mtbwacko

I noticed my LogWatch emails started having most of their information missing. I then checked the logs in /var/log and see that many of them have been at 0 bytes for quite some time, specifically the following logs. I am running WHM 10.8.0 cPanel 10.9.0-R34 on CentOS 4.4 i686.

acpid
bfd_log
boot.log
chkservd.log
cron
exim_paniclog
maillog
messages
secure
spooler
xferlog
yum.log

Any ideas what to check as to why this is happening??

Thanks,
Dana
 

nyjimbo

Before you do anything, write down the dates and times of those logs, especially if they appear to be all around the same time frame. Might help you later if you go hunting for wumpus in your system. Hackers often blow out your logs when they get in, and unless syslogd is restarted you might not see any new data stored in them.
 

mtbwacko

Thanks, restarting it seemed to fix the issue. I'm also going to run a root kit check to be safe.
 

eth00

Check the /var/log/logfile.1 and you will probably find it logging there.

This issue with non-logging is generally a known problem with syslog and noexec /tmp.
 

mediast

Tried searching Google for this in vain...

I have 2 cPanel servers that are not logging to /var/log/messages or /var/log/secure ... I have tried restarting syslog to no avail. Only a reboot corrects this issue, but (mysteriously) logging stops at some point (I only realize this when I need to check the log files and I find that they're all empty again).

Data is not being logged to /var/log/logfile.1

OS is RHEL

Update... I followed up on the syslog and noexec /tmp tip, and it looks like that might do the trick (I originally figured it was a long shot because I have several other RHEL servers that do not have the logging issue).

Also -- A full syslog stop/start seems to temporarily correct the issue (instead of a restart).

Nick
 

krava

check:

/etc/syslog.conf

and make sure your syslog is configured to log to the files:
/var/log/messages
/var/log/secure

and don't forget about chkrootkit, rkhunter.
 

mediast

FYI:

It *seems* that the fix is (borrowed from this page)...:

service syslog stop
service syslog start

mkdir /root/tmp; chmod 1777 /root/tmp

vi /etc/cron.daily/logrotate

Add the following line:

export TMPDIR=/root/tmp

Your file should now look like this:

Code:
#!/bin/sh

export TMPDIR=/root/tmp

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
Save and exit...

Red Hat claims that this bug is fixed in updated versions of logrotate, but I'm running the most current version and it's not... (?). I fully expect updates to overwrite my changes, so I'm posting this for my information just as much as yours!

Nick
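
A read-only triage script for the symptoms discussed in this thread, added here as an example and not taken from any poster: it records the timestamps of the empty logs, flags logs whose rotated `.1` copy is still being written, and warns when /tmp is mounted noexec while the logrotate cron script sets no TMPDIR. The function names and argument layout are assumptions, and it expects GNU date and find.

```shell
#!/bin/sh
# Added example: read-only triage for the "0-byte logs" symptom in this thread.
# Assumes GNU date/find (as on CentOS/RHEL); all function names are illustrative.

# Print "mtime  path" for each empty regular file directly under log dir $1,
# so the times are on record before syslog is restarted.
zero_byte_logs() {
    find "$1" -maxdepth 1 -type f -size 0 | sort | while read -r f; do
        printf '%s  %s\n' "$(date -r "$f" '+%Y-%m-%d %H:%M:%S')" "$f"
    done
}

# Print each empty log whose rotated copy NAME.1 is non-empty and newer:
# syslogd is still writing to the renamed file (the "logfile.1" hint).
writing_to_rotated() {
    find "$1" -maxdepth 1 -type f -size 0 | sort | while read -r f; do
        if [ -s "$f.1" ] && [ "$f.1" -nt "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Succeed if mount table $1 (/proc/mounts format) shows /tmp mounted noexec.
tmp_is_noexec() {
    awk '$2 == "/tmp" { n = split($4, o, ",")
                        for (i = 1; i <= n; i++) if (o[i] == "noexec") hit = 1 }
         END { exit (hit ? 0 : 1) }' "$1"
}

# Succeed if cron script $1 exports TMPDIR (the workaround posted above).
has_tmpdir_override() {
    grep -Eq '^[[:space:]]*export[[:space:]]+TMPDIR=' "$1"
}

# usage: triage LOGDIR MOUNTS CRONSCRIPT
triage() {
    echo "== empty logs and their timestamps =="
    zero_byte_logs "$1"
    echo "== empty logs whose .1 copy is still being written =="
    writing_to_rotated "$1"
    if tmp_is_noexec "$2" && ! has_tmpdir_override "$3"; then
        echo "WARN: /tmp is noexec and $3 does not set TMPDIR"
    fi
}

# Run only when arguments are given, e.g.:
#   sh triage.sh /var/log /proc/mounts /etc/cron.daily/logrotate
[ "$#" -eq 0 ] || triage "$@"
```

Save the first section of output somewhere off the box before restarting syslog, since the restart changes the evidence the script is reading.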
 