HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

/var/adm/syslog/mail.log and syslog.log not updating

 
SOLVED
Go to solution
The Gunners
Regular Advisor

/var/adm/syslog/mail.log and syslog.log not updating

Hi ,
I was just doing a general scoot around the system and noticed the following files have not been updated in a few months - Anyone any ideas ? - I have no space issues at all

-r--r--r-- 1 root root 28050618 Aug 13 16:03 mail.log
-rw-r--r-- 1 root root 98776950 Aug 13 16:29 syslog.log
16 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi Davey:

This sounds as if someone tried to trim (null) the files by moving the current file to "*.old" and then touching (or redirecting '/dev/null' into a new file). This leaves the open file descriptor pointing at the ".old" file.

The correct way to preserve data and trim to zero bytes is to 'cp' the current file as "*.old" and then redirect (truncate) the current file.

Regards!

...JRF...

Pete Randall
Outstanding Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

So the answer is to restart the respective daemons so they do end up pointing to the correct files.


Pete

Pete
Kapil Jha
Honored Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Restart the mail daemon and syslogd and use logger to check if it is working fine

#logger "checking if its working"

BR,
Kapil+
I am in this small bowl, I wane see the real world......
Suraj K Sankari
Honored Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi,
>>I have no space issues at all

If you have not a space issue problem then you can leave those files as they are.

If you want to trim those files then you can take a backup copy of them and trim the file.

>mail.log
>syslog.log

Suraj
The Gunners
Regular Advisor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Thanks everyone for info so far , it does seem to be functioning fine , I got an email to my outlook from this system this morning with backup log details , so mail does seem to be working , even though it says the last entry was on August 13 , Im still a bit confused to be honest , which file is it actually writing to now Im wondering ?

Re: /var/adm/syslog/mail.log and syslog.log not updating

>which file is it actually writing to now Im wondering?

You could use lsof to see where it is writing.
unix adm
Regular Advisor
Solution

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi Davey,
You can see /etc/syslog.conf there is you can find what logs are going where.

Restart syslog daemon and sendmail daemon

/sbin/init.d/syslog.d stop
/sbin/init.d/syslog.d start

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

this should rename the current file to old one and restart writing the fresh syslgo.log file, then using logger message command check if it is logging OK in the syslog.log file with correct date.

If still does not help try ftping syslogn.conf file from another working system and restart the daemons, this should help.

also , I know its stupid but check the date of your system as you said your mails are still working.


Thanks

Raj
Bill Hassell
Honored Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

> it does seem to be functioning fine , I got an email to my outlook from this system this morning with backup log details , so mail does seem to be working , even though it says the last entry was on August 13 , Im still a bit confused to be honest , which file is it actually writing to now Im wondering ?

Always test syslogd with logger as mentioned above. These two commands will put an entry at the end of the two logs (assuming you have a standard syslog.conf file):

logger "testing syslog.log"
logger -p mail.info "testing mail.log"

If nothing shows up, then syslogd is not running or not writing to the current syslog.log and mail.log files. Stop and restart syslogd and repeat the logger test. If logger still does not write anything new, then list the syslog.conf file using cat -t:

cat -t /etc/syslog.conf
mail.debug^I^I/var/adm/syslog/mail.log
*.info;mail.none;local5.none;auth.none^I/var/adm/syslog/syslog.log
auth.info^I^I/var/adm/syslog/auth.log
local5.info^I^I/var/adm/syslog/ftpd.log
*.alert^I^I^I/dev/console
*.alert^I^I^Iroot
*.emerg^I^I^I*

There must be *NO* spaces anywhere in the file. The ^I symbol is the TAB character but in vi, it looks like spaces. This space character restriction has always existed for syslogd.


Bill Hassell, sysadmin
The Gunners
Regular Advisor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi Everyone , ok , STopped / restarted both and this is what I get left with - looks like its created a new syslog.log , but the mail file looks the same one , v strange

kilhp01:/ # /sbin/init.d/syslogd start
System message logger started
kilhp01:/ #
kilhp01:/ # /sbin/init.d/sendmail stop
Sendmail pid is 1253
Killing sendmail
Please wait .....
Sendmail killed.
kilhp01:/ # /sbin/init.d/sendmail start
/etc/mail/aliases: 7 aliases, longest 9 bytes, 88 bytes total
sendmail
kilhp01:/ # pwd
/
kilhp01:/ # cd /var/adm/syslog
kilhp01:/var/adm/syslog #
kilhp01:/var/adm/syslog #
kilhp01:/var/adm/syslog # ls -al
total 247776
dr-xr-xr-x 2 bin bin 96 Oct 13 14:21 .
drwxr-xr-x 15 adm adm 8192 Apr 2 2008 ..
-rw-r--r-- 1 root root 98776950 Aug 13 16:29 OLDsyslog.log
-r--r--r-- 1 root root 28050618 Aug 13 16:03 mail.log
-rw-r--r-- 1 root sys 0 Oct 13 14:21 syslog.log
James R. Ferguson
Acclaimed Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi (again) Davey:

