topic Re: syslog.log disappears in Operating System - HP-UX

syslog.log disappears

John Ferrara — Thu, 25 Oct 2001 12:16:43 GMT

Please help! My /var/adm/syslog/syslog.log file keeps magically disappearing from my systems. These systems are running 10.20 and are trusted. I'm also running power broker.

John

Re: syslog.log disappears

James Beamish-White — Thu, 25 Oct 2001 12:22:33 GMT

Hi John,

Have you checked your root crontab? You may have a log cleanup script running somewhere that has an error in it. Remember never to move a file which is open by a process. It instead needs to be zero'd by cat /dev/null > file.

You could also try restarting syslogd

/sbin/init.d/syslogd stop
/sbin/init.d/syslogd start

Cheers,
James

Re: syslog.log disappears

Frank Gilsdorf — Thu, 25 Oct 2001 12:27:03 GMT

Hi John,

you have to create an empty syslog-file. Otherwise it wouldn't be automatically created. Test with:

touch /var/adm/syslog/syslog.log

Also have a look at your /etc/syslog.conf. It must not have any blanks. Only is allowed! It's a feature no a bug.

Frank

Re: syslog.log disappears

John Ferrara — Thu, 25 Oct 2001 12:33:17 GMT

James,

I do not have a clean up script in cron. After I've discovered that my syslog.log file is gone, what I do is stop syslogd and touch syslog.log. I make sure that the file has the same permissions as other syslog.log files on my other systems. It will hang around for a few days or a week then dissappear again.

John

Re: syslog.log disappears

James Beamish-White — Thu, 25 Oct 2001 12:43:34 GMT

Er, ick. OK, my paranoia jumps to the fore and says 'hacker trying to disguise his tracks', but that's only cos I'm paranoid.

What you do to find this depends on how your system is set up. When you touch it, ensure it's chmod 644 and chown root:sys. That'll make sure only root can remove it. You could install tripwire (http://www.tripwire.com/downloads/tripwire_asr) and fine out when it disappears, and if it's a user who does it. You could write a cron job to check if it's there, then send a bit of it to you:

if [ -f /var/adm/syslog/syslog.log ] ; then
tail /var/adm/syslog/syslog.log | mail you@yourdomain
else
echo "syslog is gone!" | mail you@yourdomain
...anything else...
fi

Once you find out when it disappears, you can check the sulog and lastlog to see who's logged in at the time. These logs aren't disappearing too are they?

You might also want to check out the syslogd patches out there and see if this has occurred as a bug.

Cheers,
James

Re: syslog.log disappears

John Ferrara — Thu, 25 Oct 2001 12:43:36 GMT

Frank,

I checked my syslog.conf file and it did have spaces. I've replaced them w/ TABs. I'll see if that does the trick.

Thanks,
John

Re: syslog.log disappears

John Bolene — Thu, 25 Oct 2001 12:55:36 GMT

I've never had a syslog file just be gone.

Sounds like it is being removed on purpose by someone.

I would probably set up another job that does a
tail -f /var/adm/syslog.log > myfile

at least this way you get to see what was in the file that dissapeared.

Re: syslog.log disappears

melvyn burnard — Thu, 25 Oct 2001 13:02:59 GMT

I would also do as Jon suggests, but change it to be a cron job every 5 or 10 seconds
tail -5 /var/adm/syslog.log >> myfile
you could still do the
tail -f /var/adm/syslog.log > myfile

as an additional check I would also check to see who may have root uid or passwd, or better yet, change the root passwd NOW!

Re: syslog.log disappears

John Ferrara — Thu, 25 Oct 2001 13:18:27 GMT

I'm the only one w/ root access. I don't think I'm being hacked b/c I'm behind a secure firewall and nothing else is being disturbed, no one is ftp'ing files or anything. The root passwd is changed every 35 days and there is no /.rhosts file.