Operating System - HP-UX
Re: syslog.log disappears

John Ferrara
Frequent Advisor

syslog.log disappears

Please help! My /var/adm/syslog/syslog.log file keeps magically disappearing from my systems. These systems are running 10.20 and are trusted. I'm also running power broker.

John
It was working fine when I left....what did you do?
James Beamish-White
Trusted Contributor

Re: syslog.log disappears

Hi John,

Have you checked your root crontab? You may have a log cleanup script running somewhere that has an error in it. Remember never to move a file which is open by a process. It instead needs to be zero'd by cat /dev/null > file.

You could also try restarting syslogd

/sbin/init.d/syslogd stop
/sbin/init.d/syslogd start

Cheers,
James
GARDENOFEDEN> create light
Frank Gilsdorf
Advisor

Re: syslog.log disappears

Hi John,

You have to create an empty syslog file; otherwise it won't be created automatically. Test with:

touch /var/adm/syslog/syslog.log

Also have a look at your /etc/syslog.conf. It must not have any blanks. Only tabs are allowed! It's a feature, not a bug.

Frank
John Ferrara
Frequent Advisor

Re: syslog.log disappears

James,

I do not have a cleanup script in cron. After I've discovered that my syslog.log file is gone, what I do is stop syslogd and touch syslog.log. I make sure that the file has the same permissions as other syslog.log files on my other systems. It will hang around for a few days or a week, then disappear again.

John
It was working fine when I left....what did you do?
James Beamish-White
Trusted Contributor

Re: syslog.log disappears

Er, ick. OK, my paranoia jumps to the fore and says 'hacker trying to disguise his tracks', but that's only cos I'm paranoid.

What you do to find this depends on how your system is set up. When you touch it, ensure it's chmod 644 and chown root:sys. That'll make sure only root can remove it. You could install tripwire (http://www.tripwire.com/downloads/tripwire_asr) and find out when it disappears, and if it's a user who does it. You could write a cron job to check if it's there, then send a bit of it to you:

if [ -f /var/adm/syslog/syslog.log ] ; then
    tail /var/adm/syslog/syslog.log | mail you@yourdomain
else
    echo "syslog is gone!" | mail you@yourdomain
    # ...anything else...
fi

Once you find out when it disappears, you can check the sulog and lastlog to see who's logged in at the time. These logs aren't disappearing too, are they?

You might also want to check out the syslogd patches out there and see if this has occurred as a bug.

Cheers,
James
GARDENOFEDEN> create light
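The cron check above and Frank's tab remark, combined into one watchdog script as an added example (not code from the thread or from HP-UX itself). It records the log file's inode between runs so a remove-and-recreate is noticed even when the file is back before cron fires, and it flags syslog.conf lines that use spaces instead of a tab; the paths, state file and recipient are assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# syslog.log watchdog for root's crontab (added example, not from the thread).
# Combines the "is it still there?" cron check with the tabs-only rule for
# /etc/syslog.conf. Paths, state file and recipient are assumptions.
SYSLOG_FILE=${SYSLOG_FILE:-/var/adm/syslog/syslog.log}
SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog.conf}
STATE_FILE=${STATE_FILE:-/var/tmp/syslog_watch.inode}
ALERT_TO=${ALERT_TO:-root}

# Print (as "lineno: text") every active syslog.conf line whose selector and
# action are not separated by a tab; syslogd ignores such lines.
# Exit status 1 when at least one offending line was found, else 0.
bad_conf_lines() {
    awk '/^[ \t]*(#|$)/ { next }               # comments and blank lines
         index($0, "\t") == 0 { print NR ": " $0; found = 1 }
         END { exit (found ? 1 : 0) }' "$1"
}

# Compare the log file inode with the one saved on the previous run, so a
# remove-and-recreate is noticed even if the file is back before cron fires.
# Prints ok/missing/replaced; returns 0, 1 or 2 respectively.
watch_syslog() {
    file=$1; state=$2
    if [ ! -f "$file" ]; then
        echo missing; return 1
    fi
    inode=$(ls -i "$file" | awk '{ print $1 }')
    prev=$(cat "$state" 2>/dev/null || true)
    echo "$inode" > "$state"
    if [ -n "$prev" ] && [ "$prev" != "$inode" ]; then
        echo replaced; return 2
    fi
    echo ok; return 0
}

# Cron entry point: mail a report with the current logins (to match the event
# against sulog/lastlog later) and the tail of the log if it is still there.
syslog_watchdog() {
    if ! status=$(watch_syslog "$SYSLOG_FILE" "$STATE_FILE"); then
        { echo "$SYSLOG_FILE is $status on $(hostname) at $(date)"; who
          [ -f "$SYSLOG_FILE" ] && tail -20 "$SYSLOG_FILE"; } \
            | mailx -s "syslog watchdog: $status" "$ALERT_TO"
    fi
    if ! bad=$(bad_conf_lines "$SYSLOG_CONF"); then
        printf 'lines without a tab in %s:\n%s\n' "$SYSLOG_CONF" "$bad" \
            | mailx -s "syslog.conf check" "$ALERT_TO"
    fi
}
```

Run `syslog_watchdog` from root's crontab every few minutes; the state file must be writable only by root, or it tells you nothing about who touched the log.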
John Ferrara
Frequent Advisor

Re: syslog.log disappears

Frank,

I checked my syslog.conf file and it did have spaces. I've replaced them w/ TABs. I'll see if that does the trick.

Thanks,
John
It was working fine when I left....what did you do?
John Bolene
Honored Contributor

Re: syslog.log disappears

I've never had a syslog file just be gone.

Sounds like it is being removed on purpose by someone.

I would probably set up another job that does a
tail -f /var/adm/syslog/syslog.log > myfile

At least this way you get to see what was in the file that disappeared.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
melvyn burnard
Honored Contributor

Re: syslog.log disappears

I would also do as John suggests, but change it to be a cron job every 5 or 10 seconds
tail -5 /var/adm/syslog/syslog.log >> myfile
You could still do the
tail -f /var/adm/syslog/syslog.log > myfile

As an additional check I would also check to see who may have root uid or passwd, or better yet, change the root passwd NOW!

My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
John Ferrara
Frequent Advisor

Re: syslog.log disappears

I'm the only one w/ root access. I don't think I'm being hacked b/c I'm behind a secure firewall and nothing else is being disturbed, no one is ftp'ing files or anything. The root passwd is changed every 35 days and there is no /.rhosts file.
It was working fine when I left....what did you do?