> looks like its created a new syslog.log , but the mail file looks the same one

Re-read Bill's comments about 'syslog.conf'. You can NOT use _spaces_ to delineate fields. You must use _tab_ characters instead. You can examine your 'syslog.conf' by doing:

# cat -etv /etc/syslog.conf

This will expose TAB characters and allow you to easily differentiate them from SPACEs.

Regards!

...JRF...
The Gunners
Regular Advisor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi James , just had another quick look there , it seems ok now , I must have done the ls -al too quickly , and the new mail file hadnt restarted at that stage mabey ? - Points on the way folks!

kilhp01:/var/adm/syslog # ls -al
total 269216
dr-xr-xr-x 2 bin bin 96 Oct 13 14:21 .
drwxr-xr-x 15 adm adm 8192 Apr 2 2008 ..
-rw-r--r-- 1 root root 98776950 Aug 13 16:29 OLDsyslog.log
-r--r--r-- 1 root root 28051458 Oct 13 14:31 mail.log
-rw-r--r-- 1 root sys 10974254 Oct 13 14:41 syslog.log
The Gunners
Regular Advisor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi again folks , Im still concerned with this one. I managed to restart daemons and all seemed ok as I said in earlier post. However Im v concerned at the huge increase in size (even since yesterday of the syslog.log - see below , what could be causing this ?

-rw-r--r-- 1 root sys 856953472 Oct 14 15:30 syslog.log

-rw-r--r-- 1 root sys 1471363724 Oct 15 11:12 syslog.log

TTr
Honored Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

This is a different problem. The syslog is probably working fine and doing its job. The cause of all this logging is not normal. Now you have to look inside the syslog.log file to see what kind of messages are getting posted and find what is problem is. There is probably some flaky hardware or software that is flooding the syslog with error messages.
Most likely it is the reason the syslog daemon was turned off in the first place.
The Gunners
Regular Advisor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Ok Hmmmm , just had a look the last 500 lines. This is message that you can see in the syslog.log file as far as the eye can see
Oct 15 11:45:35 kilhp01 vmunix: function == 0x7A8E80, arg == 0x416C3400, ticks =
= 0xDF234640, flags == 0x0
Oct 15 11:45:35 kilhp01 vmunix: function == 0x7A8E80, arg == 0x416C3400, ticks =
= 0xDF23463F, flags == 0x0
Oct 15 11:45:35 kilhp01 vmunix: function == 0x7A8E80, arg == 0x416C3400, ticks =
= 0xDF23463E, flags == 0x0
Oct 15 11:45:35 kilhp01 vmunix: function == 0x7A8E80, arg == 0x416C3400, ticks =
= 0xDF23463D, flags == 0x0
unix adm
Regular Advisor

Re: /var/adm/syslog/mail.log and syslog.log not updating

Hi Davey,

Dont go by the block size there run du -sk command to see the actual usage.


cd /var/adm/syslog/


du -sk *|sort -n

This is all mounted under /var. I think u should be only worried if there is a space issue with /var fs does it keep on feeling etc?

if no and the growth is normal and don't worry also if you want to do some houskeeping on this file using some script evrryday you can rename as per the date wise and start new systlog file and after 7 days delet the files.

if there is space issue with /var.

1st you should look if , is it syslog.log causing issue or something else.
u can find out the space utilization using the commands given above.

cd /var
du -sk * |sort -n

(above command will give you the space utilization in sorted way) u can go in high utilization dir and run the same command to see which is using most and if there is anything whcih can be deleted.
TTr
Honored Contributor

Re: /var/adm/syslog/mail.log and syslog.log not updating

You can run "tail -f /var/adm/syslog/syslog.log" to see the syslog file being updated live. There is probably millions of these lines.
There is definitely something wrong in the kernel. You should seriously look into installing some patches (SCSI) on this server.

Take a look at these threads

https://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1236170

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1167624

I think it would be wise to turn of the sysolgd at this time before it filles up your disk. You have enough error messages to check the error with HP if needed. When you have fixed the error you can turn on syslogd again.