[CentOS] Syslog

Sam Drinkard sam at wa4phy.net
Tue Jun 27 20:00:44 UTC 2006



William L. Maltby wrote:
>
>> AFAIK, the machine has not been compromised.  It's pretty well sealed off 
>> with the exception of myself and 2 other very trusted users. Not exposed 
>> even on port 80.  Named is really only caching, and I do know from past 
>> kills, it does write to /var/log/messages.  I'm very tempted to boot 
>> again and see if something shows up somewhere else, but one of my main 
>> jobs just started up and I hate to kill it off due to time constraints.
>>     
>
> Well, if you're not worried about a compromise under these
> circumstances... ;-)) I'd let your jobs finish and not sweat about it.
> You said you had plenty of disk space, did you "df -i" to see if you
> exhausted your i-nodes (unlikely, I know, but no assumptions are
> warranted now).
>
> Do you have quotas? Any chance they hit someone they weren't supposed to
> hit? Permissions on the directory still as they should be?
>
> [wild-bill at wlmlfs08 ~]$ ls -dl /var/log
> drwxr-xr-x  22 root root 4096 Jun 25 04:02 /var/log
>
> As folks have mentioned in other threads, a chkrootkit run might be
> appropriate if you can't find the cause.
>   
There is no way this machine could be compromised from outside.  It just 
can't happen.  Plenty of i-nodes, plenty of disk space, no quotas, all 
the lock files are correct, directory perms are OK, file perms are OK, 
etc.  It may be time to reboot anyhow and see if it comes back, or if 
something pops up during the reboot -- hang the run -- I need the log 
files to make sure some other software is working, and it appears that 
the logging for it is bombed too; even though it's got its own logging 
facility, it does use syslog to write.  Have tried with and without it 
active, and no joy.

There's gotta be something strange.  Now that I think about it, my daily 
log got really short sometime back, but I don't remember exactly when.  I 
assumed it was due to stopping a lot of processes.  Hmmm.... someone 
tell me what processes besides syslog and dbus are required for it.  I 
may have stepped on my thingy myself!
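The checks the two posters walk through above (free i-nodes and blocks with df, permissions on /var/log, whether a syslog daemon is actually running, and whether a message really lands in the file) collected into one script. This is an added example, not code from the thread or from CentOS. It assumes a Linux host with GNU coreutils (df -P, stat -c), find, pgrep and logger; the log file path and the logger tag are parameters, so every check can be pointed at a scratch file instead of the real /var/log/messages.

```shell
#!/bin/sh
# Added example, not part of the thread: a mechanical version of the
# checklist the posters walk through when syslog stops writing to
# /var/log/messages. Assumes Linux with GNU coreutils (df -P, stat -c),
# find, pgrep and logger. Run as root against the real /var/log/messages;
# every check takes a path argument, so it can be aimed at a scratch file.

# Free inodes on the filesystem holding $1 (the thread's "df -i").
# Prints a number (0 if df reports none or "-"); status 0 when some are free.
inodes_free() {
    free=$(df -iP "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    case $free in ''|*[!0-9]*) free=0 ;; esac
    echo "$free"
    [ "$free" -gt 0 ]
}

# Free 1K blocks on the filesystem holding $1 (plain "df").
blocks_free() {
    free=$(df -kP "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    case $free in ''|*[!0-9]*) free=0 ;; esac
    echo "$free"
    [ "$free" -gt 0 ]
}

# Log directory sanity, the "ls -dl /var/log" check made mechanical:
# it must exist, be writable by the caller, and not be world-writable.
dir_perms_ok() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    [ -w "$1" ] || { echo "$1: not writable by $(id -un)"; return 1; }
    if [ -n "$(find "$1" -maxdepth 0 -perm -002)" ]; then
        echo "$1: world-writable"; return 1
    fi
    echo "$1: $(stat -c '%A %U:%G' "$1")"
}

# Seconds since $1 was last written. A log that has gone quiet for hours
# on a busy machine is a symptom in itself (the "daily log got short").
seconds_since_write() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1") || return 1
    echo $((now - mtime))
}

# Which syslog daemon is running, if any. Prints its name; status 1 if none.
syslog_daemon() {
    for d in syslogd rsyslogd syslog-ng; do
        if pgrep -x "$d" >/dev/null 2>&1; then
            echo "$d"; return 0
        fi
    done
    echo "no syslog daemon running"; return 1
}

# End-to-end: push a uniquely tagged message through syslog(3) via logger
# and look for it in the file. $1 = log file, $2 = tag (default sysck<pid>).
syslog_roundtrip() {
    tag=${2:-sysck$$}
    marker="roundtrip-$(date +%s)"
    logger -t "$tag" "$marker" || { echo "logger failed"; return 1; }
    sleep 2
    if grep -q "$tag.*$marker" "$1"; then
        echo "message reached $1"
    else
        echo "message did NOT reach $1"; return 1
    fi
}

# Run every check against one log file and report; status 1 if any failed.
run_checklist() {
    log=${1:-/var/log/messages}
    dir=$(dirname "$log")
    rc=0
    inodes_free "$dir" >/dev/null || { echo "no free inodes on $dir"; rc=1; }
    blocks_free "$dir" >/dev/null || { echo "no free blocks on $dir"; rc=1; }
    dir_perms_ok "$dir" || rc=1
    if age=$(seconds_since_write "$log"); then
        echo "last write to $log: $age s ago"
    else
        echo "$log: missing or unreadable"; rc=1
    fi
    syslog_daemon || rc=1
    syslog_roundtrip "$log" || rc=1
    return $rc
}

# With an argument, run the checklist; with none, only define the functions
# so the file can be sourced. Example: sh sysck.sh /var/log/messages
if [ $# -gt 0 ]; then
    run_checklist "$1"
    exit $?
fi
```

The round-trip check is the one that settles the question in the thread: if logger's message never reaches the file while the daemon is running, the space and permission checks are fine, and the directory is sane, the fault is in the daemon's configuration or its open file descriptors (a rotated or deleted file that was never reopened), not in the filesystem.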
