep 17 16:51:15 server.example.com systemd[1]: Unit named.service entered failed state.
Sep 17 16:51:15 server.example.com systemd[1]: named.service failed.

Log Messages
The system could not provide log messages for “named” because it failed to read all of the potential log files with the following errors: Error while attempting to open “/var/log/maillog”: “No such file or directory”, Error while attempting to open “/var/log/messages”: “No such file or directory”, Error while attempting to open “/var/log/secure”: “No such file or directory”

Memory Information
Used: 935 MB
Available: 1.72 GB
Installed: 2 GB

Load Information
16.18 5.58 2.47
========================================

Last, but not least, is the clamd failure notification:

(XID rqgk58) The “clamd” service is down.

The subprocess “/usr/local/cpanel/scripts/restartsrv_clamd” reported error number 255 when it ended.

Sep 17 15:31:05 server.example.com systemd[1]: Starting clamd antivirus daemon...
Sep 17 15:31:22 server.example.com systemd[1]: Started clamd antivirus daemon.
Sep 17 16:51:07 server.example.com systemd[1]: clamd.service: main process exited, code=killed, status=9/KILL
Sep 17 16:51:07 server.example.com systemd[1]: Unit clamd.service entered failed state.
Sep 17 16:51:07 server.example.com systemd[1]: clamd.service failed.

The system could not provide log messages for “clamd” because it failed to read all of the potential log files with the following errors: Error while attempting to open “/var/log/secure”: “No such file or directory”, Error while attempting to open “/var/log/messages”: “No such file or directory”, Error while attempting to open “/var/log/maillog”: “No such file or directory”

Used: 1.31 GB
Available: 1.23 GB
Installed: 2 GB

12.89 5.xxx.xxx
=============================
I'm sorry to possibly overwhelm you with all of this information. Maybe you can find a clue in it and point me toward the direction of a solution.
 
Last edited by a moderator:
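An added example, not part of any post in this thread: the journal excerpts quoted above show clamd.service and spamd.service both ending with status=9/KILL within seconds of each other, and this script pulls such events out of journalctl text and flags bursts that hit more than one unit. The sample lines are constructed from the excerpts in the thread; the function names and the 60-second window are assumptions.

```bash
#!/usr/bin/env bash
# Added example: summarise systemd units whose main process was ended by
# SIGKILL, reading default-format `journalctl` text on stdin.

# Constructed sample, shaped after the journal lines quoted in the thread.
SAMPLE_JOURNAL='Sep 17 15:31:05 server.example.com systemd[1]: Starting clamd antivirus daemon...
Sep 17 15:31:22 server.example.com systemd[1]: Started clamd antivirus daemon.
Sep 17 16:51:07 server.example.com systemd[1]: clamd.service: main process exited, code=killed, status=9/KILL
Sep 17 16:51:07 server.example.com systemd[1]: Unit clamd.service entered failed state.
Sep 17 16:51:15 server.example.com systemd[1]: spamd.service: main process exited, code=killed, status=9/KILL
Sep 17 16:51:15 server.example.com systemd[1]: named.service: control process exited, code=exited status=1
Sep 18 10:46:18 server.example.com systemd[1]: Starting clamd antivirus daemon...
Sep 18 11:08:07 server.example.com systemd[1]: clamd.service: main process exited, code=killed, status=9/KILL'

# sigkill_events: print "<unit> <month> <day> <time>" for each SIGKILLed unit.
sigkill_events() {
    awk '
        /systemd\[[0-9]+\]: [^ ]+\.service: main process exited, code=killed, status=9\/KILL/ {
            unit = $6
            sub(/:$/, "", unit)          # "clamd.service:" -> "clamd.service"
            print unit, $1, $2, $3
        }'
}

# sigkill_summary: print "<unit> <count> <last seen>" per unit, sorted by unit.
sigkill_summary() {
    sigkill_events | awk '
        { count[$1]++; last[$1] = $2 " " $3 " " $4 }
        END { for (u in count) print u, count[u], last[u] }' | sort
}

# kill_bursts [WINDOW]: print "<start> <n> <units>" for every run of kills in
# which 2 or more different units died with gaps of at most WINDOW seconds.
# Input is assumed to be in chronological order, as journalctl prints it.
kill_bursts() {
    window="${1:-60}"
    sigkill_events | awk -v window="$window" '
        function flush() { if (n >= 2) print start, n, units }
        {
            split($4, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            day = $2 " " $3
            # A new day or a gap longer than the window starts a new burst.
            if (NR == 1 || day != prev_day || secs - prev_secs > window) {
                flush()
                start = day " " $4
                n = 0
                units = ""
                split("", seen)          # portable way to clear the array
            }
            if (!($1 in seen)) {
                seen[$1] = 1
                n++
                units = units (units == "" ? "" : ",") $1
            }
            prev_day = day
            prev_secs = secs
        }
        END { flush() }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_JOURNAL" | sigkill_summary
printf '%s\n' "$SAMPLE_JOURNAL" | kill_bursts 60
```

On a live server the same functions can read `journalctl --no-pager` instead of the sample. A burst that spans unrelated units points at something host-wide rather than at one daemon.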

cPanelLauren

Hi @marjwyatt

I see a couple of potential concerns based on all that.

1. Your memory concerns may not be far off. Can you run the following and let me know the output:
Code:
free -m
Code:
sar -r
2. Several log files seem to be missing. Here they are as they're present on my server:

Code:
[[email protected] ~]# stat /var/log/secure
  File: ‘/var/log/secure’
  Size: 2645150       Blocks: 5176       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 396123      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-18 13:49:30.082966484 -0500
Modify: 2018-09-18 13:55:06.079103917 -0500
Change: 2018-09-18 13:55:06.079103917 -0500
 Birth: -
[[email protected] ~]# stat /var/log/maillog
  File: ‘/var/log/maillog’
  Size: 1439205       Blocks: 2824       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 395993      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-18 13:55:55.347123864 -0500
Modify: 2018-09-18 13:55:54.968123711 -0500
Change: 2018-09-18 13:55:54.968123711 -0500
 Birth: -
[[email protected] ~]# stat /var/log/messages
  File: ‘/var/log/messages’
  Size: 1629579       Blocks: 3192       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 396075      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-18 13:54:31.859090031 -0500
Modify: 2018-09-18 13:55:01.147101916 -0500
Change: 2018-09-18 13:55:01.147101916 -0500
 Birth: -
How long has the server been up? Did you manually remove these log files potentially in an attempt to clear space?
 

marjwyatt

Here are the results of the commands you requested me to run:
Code:
Using username "root".
[email protected]'s password:
Last login: Tue Sep 18 11:09:05 2018 from ip98-176-224-175.sd.sd.cox.net

[email protected] [~]# free -m
              total        used        free      shared  buff/cache   available
Mem:           2048         554        1217           9         275        1336
Swap:           512         402         109
[email protected] [~]# sar -r
Linux 2.6.32-042stab120.19 (server.example.com)       09/18/18       _x86_64_ (24 CPU)

10:46:11          LINUX RESTART

10:50:01    kbmemfree kbmemused  %memused kbbuffers  kbcached  kbcommit   %commit  kbactive   kbinact   kbdirty
11:00:01       950412   1146740     54.68         0    495504         0      0.00    308484    777848       188
11:10:01      1866364    230788     11.00         0     35172         0      0.00    140528     34268        28
11:20:01      1117052    980100     46.73         0    197120         0      0.00    666524    255060        28
11:30:01      1213132    884020     42.15         0    197156         0      0.00    481148    344664        84
11:40:01      1160012    937140     44.69         0    228888         0      0.00    526720    353896       104
11:50:01      1154620    942532     44.94         0    242728         0      0.00    447488    436092       100
12:00:01      1136396    960756     45.81         0    270124         0      0.00    454892    447272        24
Average:      1228284    868868     41.43         0    238099         0      0.00    432255    378443        79
[email protected] [~]#
==================
I procured the VPS service on May 19, 2016. I did not intentionally delete logging but disk space conservation is a concern of mine so, if you are kind enough to direct me in how to implement logs, I do hope you'll include information about how to limit their growth.

I'll check back soon to see what your reply is. :)
 

marjwyatt

Oh. I forgot to add that clamd failed and recovered again during the cycle since my response. Here are the email notifications.
Code:
Failure:
(XID eewmh3) The “clamd” service is down.

The subprocess “/usr/local/cpanel/scripts/restartsrv_clamd” reported error number 255 when it ended.

Sep 18 10:46:18 server.example.com systemd[1]: Starting clamd antivirus daemon...
Sep 18 10:47:27 server.example.com systemd[1]: Started clamd antivirus daemon.
Sep 18 11:08:07 server.example.com systemd[1]: clamd.service: main process exited, code=killed, status=9/KILL
Sep 18 11:08:07 server.example.com systemd[1]: Unit clamd.service entered failed state.
Sep 18 11:08:07 server.example.com systemd[1]: clamd.service failed.

The system could not provide log messages for “clamd” because it failed to read all of the potential log files with the following errors: Error while attempting to open “/var/log/maillog”: “No such file or directory”, Error while attempting to open “/var/log/secure”: “No such file or directory”, Error while attempting to open “/var/log/messages”: “No such file or directory”

Used: 1.5 GB
Available: 1.26 GB
Installed: 2 GB

0.41 2.03 1.57

Recovery:
The 'clamd' service passed the check: clamd (/usr/local/cpanel/3rdparty/bin/clamd) is running as root with PID 3544 (systemd+/proc check method).

Sep 18 11:12:40 server.example.com systemd[1]: Starting clamd antivirus daemon...
Sep 18 11:12:53 server.example.com systemd[1]: Started clamd antivirus daemon.

The system could not provide log messages for “clamd” because it failed to read all of the potential log files with the following errors: Error while attempting to open “/var/log/messages”: “No such file or directory”, Error while attempting to open “/var/log/secure”: “No such file or directory”, Error while attempting to open “/var/log/maillog”: “No such file or directory”

Used: 1.54 GB
Available: 1.25 GB
Installed: 2 GB

0.25 1.92 1.80
 

cPanelLauren

Hi @marjwyatt

The logs need to be recreated - several services will continue to fail without them. As far as ensuring they don't get too large, the following resources are available:

cPanel Log Rotation:
cPanel Log Rotation Configuration - Version 74 Documentation - cPanel Documentation

This can be configured to rotate several logs specific to cPanel

Log Rotate
logrotate(8) - Linux man page
logrotate is a powerful tool built into your OS that will rotate logs at intervals of your choosing. This can handle all logs but primarily can be used for logs not included with cPanel's log rotation.

HowTo: The Ultimate Logrotate Command Tutorial with 10 Examples
Setting Up Logrotate on RedHat Linux - LinuxConfig.org
 

marjwyatt

Thanks for the links that will help me maintain log growth.

You made this statement:
The logs need to be recreated
I imagine you're referring to the logs you noted as missing:
stat /var/log/secure
stat /var/log/maillog
stat /var/log/messages
I can't imagine myself intentionally deleting these log files. I'm not fluent with the command line interface. I'm not sure the logs were setup at the time the VPS was provisioned by my hosting company.

The only reference that I could find to enabling logging on WHM was this:
Tweak Settings - Logging - Version 74 Documentation - cPanel Documentation

That documentation does not appear to create the above missing log files. I used the touch command with no options to create empty files as listed above. Was that the proper way to recreate them?

I guess that I need to await another cPanel monitoring to send another email warning to see if that part of the notification message goes away. Did you have any further suggestions regarding memory usage being a concern?
 

marjwyatt

As a post script to my most recent reply, it appears that CentOS 7.1 didn't use the missing log files and, since that is what I requested when I had the VPS provisioned, that would explain why those log files were absent. I got that information from a reply to an inquiry on another forum:
lowendtalk.com/discussion/comment/1341701/#Comment_1341701
 

cPanelLauren

Hi @marjwyatt

Yes the three logs that I noted earlier in the stat are the ones that need to be recreated. It's possible they weren't there at setup but very odd - you might want to check with your provider and find out if this was something they did to ensure that it doesn't occur again.

In terms of your memory usage, I apologize for not addressing that but based on what you showed me with the sar command your usage in this respect is really not bad at all. I don't believe you're ever running out of memory, in fact I believe the issue with the services failing is directly related to the logs missing.

That documentation does not appear to create the above missing log files. I used the touch command with no options to create empty files as listed above. Was that the proper way to recreate them?
It might work, though these should be created automatically - most likely what is occurring is something is holding them open. If you run the following what is the output?

Code:
 lsof | grep '/var/log/secure'
 lsof | grep '/var/log/messages'
 lsof | grep '/var/log/maillog'

As a post script to my most recent reply, it appears that CentOS 7.1 didn't use the missing log files and, since that is what I requested when I had the VPS provisioned, that would explain why those log files were absent. I got that information from a reply to an inquiry on another forum:
CPanel Issue

The only one I've seen not be used all the time is messages because of systemd's journal. My server running CentOS 7.5 has these log files present as I indicated earlier.

Code:
[[email protected] log]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[[email protected] log]# stat /var/log/messages /var/log/maillog /var/log/secure
  File: ‘/var/log/messages’
  Size: 2329146       Blocks: 4560       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 396075      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-19 11:08:45.540057341 -0500
Modify: 2018-09-19 11:10:01.964107076 -0500
Change: 2018-09-19 11:10:01.964107076 -0500
 Birth: -
  File: ‘/var/log/maillog’
  Size: 2013569       Blocks: 3944       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 395993      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-19 11:10:51.112138930 -0500
Modify: 2018-09-19 11:10:50.472138516 -0500
Change: 2018-09-19 11:10:50.472138516 -0500
 Birth: -
  File: ‘/var/log/secure’
  Size: 2914592       Blocks: 5704       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 396123      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-19 10:48:41.365298189 -0500
Modify: 2018-09-19 10:44:49.160151587 -0500
Change: 2018-09-19 10:44:49.160151587 -0500
 Birth: -
 

marjwyatt

We are running the same version of CentOS. Oh well, I probably deleted them but I honestly don't remember doing that.

There was a point in time when backup transfers to S3 were failing and the disk was filling up. Amazingly, my hosting company realized they had not been granting me all the disk space I signed up for when I originally requested the service so, after fixing what changed on their end to enable transfer of backups to S3 again, they moved my VPS to another server so I could get all the disk I'd been paying for. (lol)

I checked out Tweak Settings. At this time, I don't have any logging enabled that are options on that settings page. It also appears that those are defaults. Would you recommend enabling any of those logs?

The output from the lsof commands was nothing.

I looked into systemd journal and ran a couple of other commands that I found on this link:
systemd-journald.service(8) - Linux manual page

Here are the results:
Code:
[email protected] [~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[email protected] [~]# stat /var/log/messages /var/log/maillog /var/log/secure
File: '/var/log/messages'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: d0h/208d Inode: 37765784 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-09-19 09:02:06.005057932 -0700
Modify: 2018-09-19 08:38:10.720958008 -0700
Change: 2018-09-19 08:38:10.720958008 -0700
Birth: -
File: '/var/log/maillog'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: d0h/208d Inode: 37762735 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-09-19 09:02:06.005057932 -0700
Modify: 2018-09-19 08:38:01.224036439 -0700
Change: 2018-09-19 08:38:01.224036439 -0700
Birth: -
File: '/var/log/secure'
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: d0h/208d Inode: 37762731 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-09-19 09:02:06.005057932 -0700
Modify: 2018-09-19 08:37:36.176243329 -0700
Change: 2018-09-19 08:37:36.176243329 -0700
Birth: -
[email protected] [~]# lsof | grep '/var/log/secure'
[email protected] [~]# lsof | grep '/var/log/messages'
[email protected] [~]# lsof | grep '/var/log/maillog'
[email protected] [~]# systemd-journald.service
-bash: systemd-journald.service: command not found
[email protected] [~]# systemd-jourland.socket
-bash: systemd-jourland.socket: command not found
[email protected] [~]#
So, maybe I need to do something else to enable systemd journal?

P.S. I have to say that you've been very responsive and helpful, @cPanelLauren. I truly have appreciated your patience and guidance on this issue.
 


cPanelLauren

Oh well, I probably deleted them but I honestly don't remember doing that.
I don't know either, it's possible that your hosting provider gave you a server without them present - I've seen stranger things happen.

Based on the commands you ran nothing is holding them open. Can you try restarting rsyslog? I'm curious if this will spawn the files once necessary to write to them - reference: rsyslog not logging

P.S. I have to say that you've been very responsive and helpful, @cPanelLauren. I truly have appreciated your patience and guidance on this issue.
You're welcome! I'm just hoping we can get to the bottom of it! :)
Thanks!
 

marjwyatt

I'm back again with another issue, I guess. Here's the output from my latest putty session:
Code:
Using username "root".
[email protected]'s password:
Last login: Wed Sep 19 09:30:24 2018 from ip98-176-224-175.sd.sd.cox.net

[email protected] [~]# logger -s "hi"
root: hi
[email protected] [~]# sudo rsyslogd -N6 | head -10
sudo: rsyslogd: command not found
[email protected] [~]# rsyslogd -version
-bash: rsyslogd: command not found
[email protected] [~]# status rsyslog.service
-bash: status: command not found
[email protected] [~]# systemctl start rsyslog.service
Failed to start rsyslog.service: Unit not found.
[email protected] [~]#
I guess that indicates that rsyslogd is not running or even installed on my VPS. I found what appears to be a helpful link for installing it but I wanted to run this tutorial past you before I embark on this mission. Here's the link:
tecmint.com/create-centralized-log-server-with-rsyslog-in-centos-7/
 

cPanelLauren

Hi @marjwyatt

It sounds like it's not installed. What is the output of:

Code:
rpm -qa |grep rsyslog
If you get no output I would suggest installing it:
Code:
yum install rsyslog
I wouldn't follow the steps in that article unless you want a centralized log server - that's for folks that have multiple servers and just want logs on one.

Once it's installed if you create the files with the same permissions/ownership as the ones I noted then restart syslog does it begin logging?

Thanks!
 

marjwyatt

Okay. I installed it. Here's the output from putty:
Code:
Using username "root".
[email protected]'s password:
Last login: Wed Sep 19 11:10:11 2018 from ip98-176-224-175.sd.sd.cox.net

[email protected] [~]# rpm -qa rsyslog
[email protected] [~]# yum install rsyslog
Loaded plugins: fastestmirror, universal-hooks
Determining fastest mirrors
* EA4: 216.14.113.158
* cpanel-addons-production-feed: 216.14.113.158
* base: repo.us.bigstepcloud.com
* extras: mirrors.mit.edu
* updates: ftp.osuosl.org
EA4 | 2.9 kB 00:00
cpanel-addons-production-feed | 2.9 kB 00:00
base | 3.6 kB 00:00
cpanel-plugins | 2.9 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
EA4/7/x86_64/primary_db | 890 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package rsyslog.x86_64 0:8.24.0-16.el7_5.4 will be installed
--> Processing Dependency: libestr >= 0.1.9 for package: rsyslog-8.24.0-16.el7_5.4.x86_64
--> Processing Dependency: libfastjson.so.4()(64bit) for package: rsyslog-8.24.0-16.el7_5.4.x86_64
--> Processing Dependency: libestr.so.0()(64bit) for package: rsyslog-8.24.0-16.el7_5.4.x86_64
--> Running transaction check
---> Package libestr.x86_64 0:0.1.9-2.el7 will be installed
---> Package libfastjson.x86_64 0:0.99.4-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
rsyslog x86_64 8.24.0-16.el7_5.4 updates 607 k
Installing for dependencies:
libestr x86_64 0.1.9-2.el7 base 20 k
libfastjson x86_64 0.99.4-2.el7 base 27 k

Transaction Summary
================================================================================
Install 1 Package (+2 Dependent packages)

Total size: 654 k
Total download size: 634 k
Installed size: 2.0 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): libfastjson-0.99.4-2.el7.x86_64.rpm | 27 kB 00:00
(2/2): rsyslog-8.24.0-16.el7_5.4.x86_64.rpm | 607 kB 00:00
--------------------------------------------------------------------------------
Total 1.6 MB/s | 634 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : libestr-0.1.9-2.el7.x86_64 1/3
Installing : libfastjson-0.99.4-2.el7.x86_64 2/3
Installing : rsyslog-8.24.0-16.el7_5.4.x86_64 3/3
Verifying : libfastjson-0.99.4-2.el7.x86_64 1/3
Verifying : libestr-0.1.9-2.el7.x86_64 2/3
Verifying : rsyslog-8.24.0-16.el7_5.4.x86_64 3/3

Installed:
rsyslog.x86_64 0:8.24.0-16.el7_5.4

Dependency Installed:
libestr.x86_64 0:0.1.9-2.el7 libfastjson.x86_64 0:0.99.4-2.el7

Complete!
[email protected] [~]# rpm -qa | grep rsyslog
rsyslog-8.24.0-16.el7_5.4.x86_64
[email protected] [~]#
Do I need to do any further configuration?
 

cPanelLauren

Hi @marjwyatt


I don't believe so - the defaults should be enough. If you create the files with the same permissions/ownership as the ones I noted then restart syslog does it begin logging?
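An added example, not part of any post in this thread: the stat output posted by staff shows the three log files as mode 0600 owned by root:root, while the files created with touch came out 0644, which leaves /var/log/secure readable by every local user. This script audits a log directory against that 0600 reference and creates or tightens the files; the function names are assumptions and GNU stat is assumed.

```bash
#!/usr/bin/env bash
# Added example: bring messages, maillog and secure in line with the
# reference stat output from the thread (mode 0600, owner root:root).
WANT_MODE=600
SYSLOG_FILES="messages maillog secure"

# audit_syslog_files [DIR]: print one line per file that is missing or whose
# mode differs from WANT_MODE; prints nothing when everything matches.
audit_syslog_files() {
    dir="${1:-/var/log}"
    for name in $SYSLOG_FILES; do
        f="$dir/$name"
        if [ ! -e "$f" ]; then
            echo "$f missing"
        else
            mode="$(stat -c '%a' "$f")"      # GNU stat, as on CentOS 7
            if [ "$mode" != "$WANT_MODE" ]; then
                echo "$f mode $mode"
            fi
        fi
    done
}

# ensure_syslog_files [DIR]: create absent files and tighten existing ones.
ensure_syslog_files() {
    dir="${1:-/var/log}"
    for name in $SYSLOG_FILES; do
        f="$dir/$name"
        # Refuse to write through a symlink sitting in the log directory.
        if [ -L "$f" ]; then
            echo "refusing symlink: $f" >&2
            return 1
        fi
        if [ ! -e "$f" ]; then
            ( umask 077; : > "$f" )          # created 0600 from the start
        fi
        chmod "$WANT_MODE" "$f"
        if [ "$(id -u)" -eq 0 ]; then        # chown needs root
            chown root:root "$f"
        fi
    done
}
```

On the server, run `ensure_syslog_files /var/log` as root, then `systemctl restart rsyslog` and send a test line with `logger`. `audit_syslog_files /var/log` should print nothing afterwards.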
 

marjwyatt

if you create the files with the same permissions/ownership as the ones I noted then restart syslog does it begin logging?
I'm not sure what you're referring to when you reference same permissions/ownership. I can't find your response where you specifically noted creating the files with particular permissions/ownership. I created the files using the touch command and, as of this writing, it is a regular empty file.

Code:
Using username "root".
[email protected]'s password:
Last login: Wed Sep 19 12:02:18 2018 from ip98-176-224-175.sd.sd.cox.net

[email protected] [~]# stat /var/log/messages /var/log/maillog /var/log/secure
  File: '/var/log/messages'
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: d0h/208d        Inode: 37765784    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-19 09:02:06.005057932 -0700
Modify: 2018-09-19 08:38:10.720958008 -0700
Change: 2018-09-19 08:38:10.720958008 -0700
 Birth: -
  File: '/var/log/maillog'
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: d0h/208d        Inode: 37762735    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-19 09:02:06.005057932 -0700
Modify: 2018-09-19 08:38:01.224036439 -0700
Change: 2018-09-19 08:38:01.224036439 -0700
 Birth: -
  File: '/var/log/secure'
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: d0h/208d        Inode: 37762731    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-19 09:02:06.005057932 -0700
Modify: 2018-09-19 08:37:36.176243329 -0700
Change: 2018-09-19 08:37:36.176243329 -0700
 Birth: -
[email protected] [~]#
 

luigidelgado

Well-Known Member
Nov 6, 2010
119
5
68
Mexico
cPanel Access Level
Root Administrator
Since September 15, 2018, there has been an alarming increase in cpanel monitoring emails related to clamd failures. Since 1:08 AM this morning, there have been nearly 60 notifications related to this. It always seems to recover but I'd like to minimize or eliminate these errors.

What information do you need from me to help troubleshoot this?
Hello,
We are experiencing the same thing. We have been having sporadic issues with clamAV in about 3 servers from around 17. Looks like a service (don't know which one but looks like named) is taking more memory than expected.