SUMMARY: syslogd doesn't

From: Roger Spaulding (ras@loveland.ramtron.com)
Date: Tue Apr 22 1997 - 10:57:31 CDT


        Okay good people,

        Here's my original post:

> Suddenly, without warning, syslogd stopped logging messages to
> /var/adm/messages*. This on a SPARC 10 running SunOS 4.1.4.
>
> As implied, this was working fine for several years, and suddenly
> stopped. Naturally I can't *recall* making any changes that hosed
> the daemon.
>
> syslogd is still running and the /etc/syslogc.conf file exists.
>
>-rw-r--r-- 1 root staff 1842 Dec 19 14:46 /etc/syslog.conf

        None of the suggestions helped, it wasn't a matter of spaces
        being substituted for tabs but thanks to all that responded,
        particularly those who suggested turning on logging.

        A personal THANKS! goes out to:
                Jim Coby
                Michael Kohne
                Alex Soares
                Keith Willenson
                Howard Lapin
                David Neal
                Glenn Satchell
                Don Ballard
                Alan Arolovitch
                Oscar Goldes
                Thomas Renzy
                David Stern

        Roger Spaulding
        Network System Administrator
        Ramtron International Corporation
        1850 Ramtron Drive
        Colorado Springs, CO 80921
        ras@ramtron.com

        "Keep your stick on the ice" -- Red Green

================== begin attached responses ====================================

Hi Roger,

  Have you tried a kill -HUP (pid of syslogd).

Sometimes if syslogd has trouble writing to the log file it goes off and pouts and stops
writing.Sometimes this will bring it back.

-- 
Jim Coby                      :Control Data Systems Inc.
-------------------------------------------------------------------------------
The last time I saw this, it was because the root partition had filled up.
Someone may have temporarily filled up your root partition with a big file
in tmp, which is now gone (thus deleting all traces of the problem). Try
sending a HUP to syslogd (just like you had changed the syslog.conf file).

I also recommend putting some kind of cheap PC as your console terminal, instead of the local screen or a dumb terminal. This is because with a PC and something like procomm you can scroll back in your console messages when syslog goes to hell.

Luck!

Michael Kohne ------------------------------------------------------------------------------- Verify if the /etc/syslog.conf have TAB character separating fields. I've had a similar problem a week ago. It turned out to be that one of our opeartors edited the file and during the save (I think) the editor (I don't know which) "transformed" every TAB character in spaces. According with 'man syslog.conf':

A configuration entry is composed of two TAB-separated fields:

"selector action"

I hope your problem is that simple to solve.

Cheers, -- Alex Soares ------------------------------------------------------------------------------- This happened to me, also quite mysteriously, about eight months ago. Reboots did not help. I also checked for some hacker breaking in. I could find nothing wrong and nothing in the archives. After about a week or so it just as mysteriously started working again. If you have any clue at all, please let me know.

Keith ------------------------------------------------------------------------------- I believe the problem is an ownership problem.....

try:

-rw-r--r-- 1 root sys 1842 Dec 19 14:46 /etc/syslog.conf ------------------------------------------------------------------------------- The last time I saw that happen, someone had broken in to the machine in question and replaced it with a packet sniffer.

Check the binary against another machine running the same os release, etc. If you see a difference you may wish to replace the executable. If that fixes the problem, consider the machine compromised and reload the os. ------------------------------------------------------------------------------- Have you got spaces in /etc/syslogd.conf when you must have tabs?

You'll have to think hard about all the changes that have been made to the system and trace them back to see if they have had any impact. Do you have loghost defined in your /etc/hosts, dns and/or nis[+] to point to the local machine?

regards, -- Glenn Satchell ------------------------------------------------------------------------------- Hi, Roger:

FWIW, I've been having the same problem from nearly day one, though running Solaris 2.5. syslogd continues to run, /etc/syslog.conf is intact, but nothing gets written to the logs - even using logger to force a message writes nothing to the logs...

I don't know all the fine points of SunOS 4xx, but on Solaris 2.5, there's a shell script , /usr/lib/newsyslog, that runs weekly from cron. It renames the old logfiles, and kills -HUP the syslogd. I replaced the kill -HUP with a full stop and restart of syslogd; i.e., /etc/init.d/syslogd stop /etc/init.d/syslogd start This seems to take care of the problem; it's more of a band-aid than a cure, but that's the business we're in sometimes.

I'd appreciate hearing anything else you find out about this one, if you'd be so kind as to summarize your responses to the list.

HTH.. ---- Don Ballard ------------------------------------------------------------------------------- try running syslogd in debug mode (syslogd -d) and in parallel logging some message by logger utility (say logger -p mail.debug "test") and see what follows. rgds, --alan -- Alan Arolovitch, SE ------------------------------------------------------------------------------- Hello, you dont say if rebooting solves the problem. Try to run truss (truss -p <syslog pid>) and see what is he doing. Are you sure you did not move/rename/recreated /var/adm/messages* ? This has happened to me when any of the files syslog writes to does not longer exist, or has been deleted and recreated with syslog running. You should kill and rerun syslog in such case. Aslo check the configuration file. (All this refers to solaris 2.5, I think it should apply also to SunOs) Good luck!

-- Oscar Goldes ------------------------------------------------------------------------------- I can tell you that our syslogd was dying consistently and we added a patch for it. Of course this was on Solaris 2.5 but maybe there might be a patch for it

Thomas Renzy ------------------------------------------------------------------------------- More importantly, what are its contents? is there a line with (facility.severity) (tabs) /var/adm/messages

Note that the whitespace MUST be tabs. To test it, try "logger mail.debug hello" This will send a messages to the facility mail.debug. If that facility is pointing to /var/adm/messages, it should append a line to that file with the word "hello".

=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=-=-= David Stern



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:51 CDT