HPE Community
Operating System - HP-UX
1834125 Members
2488 Online
110064 Solutions
New Discussion

non syslog activity...

 
SOLVED
Go to solution
James Ellis_1
Super Advisor

‎01-07-2004 06:46 AM

‎01-07-2004 06:46 AM

non syslog activity...

I noticed the syslog.log file was not showing any activity since two days ago. Did a ps-ef | grep syslog and nothing comes up so I restarted the log file. However, there still was not any activity when I tried to ftp to the server. I checked the /etc/syslog.conf file and noticed everything was missing but the

*.info /usr/uni/opr/config/servername/oprpipe0130

I think I need to get the original configuration in there. Can I ftp it from another HP server to this HP server?

Not sure how it got corrupted, but unicenter was restarted at the time and the syslog file shows uni logging activity stoped at the time uni was shutting down.

Anyway, I wanted to know if it is ok to ftp the syslog.conf from another server to this server, and then restart the syslogd?

Thanks.
"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
14 REPLIES 14
Pete Randall
Outstanding Contributor

‎01-07-2004 06:50 AM

‎01-07-2004 06:50 AM

Re: non syslog activity...

James,

I would say it should be fine to copy it from another server. The only exception would be if you had previously done any customizing of it. The ideal solution would be to restore from backup but any way you can get it back is what matters.


Pete

Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎01-07-2004 06:51 AM

‎01-07-2004 06:51 AM

Re: non syslog activity...

James,

Oh - and you'll probably need to restart the syslogd.


Pete

Pete
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎01-07-2004 06:52 AM

‎01-07-2004 06:52 AM

Re: non syslog activity...

James,

To make syslogd, re-read its configuration file, send it a HANGUP
signal:

kill -HUP `cat /var/run/syslog.pid`

Pete

Pete
0 Kudos
Reply
Marco Santerre
Honored Contributor

‎01-07-2004 06:52 AM

‎01-07-2004 06:52 AM

Re: non syslog activity...

I think that ftp'ing from another server should be fine. The only question I would have is "How did that config got changed?" But, the first thing I would do is definitely fix it. Then find out what happened.
Cooperation is doing with a smile what you have to do anyhow.
0 Kudos
Reply
Dave Hutton
Honored Contributor

‎01-07-2004 06:54 AM

‎01-07-2004 06:54 AM

Re: non syslog activity...

Like Pete said, I wouldn't think it would be a problem. There should be an original file at:
/usr/newconfig/etc/syslog.conf
That you could stick in the place. We've looked at customizing ours to funnel a few routers syslog type messages to a server so we can monitor with ITO/NNM.
0 Kudos
Reply
James Ellis_1
Super Advisor

‎01-07-2004 06:58 AM

‎01-07-2004 06:58 AM

Re: non syslog activity...

Pete,

I don't think there was any customizations done because we got two identical servers and they should be configured the same as much as possible. The only difference I can see is the last line showing:

/usr/uni/opr/config/server1/pipe/oprpipe0001
(from the problem server)

to

/usr/uni/opr/config/server2/pipe/oprpipe0130
(good working server)

What does the last digits of these two lines mean? Should I preserve the last digits from the problem server?

Thanks.

"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
James Ellis_1
Super Advisor

‎01-07-2004 07:24 AM

‎01-07-2004 07:24 AM

Re: non syslog activity...

Marco,

Here is a post of the last portion of syslog:
-------------------------------
Jan 5 10:03:40 hserv syslog: .SCTY_E_999 Evaluator PID #20292;

exiting for restart.

Jan 5 10:03:40 hserv syslog: .SCTY_I_999 Evaluator PID #20290;

normal shutdown.

Jan 5 10:03:40 hserv syslog: .SCTY_I_999 Evaluator PID #20291;

normal shutdown.

Jan 5 10:03:40 hserv vmunix: CAIENF_S_0181 10:03:40.267 SSF

shutdown successful

Jan 5 10:03:40 hserv username: unishutdown: attempting to shut down

Unicenter TNG 'star' component...

Jan 5 10:03:42 hserv username: unishutdown: attempting to shut down

Unicenter TNG 'emsrvc' component...

Jan 5 10:03:58 hserv username: unishutdown: attempting to shut down

Unicenter TNG 'cal' component...

Jan 5 10:04:00 hserv username: unishutdown: attempting to shut down

Unicenter TNG 'crit' component...

Jan 5 10:04:02 hserv username: unishutdown: attempting to shut down

Unicenter TNG 'opr' component...

Jan 5 10:04:03 hserv vmunix:
-------------------------

As you can see, it stopped at vmunix...


Thanks.
"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
James Ellis_1
Super Advisor

‎01-07-2004 07:31 AM

‎01-07-2004 07:31 AM

Re: non syslog activity...

Dave,

As for sticking the /usr/newconfig/etc/syslog.conf to /etc/syslog.conf...I noticed at another server, these two files were not the same size?

Also, at the problem server, the /usr/newconfig/etc/syslog.conf does not have the last line, /usr/uni/opr/config/server/pipe/oprpipe001 like the corrupt file does.

It appears that the /usr/newconfig/etc/syslog.conf file is from when the system reinitializes, and the last line was added by the unicenter admin?

Thanks.
"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
Dave Hutton
Honored Contributor

‎01-07-2004 07:45 AM

‎01-07-2004 07:45 AM

Re: non syslog activity...

It does look like you have some customizations. The one I was pointing to would be like you suggested. As a new install.

Dave
0 Kudos
Reply
James Ellis_1
Super Advisor

‎01-07-2004 08:42 AM

‎01-07-2004 08:42 AM

Re: non syslog activity...

I am not able to kill the syslog PID. From ls -al | grep syslog, I get the PID of 2344. I try to kill it by executing this command kill -HUP 2344. This PID still shows up when I do an ls. Why cannot I kill it?

Thanks.
"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎01-07-2004 03:31 PM

‎01-07-2004 03:31 PM

Solution

Re: non syslog activity...

syslogd is hung so normal kills aren't being seen. Try a kill -3 which will produce a small core dump. The restart syslogd manually. The /usr/newconfig directory contains all the original files before any modifications. The *.info line simply says: take all messages with importance level 'info' and higher, and write them to the long-path/file_name. If the filename refers to a pipe, then only the process that reads from the pipe know what becomes of the data.


Bill Hassell, sysadmin
Reply
James Ellis_1
Super Advisor

‎01-08-2004 02:35 AM

‎01-08-2004 02:35 AM

Re: non syslog activity...

Hi Bill,

Thanks for the help. I tried what you suggest, kill -3 PID, and it is still hung up. I know its hung but forgot how to kill a process short of rebooting the server.

I'd hate to reboot the server as I would have to kick everyone off.

Any other ideas to get around the hung up process state?

Thanks.
"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
Todd McDaniel_1
Honored Contributor

‎01-08-2004 03:00 AM

‎01-08-2004 03:00 AM

Re: non syslog activity...

James as a last resort kill -9 is your only option... although I would also try -15 and -18 first...

Then just kill it wiht -9 and restart this way...

/usr/sbin/syslogd -D
Unix, the other white meat.
Reply
James Ellis_1
Super Advisor

‎01-08-2004 08:37 AM

‎01-08-2004 08:37 AM

Re: non syslog activity...

the kill -15 PID did the trick. Thanks for your help, now I got syslog activity!
"In the middle of difficulty lies opportunity" -Einstein
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.