From: Bob Ababurko
Date: Fri, 10 Dec 2004 19:22:46 -0500
To: freebsd-security@freebsd.org
Subject: way to duplicate logs?
Message-ID: <41BA3DD6.5040702@adelphia.net>

Hello-

I am a bit confused here. I have just had some issues with my box and I am looking for some opinions. I had just been denied access to my box...supposedly from a memory shortage in reference to my NIC....more specifically, mbuf clusters exhausted. Now I am looking in my /var/log/messages for when this started and I notice a discrepancy in my logs. Now from where I am looking, I see time in the logs go backwards. You can see it as soon as the box is rebooted. Is there an explanation for this?

bash-2.05b# tail -200 /var/log/messages
Dec 7 19:01:03 additional su: bob to root on /dev/ttyp0
Dec 8 10:19:35 additional su: bob to root on /dev/ttyp1
Dec 8 18:09:24 additional su: BAD SU bob to root on /dev/ttyp0
Dec 8 18:09:29 additional su: bob to root on /dev/ttyp0
Dec 10 17:36:45 additional /kernel: All mbuf clusters exhausted, please see tuning(7).
Dec 10 17:37:16 additional last message repeated 31 times
Dec 10 17:39:17 additional last message repeated 121 times
Dec 10 17:49:18 additional last message repeated 575 times
Dec 10 17:59:19 additional last message repeated 545 times
Dec 10 14:08:10 additional /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
Dec 10 14:08:10 additional /kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Dec 10 14:08:10 additional /kernel: The Regents of the University of California. All rights reserved.
Dec 10 14:08:10 additional /kernel: FreeBSD 4.9-RELEASE #0: Tue Nov 30 01:20:25 AST 2004

The date on the box should not have changed during that reboot, as it was in sync with ntp and still is.

Also, is there a way to make more than one copy of these logs?....I am not sure how this is set up, but I would like to possibly have another set of logs in place so if someone is editing them, I can catch it. I know there is a chance that I may be overreacting, but just in case I want to know.

Thanks,
Bob
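
The backwards step described in the post can be checked for mechanically. The script below is an added example, not part of the original message: it flags every syslog line whose timestamp is earlier than the line before it and records whether that line is a kernel boot banner, so clock steps at boot can be reviewed separately from regressions in the middle of a running system's log. The function name, the year argument and the boot-banner pattern are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the /var/log/messages excerpt in the post.
SAMPLE = """\
Dec 8 18:09:29 additional su: bob to root on /dev/ttyp0
Dec 10 17:36:45 additional /kernel: All mbuf clusters exhausted, please see tuning(7).
Dec 10 17:59:19 additional last message repeated 545 times
Dec 10 14:08:10 additional /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
Dec 10 14:08:10 additional /kernel: FreeBSD 4.9-RELEASE #0: Tue Nov 30 01:20:25 AST 2004
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
LINE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+\S+\s+(.*)$")
# Assumption: a kernel copyright line marks the start of a boot banner.
BOOT = re.compile(r"kernel: Copyright \(c\)")


def find_regressions(text, year=2004):
    """Return one record per line whose timestamp precedes the previous line's.

    Syslog timestamps carry no year, so `year` is an assumption and a log that
    spans New Year will show one false regression at the rollover.
    """
    findings, prev = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m or m.group(1) not in MONTHS:
            continue  # skip continuation lines and anything unparseable
        mon, day, hh, mm, ss, msg = m.groups()
        ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        if prev is not None and ts < prev:
            findings.append({
                "line": lineno,
                "back_seconds": int((prev - ts).total_seconds()),
                "at_boot": bool(BOOT.search(msg)),
                "text": raw,
            })
        prev = ts
    return findings


if __name__ == "__main__":
    for f in find_regressions(SAMPLE):
        where = "at boot banner" if f["at_boot"] else "mid-run"
        print(f"line {f['line']}: clock went back {f['back_seconds']}s ({where})")
        print("   ", f["text"])
```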