Date: Sun, 16 May 2004 20:05:42 -0400
From: "Cyber Dog" <webmaster@cyberdogtech.com>
To: <freebsd-questions@freebsd.org>
Subject: RE: FreeBSD 4.7 Syslogs
Message-ID: <20040517000626.C64E943D2F@mx1.FreeBSD.org>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGOEEBFOAA.Barbish3@adelphia.net>

Well, I guess we'll have to chalk this one up to forces of nature. I replaced the old syslog.conf with:

############################################
# $FreeBSD: src/etc/syslog.conf,v 1.13.2.2 2001/02/26 09:26:11 phk Exp $
#
#	Spaces are NOT valid field separators in this file.
#	Consult the syslog.conf(5) manpage.

# Purchasing database syslog
local7.notice	/var/log/purchasing

# Postgres syslog
local0.*	/var/log/postgres
local2.*	/var/log/qmail/smtpd.log
local3.*	/var/log/qmail/send
local4.*	/var/log/qmail/masterlog
*.err;kern.debug;mail.crit	/dev/console
*.notice;kern.debug;lpr.info;mail.crit	/var/log/messages
authpriv.*	/var/log/authpriv
security.*	/var/log/security
mail.info	/var/log/maillog
lpr.info	/var/log/lpd-errs
cron.*	/var/log/cron
*.emerg	*
# uncomment this to log all writes to /dev/console to /var/log/console.log
console.info	/var/log/console.log
############################################

...and lo and behold the logs started working. As you said, it doesn't seem like it should have made a difference...but something changed. I still can't explain why it broke in the first place, but what's most important is that it started working again.

Your explanation was extremely helpful, and I'm very appreciative. It's very admirable that you give of your time to help out complete strangers. If you have a PayPal account, I wouldn't mind sending over a little token of my appreciation.

Thanks again,
Matt

-----Original Message-----
From: JJB [mailto:Barbish3@adelphia.net]
Sent: Saturday, May 15, 2004 10:42 PM
To: Matt "Cyber Dog" LaPlante
Subject: RE: FreeBSD 4.7 Syslogs

Matt.

You did not reboot the system before you captured the requested data, but that is ok. I will write this reply in a teaching manner, so don't think I am talking down to you.

The command ps ax displays all the tasks running on your system.

  843 p0- S 0:00.03 syslogd -d
  847 p0- I 0:00.03 syslogd -d
 1214 p0- I 0:00.03 syslogd -dv

From your posted data for the ps ax display, the above says you have 3 tasks running syslogd in debug mode. A reboot will get rid of this, or you can kill the tasks by using the task number, i.e. 843 for example. Enter on the command line killall 843 to kill that task, then do ps ax to see that it's gone, then do the same for the other 2 numbers, 847 & 1214.

***********************************************

Now let's cover how syslogs are defined and the control of auto rotate. This is very poorly described in man syslog and man newsyslog.

The command man is the command to display the manual on the console. So man newsyslog would display to the console screen the manual documentation for the newsyslog command. Be forewarned, the man documentation is very poorly written and conveys very little useful info.

I will focus on the messages log file as an example to explain what is happening, but the same process applies to all log files defined in /etc/syslog.conf.

In FBSD all messages to syslog use 2 elements to define the message: the facility and the message level. In syslog.conf the left side of the line is the facility.level. The level describes the severity of the message, and is a keyword from the following ordered list (higher to lower): emerg, alert, crit, err, warning, notice, info and debug. Coding *.notice means all messages emerg through notice.

With that info, looking at your syslog.conf it is obvious there are coding problems with some of the files, but nothing that would cause a log file not to work.

As a general rule the messages file is reserved for FBSD system messages, not application messages, which have their own log files. Local0 and local7 should not be going to the messages file as they have their own log files.

!local0.*;!local7.*;*.notice;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages

this should be re-written as

*.notice;kern.debug;lpr.info;mail.crit	/var/log/messages

!local0.*;*.err;kern.debug;auth.notice;mail.crit	/dev/console
!local0.*;*.notice;news.err	/dev/console
!local0.*;*.alert	/dev/console

This is a real mess, should be re-written as

*.err;kern.debug;mail.crit	/dev/console

I did not see a news group server enabled in rc.conf so news.err is not necessary. You will only see these console messages when you are logged in as root; they are not saved in between logins.

This

local7.crit;local7.err;local7.notice	/var/log/purchasing

should be this

local7.notice	/var/log/purchasing

as all the higher message levels are included; it does the same thing as the original statement.

*************************************************************************

The newsyslog.conf holds the trigger definition which says under what conditions the log is to be rotated. When a log is rotated the last log, say log.3, is deleted, log.2 is renamed to log.3, log.1 is renamed to log.2, log.0 becomes log.1 and log becomes log.0, and then a new log file is created and a -hup signal command is issued so the application will start writing to the new log file.

Looking at newsyslog.conf we see that the messages file is triggered to rotate when the messages file size is larger than 100k.

/var/log/messages 600 5 100 * Z

How the process works is like this. cron is a scheduling application. /etc/crontab contains a statement that says that at the top of every hour run the newsyslog command.

# rotate log files every hour, if necessary
0	*	*	*	*	root	newsyslog

The newsyslog command reads the newsyslog.conf file looking for each file trigger. It finds that the messages log trigger is 100 K and it checks the size of the messages file; if greater than 100k it gets rotated and the file names are rolled as I said above.

Let's look at your messages files

-rw------- 1 root wheel 61 May 12 15:36 /var/log/messages
-rw-r-x--- 1 root wheel 94 May 12 15:36 /var/log/messages.0.gz
-rw------- 1 root wheel 6944 May 7 2003 /var/log/messages.1.gz
-rw------- 1 root wheel 6699 May 4 2003 /var/log/messages.2.gz
-rw------- 1 root wheel 8964 May 1 2003 /var/log/messages.3.gz
-rw------- 1 root wheel 9271 Apr 26 2003 /var/log/messages.4.gz
-rw------- 1 root wheel 10329 Apr 18 2003 /var/log/messages.5.gz

First thing is the rotated files are compressed; that is what .gz means. This is defined in the newsyslog.conf file and can be changed in that conf file.

The number to the left of the date is the file size. You see the messages file size is 61 bytes. That probably is just a one-line message. To me that says that everything is working. You must keep in mind that error messages are not supposed to happen, so this log may go days without growing at all. Just look at the dates of the rotated logs. It takes some time to fill the log up to 100k before it rotates. The messages.0.gz file is small because you manually forced it to rotate by issuing the newsyslog command.

Final summary. Other than those syslogd tasks you have running that need to be killed, and some housekeeping cleanup in the syslog.conf file, your system looks ok to me.

As part of the cron scheduling system there are pre-canned management daily, weekly and monthly reports that are emailed to root by default. You should look for those reports, as one of them scans the messages log for error messages to notify you about. They may be going to the old sysadmin email address. Look for them. If when you log on as root you see a message 'you have mail' or something like that, enter mail on the command line; pressing the enter key will scroll you through the email messages. When you get the eof message, enter d * to delete all viewed email, then enter quit to exit the mail client program and return to the root command line.

I see you have a NIC card xl0 on the system but I can not tell how you are connected to the internet, but that is out of the scope of what we are covering here, for it working.

I think your original post about your logs not working was just you not understanding how things are supposed to work, and that no growth or very little growth in the messages file is really a good thing.

I hope this helps you out in learning FreeBSD.

I have a FreeBSD installer guide for the newbie which covers all the basics. You may find it useful in coming up to speed. Check out www.a1poweruser.com for details and a demo.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Matt "Cyber Dog" LaPlante
Sent: Saturday, May 15, 2004 4:39 PM
To: freebsd-questions@FreeBSD.org
Subject: RE: FreeBSD 4.7 Syslogs

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/etc/syslog.conf:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# $FreeBSD: src/etc/syslog.conf,v 1.13.2.2 2001/02/26 09:26:11 phk Exp $
#
#	Spaces are NOT valid field separators in this file.
#	Consult the syslog.conf(5) manpage.

# Purchasing database syslog
local7.crit;local7.err;local7.notice	/var/log/purchasing

# Postgres syslog
local0.*	/var/log/postgres
local2.*	/var/log/qmail/smtpd.log
local3.*	/var/log/qmail/send
local4.*	/var/log/qmail/masterlog
!local0.*;*.err;kern.debug;auth.notice;mail.crit	/dev/console
!local0.*;!local7.*;*.notice;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
authpriv.*	/var/log/authpriv
security.*	/var/log/security
mail.info	/var/log/maillog
lpr.info	/var/log/lpd-errs
cron.*	/var/log/cron
!local0.*;*.notice;news.err	/dev/console
!local0.*;*.alert	/dev/console
*.emerg	*
# uncomment this to log all writes to /dev/console to /var/log/console.log
console.info	/var/log/console.log

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
/etc/newsyslog.conf:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# configuration file for newsyslog
# $FreeBSD: src/etc/newsyslog.conf,v 1.25.2.8 2001/12/14 11:50:42 rwatson Exp $
#
# Note: some sites will want to select more restrictive protections than the
# defaults. In particular, it may be desirable to switch many of the 644
# entries to 640 or 600. For example, some sites will consider the
# contents of maillog, messages, and lpd-errs to be confidential. In the
# future, these defaults may change to more conservative ones.
#
# logfilename [owner:group] mode count size when [ZJB] [/pid_file] [sig_num]
/var/log/cron                 600  3    100  *      Z
/var/log/amd.log              644  7    100  *      Z
/var/log/kerberos.log         600  7    100  *      Z
/var/log/lpd-errs             640  7    100  *      Z
/var/log/maillog              600  14   *    @T00   Z
/var/log/sendmail.st          640  10   *    168    B
/var/log/messages             600  5    100  *      Z
/var/log/all.log              600  7    *    @T00   Z
/var/log/slip.log             600  3    100  *      Z
/var/log/ppp.log              600  3    100  *      Z
/var/log/security             600  10   100  *      Z
/var/log/wtmp                 644  3    *    @01T05 B
/var/log/daily.log            640  7    *    @T00   Z
/var/log/weekly.log           640  5    1    $W6D0  Z
/var/log/monthly.log          640  12   *    $M1D0  Z
/var/log/console.log          600  5    100  *      Z
# This is all custom stuff
/var/log/postgres             600  50   250  *      Z
/var/log/log.nmbd             600  50   250  *      Z
/var/log/log.smbd             600  50   250  *      Z
#/var/log/uvscan              600  50   250  *      Z
/var/log/qmail/current        600  100  250  *      Z
/var/log/qmail/smtpd/current  600  100  250  *      Z
/var/log/local_rsync          600  10   500  *      Z
/var/log/purchasing           600  50   500  *      Z

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ls -l /var/log/*:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-rw-r-x--- 1 root wheel 695 Jul 9 2002 /var/log/3w-aenlog.txt
-rw-r-x--- 1 root wheel 647 Jan 29 2003 /var/log/adduser
-rw-r-x--- 1 root wheel 484877 May 7 2003 /var/log/authpriv
-rw------- 1 root wheel 61 May 12 15:37 /var/log/console.log
-rw-r-x--- 1 root wheel 5751 May 12 15:37 /var/log/console.log.0.gz
-rw------- 1 root wheel 4612 May 6 2003 /var/log/console.log.1.gz
-rw------- 1 root wheel 7955 May 6 2003 /var/log/console.log.2.gz
-rw------- 1 root wheel 4710 May 4 2003 /var/log/console.log.3.gz
-rw------- 1 root wheel 8716 May 3 2003 /var/log/console.log.4.gz
-rw------- 1 root wheel 9406 May 1 2003 /var/log/console.log.5.gz
-rw------- 1 root wheel 61 May 12 15:36 /var/log/cron
-rw-r-x--- 1 root wheel 5039 May 12 15:36 /var/log/cron.0.gz
-rw------- 1 root wheel 6921 May 6 2003 /var/log/cron.1.gz
-rw------- 1 root wheel 6738 May 4 2003 /var/log/cron.2.gz
-rw------- 1 root wheel 6829 May 3 2003 /var/log/cron.3.gz
-rw------- 1 root wheel 31335 May 15 03:06 /var/log/dmesg.today
-rw------- 1 root wheel 31335 May 14 03:06 /var/log/dmesg.yesterday
lrwxr-xr-x 1 root wheel 22 May 1 2002 /var/log/httpd -> /usr/local/apache/logs
-rw-r-x--- 1 root wheel 1635786 May 15 13:08 /var/log/kavscan.rpt
-rw-r-x--- 1 root wheel 31080 May 15 16:18 /var/log/lastlog
-rw------- 1 root wheel 61 May 12 15:38 /var/log/local_rsync
-rw-r-x--- 1 root wheel 38054 May 12 15:38 /var/log/local_rsync.0.gz
-rw------- 1 root wheel 201766 Jun 12 2002 /var/log/local_rsync.1.gz
-rw------- 1 root wheel 365750 Jun 8 2002 /var/log/local_rsync.10.gz
-rw------- 1 root wheel 453883 Jun 11 2002 /var/log/local_rsync.2.gz
-rw------- 1 root wheel 188191 Jun 11 2002 /var/log/local_rsync.3.gz
-rw------- 1 root wheel 206870 Jun 11 2002 /var/log/local_rsync.4.gz
-rw------- 1 root wheel 452912 Jun 10 2002 /var/log/local_rsync.5.gz
-rw------- 1 root wheel 194575 Jun 10 2002 /var/log/local_rsync.6.gz
-rw------- 1 root wheel 204531 Jun 10 2002 /var/log/local_rsync.7.gz
-rw------- 1 root wheel 448883 Jun 9 2002 /var/log/local_rsync.8.gz
-rw------- 1 root wheel 224066 Jun 9 2002 /var/log/local_rsync.9.gz
-rw-r-x--- 1 root wheel 0 Apr 24 2002 /var/log/log.cicero
-rw------- 1 root wheel 7709 May 15 13:08 /var/log/log.nmbd
-rw-r-x--- 1 root wheel 7532 May 12 15:37 /var/log/log.nmbd.0.gz
-rw------- 1 root wheel 12238 May 17 2002 /var/log/log.nmbd.1.gz
-rw------- 1 root wheel 472 May 15 13:08 /var/log/log.smbd
-rw-r-x--- 1 root wheel 8990 May 12 15:37 /var/log/log.smbd.0.gz
-rw------- 1 root wheel 35534 May 18 2002 /var/log/log.smbd.1.gz
-rw------- 1 root wheel 38962 May 17 2002 /var/log/log.smbd.10.gz
-rw------- 1 root wheel 77573 May 17 2002 /var/log/log.smbd.11.gz
-rw------- 1 root wheel 61362 May 18 2002 /var/log/log.smbd.2.gz
-rw------- 1 root wheel 97363 May 18 2002 /var/log/log.smbd.3.gz
-rw------- 1 root wheel 142495 May 18 2002 /var/log/log.smbd.4.gz
-rw------- 1 root wheel 8288 May 18 2002 /var/log/log.smbd.5.gz
-rw------- 1 root wheel 11058 May 18 2002 /var/log/log.smbd.6.gz
-rw------- 1 root wheel 18904 May 18 2002 /var/log/log.smbd.7.gz
-rw------- 1 root wheel 66004 May 17 2002 /var/log/log.smbd.8.gz
-rw------- 1 root wheel 73041 May 17 2002 /var/log/log.smbd.9.gz
-rw-r----- 1 root wheel 61 May 12 15:36 /var/log/lpd-errs
-rw-r-x--- 1 root wheel 89 May 12 15:36 /var/log/lpd-errs.0.gz
-rw------- 1 root wheel 63 May 15 00:00 /var/log/maillog
-rw------- 1 root wheel 101 May 15 00:00 /var/log/maillog.0.gz
-rw------- 1 root wheel 100 May 14 00:00 /var/log/maillog.1.gz
-rw------- 1 root wheel 101 May 6 00:00 /var/log/maillog.10.gz
-rw------- 1 root wheel 101 May 5 00:00 /var/log/maillog.11.gz
-rw------- 1 root wheel 100 May 4 00:00 /var/log/maillog.12.gz
-rw------- 1 root wheel 100 May 3 00:00 /var/log/maillog.13.gz
-rw------- 1 root wheel 101 May 2 00:00 /var/log/maillog.14.gz
-rw------- 1 root wheel 106 May 13 00:00 /var/log/maillog.2.gz
-rw------- 1 root wheel 106 May 12 15:36 /var/log/maillog.3.gz
-rw------- 1 root wheel 101 May 12 00:00 /var/log/maillog.4.gz
-rw------- 1 root wheel 100 May 11 00:00 /var/log/maillog.5.gz
-rw------- 1 root wheel 102 May 10 00:00 /var/log/maillog.6.gz
-rw------- 1 root wheel 101 May 9 00:00 /var/log/maillog.7.gz
-rw------- 1 root wheel 105 May 8 00:00 /var/log/maillog.8.gz
-rw------- 1 root wheel 104 May 7 00:00 /var/log/maillog.9.gz
-rw------- 1 root wheel 61 May 12 15:36 /var/log/messages
-rw-r-x--- 1 root wheel 94 May 12 15:36 /var/log/messages.0.gz
-rw------- 1 root wheel 6944 May 7 2003 /var/log/messages.1.gz
-rw------- 1 root wheel 6699 May 4 2003 /var/log/messages.2.gz
-rw------- 1 root wheel 8964 May 1 2003 /var/log/messages.3.gz
-rw------- 1 root wheel 9271 Apr 26 2003 /var/log/messages.4.gz
-rw------- 1 root wheel 10329 Apr 18 2003 /var/log/messages.5.gz
-rw------- 1 root wheel 204 Nov 15 2003 /var/log/mount.today
-rw------- 1 root wheel 271 Oct 23 2003 /var/log/mount.yesterday
-rw------- 1 root wheel 7689 May 15 13:08 /var/log/postgres
-rw------- 1 root wheel 13895 May 12 15:37 /var/log/postgres.0.gz
-rw------- 1 root wheel 16999 Mar 5 02:00 /var/log/postgres.1.gz
-rw------- 1 root wheel 19535 Jan 12 10:00 /var/log/postgres.2.gz
-rw------- 1 root wheel 18334 Oct 28 2003 /var/log/postgres.3.gz
-rw------- 1 root wheel 18375 Jun 18 2003 /var/log/postgres.5.gz
-rw------- 1 root wheel 18452 Apr 15 2003 /var/log/postgres.6.gz
-rw------- 1 root wheel 20339 Mar 13 2003 /var/log/postgres.7.gz
-rw------- 1 root wheel 21319 Dec 30 2002 /var/log/postgres.8.gz
-rw------- 1 root wheel 27132 Nov 20 2002 /var/log/postgres.9.gz
-rw------- 1 root wheel 61 May 12 15:37 /var/log/ppp.log
-rw-r-x--- 1 root wheel 88 May 12 15:37 /var/log/ppp.log.0.gz
-rw------- 1 root wheel 61 May 12 15:38 /var/log/purchasing
-rw-r-x--- 1 root wheel 656 May 12 15:38 /var/log/purchasing.0.gz
-rw-r-x--- 1 root wheel 26683 May 12 14:09 /var/log/pw
-rw------- 1 root wheel 61 May 12 15:37 /var/log/security
-rw-r-x--- 1 root wheel 89 May 12 15:37 /var/log/security.0.gz
-rw------- 1 root wheel 14330 May 15 03:06 /var/log/setuid.today
-rw------- 1 root wheel 14330 May 14 03:06 /var/log/setuid.yesterday
-rw------- 1 root wheel 61 May 12 15:36 /var/log/slip.log
-rw-r-x--- 1 root wheel 89 May 12 15:36 /var/log/slip.log.0.gz
-rw-r-x--- 1 root wheel 0 May 29 2002 /var/log/tivoli.log
-rw-r-x--- 1 root wheel 360 Apr 10 2002 /var/log/userlog
-rw-r-x--- 1 root wheel 2805 May 29 2002 /var/log/uvscan
-rw-r--r-- 1 root wheel 2244 May 15 16:18 /var/log/wtmp
-rw-r--r-- 1 root wheel 2024 May 12 15:30 /var/log/wtmp.0
-rw-r--r-- 1 root wheel 5456 Apr 30 13:52 /var/log/wtmp.1
-rw-r--r-- 1 root wheel 7436 Mar 29 00:34 /var/log/wtmp.2
-rw-r--r-- 1 root wheel 5412 Feb 27 12:53 /var/log/wtmp.3
-rw-r-x--- 1 root wheel 348720 Apr 29 18:32 /var/log/xferlog

-
  843 p0- S 0:00.03 syslogd -d
  847 p0- I 0:00.03 syslogd -d
 1214 p0- I 0:00.03 syslogd -dv
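
The selector rules explained in the quoted reply (a facility.level selector takes that level and everything more severe), worked through in Python as an added example that is not part of the thread. It goes a little further than the messages do: it also models syslogd applying the selectors of one field left to right, so a later selector replaces an earlier one for the same facility, and the `*` and `none` level keywords from syslog.conf(5). CONF is a constructed sample built from five lines of the replacement syslog.conf; the function names are hypothetical, and program and host block lines are assumed absent.

```python
import re

# Severity keywords, most severe first, in the order given in the reply above.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: five lines taken from the replacement syslog.conf above,
# with a tab between the selector field and the action.
CONF = (
    "local7.notice\t/var/log/purchasing\n"
    "local0.*\t/var/log/postgres\n"
    "*.err;kern.debug;mail.crit\t/dev/console\n"
    "*.notice;kern.debug;lpr.info;mail.crit\t/var/log/messages\n"
    "mail.info\t/var/log/maillog\n"
)

def compile_selectors(field):
    # Selectors apply left to right: a later one replaces an earlier one for
    # the same facility, and '*' as the facility resets every facility.
    per_fac, default = {}, None
    for selector in field.split(";"):
        facilities, level = selector.rsplit(".", 1)
        if level in LEVELS:
            threshold = LEVELS.index(level)
        else:
            # '*' selects every level; 'none' switches the facility off.
            threshold = {"*": len(LEVELS) - 1, "none": None}[level]
        for fac in facilities.split(","):
            if fac == "*":
                per_fac, default = {}, threshold
            else:
                per_fac[fac] = threshold
    return per_fac, default

def matches(field, facility, level):
    """True if a facility.level message is selected (that level or more severe)."""
    per_fac, default = compile_selectors(field)
    threshold = per_fac.get(facility, default)
    return threshold is not None and LEVELS.index(level) <= threshold

def destinations(conf, facility, level):
    """List the actions, in file order, that receive a facility.level message."""
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        # Comments are skipped; '!prog' / '+host' block lines are not modelled.
        if not line or line[0] in "#!+-":
            continue
        field, action = re.split(r"\t+", line, maxsplit=1)
        if matches(field, facility, level):
            hits.append(action)
    return hits

if __name__ == "__main__":
    for fac, lvl in [("local7", "err"), ("mail", "err"), ("kern", "debug")]:
        print(f"{fac}.{lvl} -> {destinations(CONF, fac, lvl)}")
```

For the sample, a local7.err message is delivered to /var/log/purchasing, /dev/console and /var/log/messages, because `*.err` and `*.notice` cover every facility, while mail.err reaches only /var/log/maillog, because `mail.crit` replaces the wildcard threshold for mail on the console and messages lines.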