From owner-freebsd-security Wed Aug 16 14: 9:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
	by hub.freebsd.org (Postfix) with ESMTP id 47A6E37B71A
	for ; Wed, 16 Aug 2000 14:09:28 -0700 (PDT)
	(envelope-from todd@flyingcroc.net)
Received: from localhost (todd@localhost)
	by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id OAA06950
	for ; Wed, 16 Aug 2000 14:08:55 -0700 (PDT)
	(envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Wed, 16 Aug 2000 14:08:55 -0700 (PDT)
From: Todd Backman
X-Sender: todd@security1.noc.flyingcroc.net
To: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd poll state
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I tried on -questions and didn't get any bites. Any ideas here?:

(updated info: I increased my udp.recvspace via sysctl to overcome any
possible overloads due to +250 servers spewing syslog data to it. That was
not the problem and the poll state continues to occur. One thing I noticed
is that when syslogd is in the "poll" state the following is listed in the
output of sockstat:

machinename# sockstat
root     syslogd     83    4 udp4   *.514            *.*
root     syslogd     83    6 udp4   x.x.x.x.271      x.x.x.x.53
                                    ^^^^^^^          ^^^^^^^
                                    machine IP       nameserver IP

I am wondering why syslogd would be attempting to do any type of lookups?

Thanks.

- Todd

>
> Greetings.
>
> Application:
>
> I am running a central syslog repository that logs +250 freebsd
> servers. The syslog server is running 4.0-STABLE on good hardware (PII
> 400, 256mb ram, Cheetah HD, adaptec 2940, Intel NIC).
>
> Issue:
>
> Syslog seems to die (enter poll state) at undetermined times. At first I
> thought it was newsyslog related but I turned off newsyslog in cron and
> the problem continues. Hupping syslogd has no effect and I must kill it
> and restart to clear the poll state. I have searched the archives (pain in
> the neck without having the ability to search by date :^P ) and have not
> seen similar instances that have been answered.
>
> Question:
>
> Could some entry from one of my remote machines be killing syslogd?
> (I have looked at the entries in /var/log/messages that correspond to the
> times that cron dies/stops logging and nothing is out of the ordinary)
> There are no other cronjobs that correspond to the times that syslog
> stops...
>
> I would like to find out if anyone else has had this type of difficulty
> before I rebuild the system/replace files/at script to grep for the poll
> states, kill and restart syslogd...
>
>
> Thanks in advance.
>
> - Todd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message