
/var/log/messages fills with loopback

 
Antonio Del Pino
Occasional Visitor

/var/log/messages fills with loopback

Has anyone run into similar issues?
Issue: /var/log/messages fills with loopback connection entries from snmpd since running up2date or https://ip-server:2381 does not work. Not sure if the issue is with syslogd or snmp as they were both updated. The third variable is hpasm - the HP Insight agents. Turn them off and I get no logging entries.

Environment: RHEL4 update 5, 32-bit, on ProLiant architecture DL360 G5
(regardless of model or Intel vs AMD chipsets)


The updated packages:
logwatch-5.2.2-2.EL4
logrotate-3.7.1-6.RHEL4
net-snmp-5.1.2-11.EL4.10
net-snmp-libs-5.1.2-11.EL4.10

The package versions from before this issue:
logwatch-5.2.2-1.EL4.1
logrotate-3.7.1-5.RHEL4
net-snmp-5.1.2-11.EL4.7
net-snmp-libs-5.1.2-11.EL4.7


8 REPLIES
Matti_Kurkela
Honored Contributor

Re: /var/log/messages fills with loopback

Too bad you did not include any examples from /var/log/messages.

Those messages might also be caused by the kernel, if you have Linux's built-in iptables firewall enabled.

To view the firewall rules, first adjust your terminal window to be about 200 characters wide, if possible: there may be very long lines.
Then run "iptables -L -v -n" as root.

When you install RHEL4 with default settings, it will automatically install a simple set of firewall rules. If you disable the firewall just by running "iptables -F", the disabling is not permanent: after a reboot, the firewall rules will be active again.

MK
Antonio Del Pino
Occasional Visitor

Re: /var/log/messages fills with loopback

Matti,

Thanks for your response. I do not think the problem is the firewall or iptables; in fact, when I deactivate (stop) the HP agents 7.8/7.7/7.6, or when I downgrade from net-snmp version 5.1.2-11.EL4.10 to net-snmp-5.1.2-11.EL4.7, all works fine.
Sorry, my English is not very good!!!
skt_skt
Honored Contributor

Re: /var/log/messages fills with loopback

I suspect you are missing the respective net-snmp-devel package.
Stuart Browne
Honored Contributor

Re: /var/log/messages fills with loopback

Nah, he's getting these:

Jun 12 20:10:05 logs snmpd[2217]: Connection from - 127.0.0.1
Jun 12 20:10:05 logs snmpd[2217]: transport socket = 15

(this is from one of my own servers).

These occur once you do the RH4 errata updates for net-snmp (past 5.1.2-11.EL4.10 or so; I'm using EL4.11 here).

It appears that the 'snmpd' has some debugging option left in (or '-a' permanently turned on, regardless of presence on command line) which causes this. As the HP ASM stuff repeatedly polls SNMPD to get some of its details, this populates the log file.

I haven't had the time to actually find the offending code in the snmpd source, as it's not really a big concern. I already rotate messages daily ;)
One long-haired git at your service...
Rick Beldin
Esteemed Contributor

Re: /var/log/messages fills with loopback

> It appears that the 'snmpd' has some debugging
> option left in (or '-a' permanently turned on,
> regardless of presence on command line) which
> causes this. As the HP ASM stuff repeatedly
> polls SNMPD to get some of its details, this
> populates the log file.

Actually, this is on purpose.

RH fixed a defect where logging would NEVER happen.

The change was introduced in net-snmp-5.1.2-libwrap3.patch, which was
new with net-snmp 5.1.2-11.EL4.10.

Red Hat looked into the issue and the change was implemented
in order to correct a problem where the messages were not
logged, but should have been.

If we look at the man page for snmpd:

-a Log the source addresses of incoming requests.

The change that was made was to enable this option, which
was broken before. This was done to ensure that snmpd
behaved as it was documented to do.

Workarounds:

- create /etc/sysconfig/snmpd.options and change options as
suitable for the customer's site. An example that prevents the
messages is:

OPTIONS="-LS e d -Lf /dev/null -p /var/run/snmpd.pid -a"

- modify /etc/syslog.conf to change where snmpd logs and
to what level the logging will occur

The code is this:

This code is introduced in
the patch net-snmp-5.1.2-libwrap3.patch:

    if (fcolon_ptr != NULL) fcolon_ptr++;
    else fcolon_ptr = wrap_addr;
    if (hosts_ctl("snmpd", STRING_UNKNOWN, fcolon_ptr,
                  STRING_UNKNOWN)) {
        snmp_log(allow_severity, "Connection from - %s\n",
                 addr_string);
        snmp_log(allow_severity, "transport socket = %d\n",
                 transport->sock);
    } else {
        snmp_log(deny_severity, "Connection from %s REFUSED\n",
                 addr_string);
        free(wrap_addr);
        SNMP_FREE(addr_string);
        return 0;
    }

If you redirect all the snmpd output to /var/log/snmpd.log and modify /etc/logrotate.d/snmpd you can rotate the logs on a regular basis - perhaps on some small size.
Necessary questions: Why? What? How? When?
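
Added example, not part of any post in this thread: before redirecting or discarding snmpd's connection logging, this script measures how much of a syslog file it accounts for and lists the entries that are not routine loopback polling (non-loopback sources and REFUSED connections). The line formats are the two snmp_log() messages quoted above; the sample log, its addresses and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise snmpd connection entries in a syslog file.
# Line formats follow the two snmp_log() calls quoted in the thread.

# Constructed sample input (documentation addresses, not from a real host).
sample_log() {
cat <<'EOF'
Jun 12 20:10:05 logs snmpd[2217]: Connection from - 127.0.0.1
Jun 12 20:10:05 logs snmpd[2217]: transport socket = 15
Jun 12 20:10:35 logs snmpd[2217]: Connection from - 127.0.0.1
Jun 12 20:10:35 logs snmpd[2217]: transport socket = 15
Jun 12 20:11:02 logs sshd[3100]: Accepted publickey for admin from 192.0.2.7 port 50022 ssh2
Jun 12 20:11:40 logs snmpd[2217]: Connection from - 192.0.2.50
Jun 12 20:11:40 logs snmpd[2217]: transport socket = 15
Jun 12 20:12:10 logs snmpd[2217]: Connection from 198.51.100.9 REFUSED
EOF
}

# Print "STATUS ADDRESS COUNT" per source address, sorted.
summarise_snmpd() {
    awk '
    $5 ~ /^snmpd\[[0-9]+\]:$/ && $6 == "Connection" && $7 == "from" {
        if ($NF == "REFUSED") { key = "REFUSED " $8 }
        else if ($8 == "-")   { key = "ALLOWED " $9 }
        else { next }
        count[key]++
    }
    END { for (k in count) print k, count[k] }' "$1" | LC_ALL=C sort
}

# Entries worth keeping: refusals and anything not from IPv4 loopback.
interesting_snmpd() {
    summarise_snmpd "$1" | awk '$1 == "REFUSED" || $2 != "127.0.0.1"'
}

# Percentage of the file's lines that are snmpd connection logging.
snmpd_noise_percent() {
    awk '
    $5 ~ /^snmpd\[[0-9]+\]:$/ && ($6 == "Connection" || $6 == "transport") { n++ }
    END { printf "%d\n", (NR ? n * 100 / NR : 0) }' "$1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp) && sample_log > "$tmp"
summarise_snmpd "$tmp"
echo "snmpd connection lines: $(snmpd_noise_percent "$tmp")% of file"
rm -f "$tmp"
```

On a real host, pass /var/log/messages (or the redirected snmpd log) to the functions instead of the sample file.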
Stuart Browne
Honored Contributor

Re: /var/log/messages fills with loopback

Rick, sorta right. The purpose of '-a' is to log these messages. But if you do not *use* '-a', then it shouldn't be logging them. That's what's occurring here.
One long-haired git at your service...
Antonio Del Pino
Occasional Visitor

Re: /var/log/messages fills with loopback

Thanks, guys, for your help.
I have found this workaround:
1. Open file etc/init.d/snmpd
2. Find line 18:
OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
3. Replace by:
OPTIONS="-LS 4 d -p /var/run/snmpd -a"

It works fine!!!
skt_skt
Honored Contributor

Re: /var/log/messages fills with loopback

Good News