Server Log Files 0 Bytes

[mtbwacko]

I noticed my LogWatch emails started having most of its information missing. I then checled the logs in /var/log and see that many of them have been at 0 bytes for quite some time, specifically the following logs. I am running WHM 10.8.0 cPanel 10.9.0-R34 on CentOS 4.4 i686

acpid
bfd_log
boot.log
chkservd.log
cron
exim_paniclog
maillog
messages
secure
spooler
xferlog
yum.log

Any ideas what to check as to why this is happening??

Thanks,
Dana

 

[krava]

Hello.

did you try to restart syslog ?
#/etc/rc.d/init.d/syslog stop
#/etc/rc.d/init.d/syslog start

Additionally, I advise you to check your box using chkrootkit and rkhunter:
http://www.chkrootkit.org/
http://www.rootkit.nl/

 

[nyjimbo]

I noticed my LogWatch emails started having most of its information missing. I then checled the logs in /var/log and see that many of them have been at 0 bytes for quite some time, specifically the following logs. I am running WHM 10.8.0 cPanel 10.9.0-R34 on CentOS 4.4 i686

Any ideas what to check as to why this is happening??

Thanks,
Dana

Before you do anything write down the date and times of those logs, especially if they appear to be all around the same time frame. Might help you later if you go hunting for wumpus in your system. Hackers often blow out your logs when they get in and unless syslogd is restarted you might not see any new data stored in them.

 

[mtbwacko]

Thanks, restaring it seemed to fix the issue. I'm also going to run a root kit check to b safe.

 

[eth00]

Check the /var/log/logfile.1 and you will probably find it logging there.

This issue with non-logging is generally a known problem with syslog and noexec /tmp

 

[mediast]

Tried searching Google for this in vain...

I have 2 cpanel servers that are not logging to /var/log/messages or /var/log/secure ... I have tried restarting syslog to know avail. Only a reboot corrects this issue, but (mysteriously) logging stops at some point (I only realize this when I need to check the log files and I find that they're all empty again).

Data is not being logged to /var/log/logfile.1

OS is RHEL

Update... I followed up on the: syslog and noexec /tmp tip, and it looks like that might do the trick (I originally figured it was a long shot because I have several other rhel servers that do not have the logging issue).

Also -- A full syslog stop/start seems to temporarily correct the issue (instead of a restart).

Nick

 

[krava]

check:

/etc/syslog.conf

and make sure your syslog is configured to log to the files:
/var/log/messages
/var/log/secure

and don't forget about chkrootkit, rkhunter.

 

[mediast]

FYI:

It *seems* that the fix is (borrowed from this page)...:

service syslog stop
service syslog start

mkdir /root/tmp; chmod 1777 /root/tmp

vi /etc/cron.daily/logrotate

Add the following line:

export TMPDIR=/root/tmp

Your file should now look like this:

#!/bin/sh

export TMPDIR=/root/tmp

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

Save and exit...

Redhat claims that this bug is fixed in updated versions of logrotate, but I'm running the most current version and its not... (?). I fully expect updates to overwrite my changes, so I'm posting this for my information just as much as yours!

Nick