Date: Fri, 31 Jul 1998 22:06:25 GMT
From: Brian Neal
Message-Id: <199807312206.WAA16594@free1.cetinc.com>
To: brian@free1.cetinc.com, dwhite@resnet.uoregon.edu
Subject: Re: Logfile question
Cc: freebsd-questions@FreeBSD.ORG

> From dwhite@resnet.uoregon.edu Fri Jul 31 17:19:52 1998
> Date: Fri, 31 Jul 1998 14:16:57 -0700 (PDT)
> From: Doug White
> To: Brian Neal
> cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: Logfile question
>
> On Thu, 30 Jul 1998, Brian Neal wrote:
>
> > I have a question regarding logfile rotation and removal. Specifically, my
> > messages and ftpd files have disappeared. This is 2.2.6-STABLE. I was
> > wondering if they would be deleted to free up space? There was an incident
> > on this machine a few days ago, someone got ahold of a username and password
> > and got into the system via ftp. This individual did not, however, have
> > permissions necessary to delete any of these files, however, since I have no
> > logs, I can't tell what did happen. If this individual used some kind of
> > password dictionary to get in (obviously generating a very large amount of
> > unsuccessful login attempts), could the messages log have been deleted to
> > conserve space?
>
> They could have been rolled (they'd be in /var/log/messages.?.gz) and for
> some reason newsyslog couldn't touch /var/log/messages then restart
> syslogd to get things flowing again.
>
>
> Doug White                            | University of Oregon
> Internet: dwhite@resnet.uoregon.edu   | Residence Networking Assistant
> http://gladstone.uoregon.edu/~dwhite  | Computer Science Major
>

I've restarted syslogd, but all the gzipped files were gone too...

-brian
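
The check discussed in this thread (are the rolled files under /var/log/messages.?.gz present, and is the live log there) can be run over every log newsyslog manages. The following sh function is an added example, not part of the original thread; the ROOT prefix argument, the finding labels, and the field layout and archive naming noted in its comments are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit newsyslog archives for gaps.
# Assumed config fields: logfile [owner] mode count size when [flags] [pidfile]
# Assumed archive names: <log>.0 .. <log>.<count-1>, with ".gz" when flag Z is set.
# Usage: check_rotation /etc/newsyslog.conf

# check_rotation CONF [ROOT]; ROOT is a hypothetical prefix for an offline copy.
# Prints one finding per line; exit status is 0 only when nothing is suspicious.
check_rotation() {
    conf=$1; root=${2:-}; findings=0
    while read -r log f2 f3 f4 f5 f6 f7 rest; do
        case $log in ''|'#'*) continue ;; esac
        # The owner field is optional: detect it by whether f2 is an octal mode.
        case $f2 in
            [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) count=$f3; flags=$f6 ;;
            *)                                    count=$f4; flags=$f7 ;;
        esac
        case $count in ''|*[!0-9]*) continue ;; esac
        case $flags in /*) flags= ;; esac   # a pid file path, not flags
        case $flags in *Z*) ext=.gz ;; *) ext= ;; esac

        # newsyslog recreates the live log after rotating, so it should exist.
        if [ ! -e "$root$log" ]; then
            echo "NO_LIVE_LOG $log"; findings=$((findings + 1))
        fi
        # Rotation only discards the oldest generation, so a missing generation
        # that is newer than an existing one is not explained by rotation.
        i=$((count - 1)); older_seen=
        while [ "$i" -ge 0 ]; do
            if [ -e "$root$log.$i$ext" ]; then
                older_seen=1
            elif [ -n "$older_seen" ]; then
                echo "GAP $log.$i$ext"; findings=$((findings + 1))
            fi
            i=$((i - 1))
        done
        # Informational only: the log may simply never have been rotated.
        [ -n "$older_seen" ] || echo "NO_ARCHIVES $log"
    done < "$conf"
    [ "$findings" -eq 0 ]
}
```

A NO_LIVE_LOG line together with NO_ARCHIVES for the same log matches the situation Brian describes, which rotation by itself does not produce.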