lfd on example.com SYSLOG Check Failed - Problem with logging.

peterk · Feb 27, 2023

Hello,

For the past few days I have been receiving emails with the following message:

Time: Sat Feb 25 20:17:35 2023 +0100

Error: Failed to detect code [Uzu5u0Wiuq8DgDhIZ0MP7H9xUNYs] in SYSLOG_LOG [var/log/messages]



SYSLOG may not be running correctly on server.example.com

The issue is strange because I have not done anything with the server recently.
I also noticed that the logger also does not save information in var/log/messages

When I perform the test nothing is saved in the log.

[[email protected] log]# logger -p auth.notice "test-log"

[[email protected] log]# grep "test-log" var/log/messages

[[email protected] log]#

I have tried several ways from the forum to solve the problem but nothing works.

cPRex · Feb 27, 2023

Hey there! This could be an issue with rsyslog, as outlined here:

Loading…

support.cpanel.net

It looks like you've performed the first test in that article already, so can you try the stat portion to see if that helps?

peterk · Feb 27, 2023

Hello,

I tried this solution but unfortunately it does not work.
It looks like rsyslog is working but not saving any information.

The system is a new installation from two weeks ago, I did not make any changes to etc/rsyslog.conf or etc/systemd/journald.conf
All settings are default.

peterk · Feb 28, 2023

Hello,

I found the solution to my problem - maybe it will be useful to someone.
The problem was caused by the journal system, its files were corrupted, below is how I fixed it.

I verified the files by:
journalctl --verify

This is where the errors occurred.

Next rotate files:
journalctl --rotate

Then I delete the old entries:
journalctl --vacuum-time=1s

I then delete all files from the directory:
var/log/journal

Then delete the file:
var/lib/rsyslog/imjournal.state

(This file stores the rsyslog state for journal file reading)
The files will be restored after restarting the services.

Now you just need to restart the services:

systemctl restart systemd-journald.socket

systemctl restart systemd-journald

systemctl restart rsyslog

And everything is back to normal.

cPRex · Feb 28, 2023

I'm glad you were able to come up with a good workaround!

Thread starter	Similar threads	Forum	Replies	Date
	lfd - Suspicious process running under user nobody	Security	5	Oct 27, 2022
	LFD - Suspicious process running under user postgres	Security	7	May 30, 2022
J	lfd on server.com: Suspicious process running under user username	Security	6	May 2, 2022
M	Very high CPU loads from brute force attempts - CSF/LFD	Security	14	Apr 26, 2022
T	LFD log line	Security	1	Jan 17, 2022

Search

Search

lfd on example.com SYSLOG Check Failed - Problem with logging.

peterk

Member

cPRex

Jurassic Moderator

Loading…

peterk

Member

peterk

Member

cPRex

Jurassic Moderator