The Community Forums


Server Log Files 0 Bytes

Discussion in 'General Discussion' started by mtbwacko, Nov 7, 2006.

  1. mtbwacko

    mtbwacko Well-Known Member

    I noticed my LogWatch emails started having most of its information missing. I then checked the logs in /var/log and see that many of them have been at 0 bytes for quite some time, specifically the following logs. I am running WHM 10.8.0 cPanel 10.9.0-R34 on CentOS 4.4 i686.

    acpid
    bfd_log
    boot.log
    chkservd.log
    cron
    exim_paniclog
    maillog
    messages
    secure
    spooler
    xferlog
    yum.log

    Any ideas what to check as to why this is happening??

    Thanks,
    Dana
     
  2. krava

    krava Well-Known Member

  3. nyjimbo

    nyjimbo Well-Known Member

    Before you do anything write down the date and times of those logs, especially if they appear to be all around the same time frame. Might help you later if you go hunting for wumpus in your system. Hackers often blow out your logs when they get in and unless syslogd is restarted you might not see any new data stored in them.
     
  4. mtbwacko

    mtbwacko Well-Known Member

    Thanks, restarting it seemed to fix the issue. I'm also going to run a rootkit check to be safe.
     
  5. eth00

    eth00 Well-Known Member
    PartnerNOC

    Check the /var/log/logfile.1 and you will probably find it logging there.

    This issue with non-logging is generally a known problem with syslog and noexec /tmp
     
  6. mediast

    mediast Member

    Tried searching Google for this in vain...

    I have 2 cPanel servers that are not logging to /var/log/messages or /var/log/secure ... I have tried restarting syslog to no avail. Only a reboot corrects this issue, but (mysteriously) logging stops at some point (I only realize this when I need to check the log files and I find that they're all empty again).

    Data is not being logged to /var/log/logfile.1

    OS is RHEL

    Update... I followed up on the: syslog and noexec /tmp tip, and it looks like that might do the trick (I originally figured it was a long shot because I have several other rhel servers that do not have the logging issue).

    Also -- A full syslog stop/start seems to temporarily correct the issue (instead of a restart).

    Nick
     
    #6 mediast, Dec 22, 2006
    Last edited: Dec 22, 2006
  7. krava

    krava Well-Known Member

    check:

    /etc/syslog.conf

    and make sure your syslog is configured to log to the files:
    /var/log/messages
    /var/log/secure

    and don't forget about chkrootkit, rkhunter.
     
  8. mediast

    mediast Member

    FYI:

    It *seems* that the fix is (borrowed from this page)...:

    service syslog stop
    service syslog start

    mkdir /root/tmp; chmod 1777 /root/tmp

    vi /etc/cron.daily/logrotate

    Add the following line:

    export TMPDIR=/root/tmp

    Your file should now look like this:

    Code:
    #!/bin/sh
    
    export TMPDIR=/root/tmp
    
    /usr/sbin/logrotate /etc/logrotate.conf
    EXITVALUE=$?
    if [ $EXITVALUE != 0 ]; then
        /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
    fi
    exit 0
    Save and exit...

    Red Hat claims that this bug is fixed in updated versions of logrotate, but I'm running the most current version and it's not... (?). I fully expect updates to overwrite my changes, so I'm posting this for my information just as much as yours!

    Nick
     
    #8 mediast, Dec 22, 2006
    Last edited: Dec 22, 2006
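
Added example (not posted by anyone in this thread): a shell triage script that does what posts #3 and #5 suggest before syslog is restarted. It records the modification time of every zero-byte log and checks whether the rotated `.1` sibling is still receiving data. The function names `audit_logs` and `count_status` are made up for this example, and GNU `stat` is assumed, as on the CentOS/RHEL hosts discussed.

```shell
#!/bin/sh
# Added example: triage zero-byte syslog files BEFORE restarting syslogd,
# so the timestamps survive as evidence. Assumes GNU coreutils (stat -c).

# audit_logs DIR
# Prints one line per zero-byte log in DIR:  STATUS<TAB>MTIME<TAB>PATH
#   ROTATED_ACTIVE  PATH.1 is non-empty and newer than PATH: syslogd is most
#                   likely still writing to the rotated file (post #5)
#   EMPTY_STALE     no newer, non-empty PATH.1: nothing is being logged, so
#                   note the time and investigate further (post #3)
audit_logs() (
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.[0-9]|*.gz) continue ;; esac   # skip rotated copies
        [ -s "$f" ] && continue                        # non-empty: healthy
        mtime=$(stat -c '%y' "$f")                     # time it went quiet
        status=EMPTY_STALE
        if [ -s "$f.1" ] &&
           [ "$(stat -c '%Y' "$f.1")" -gt "$(stat -c '%Y' "$f")" ]; then
            status=ROTATED_ACTIVE
        fi
        printf '%s\t%s\t%s\n' "$status" "$mtime" "$f"
    done
)

# count_status STATUS DIR -> number of zero-byte logs in that state
count_status() {
    audit_logs "$2" | awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# When a directory is given on the command line, audit it, for example:
#   sh audit_logs.sh /var/log > /root/zero-byte-logs.txt
if [ "$#" -gt 0 ]; then
    audit_logs "$1"
fi
```

Many logs reported as EMPTY_STALE with modification times clustered together is the pattern post #3 says to write down; ROTATED_ACTIVE entries point to the rotation problem described in posts #5 and #8.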