From: randall ehren
Date: Fri, 10 Dec 2004 16:49:40 -0800
To: Bob Ababurko
cc: freebsd-security@freebsd.org
Subject: Re: way to duplicate logs?
Message-ID: <41BA4424.7040201@ucsb.edu>
In-Reply-To: <41BA3DD6.5040702@adelphia.net>

> I am a bit confused here.  I have just had some issues with my box and I
> am looking for some opinions.  I just had been denied access to my
> box...supposedly from a memory shortage in reference to my NIC....more
> specifically, mbuf clusters exhausted.  Now I am looking in my
> /var/log/messages for when this started and I notice a discrepancy in my
> logs.  Now from where I am looking, I see time in the logs go backwards.
> You can see it as soon as the box is rebooted.  Is there an explanation
> for this?

it could be that your BIOS time is conflicting with freebsd's - during
your install did you select "YES" for "Does your BIOS keep track of
time?" or whatever the question is...

> The date on the box should not have changed during that reboot, as it
> was in sync with ntp and still is.

are you sure ntp is running? to check:

  root@box[~]% \ps -waux | grep ntp

> Also, is there a way to make more than one copy of these logs?....I am
> not sure how this is set up, but I would like to possibly have
> another set of logs in place so if someone is editing them, I can catch
> it.  I know there is a chance that I may be overreacting, but just in
> case I want to know.

you can set up another machine to receive logs:

  http://isber.ucsb.edu/~randall/instructions/loghost/

or just

  % man 5 syslog.conf

-randall

--
randall s. ehren                 :// 805.893.5632
systems administrator            :// isber.ucsb.edu
institute for social, behavioral, and economic research
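An added example, not part of the original message: a Python check for the two things raised in this thread, timestamps that run backwards in a syslog file and messages that the loghost copy holds but the local file does not. It assumes both copies use the standard `Mmm dd hh:mm:ss host message` line form; the function names and the sample lines are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def parse_ts(line, year):
    """Leading BSD syslog timestamp ('Dec 10 16:49:40') as a datetime, or None."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None

def backward_jumps(lines, year):
    """Return (line_number, previous, current) wherever time runs backwards.

    Syslog lines carry no year, so a jump back of more than 180 days is
    treated as a Dec -> Jan rollover rather than a discrepancy.
    """
    jumps, prev = [], None
    for n, line in enumerate(lines, 1):
        ts = parse_ts(line, year)
        if ts is None:
            continue  # continuation line or other text without a timestamp
        if prev is not None and prev - ts > timedelta(days=180):
            year += 1
            ts = parse_ts(line, year)
        if prev is not None and ts < prev:
            jumps.append((n, prev, ts))
        prev = ts
    return jumps

def body(line):
    """Message text after the timestamp and hostname fields."""
    return line[16:].split(" ", 1)[-1].strip()

def missing_locally(local, loghost):
    """Messages the loghost received that the local file no longer contains."""
    gone = Counter(map(body, loghost)) - Counter(map(body, local))
    return sorted(gone.elements())

# Constructed sample lines (assumption: not taken from the poster's machine).
LOCAL = [
    "Dec 10 15:58:02 box kernel: constructed message A",
    "Dec 10 16:01:10 box syslogd: restart",
    "Dec 10 08:01:15 box kernel: constructed message B",
    "Dec 10 08:02:00 box ntpd[101]: constructed message C",
]
LOGHOST = LOCAL[:1] + ["Dec 10 15:59:30 box sshd[202]: constructed message D"] + LOCAL[1:]

if __name__ == "__main__":
    print(backward_jumps(LOCAL, 2004))
    print(missing_locally(LOCAL, LOGHOST))
```

A backwards jump right after a reboot is consistent with the BIOS-clock explanation given above, while a message missing from the local file but present on the loghost is the case the second copy is meant to catch.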