[Wftl-lug] lastlog and syslogd weirdness

Nelson Garcia garcian002 at hawaii.rr.com
Tue Mar 13 10:22:49 PST 2001


I hope that my adventures help someone out there:

I might be on to something here.  I discovered last night that my
/var/log/news directory contained literally thousands of files, so many that
'ls' or 'rm' could not handle the number and I had to get very specific in
order to remove them.  It appears that the logrotate cron script that comes
out of the box in Mandrake 7.1 is broken somewhere.

The script is supposed to tar the previous day's log and add a number to it
up to a predetermined level (in my case 5).  All my other log directories
are OK, except /var/log/news, where I had files in the order of
"news.gz.1.gz.1.gz.1.gz.1.gz.1.........gz.5.gz", about 16 deep. 5 ^15 number
of files?  I thought I would run out of inodes with that many files.  Did I?
I don't know what the symptoms would be.

I spent a lot of time backing up and cleaning out my drive so I didn't get a
chance to dig into the script but I suspect that it may be spawning extra
syslogd's while it's running and if that depends on having the next day's
file ready, it may be creating a race condition when the number of files is
so huge. Just a theory.

The lastlog file got fixed after I removed the corrupted file and ran
lastlog (the executable).

If anyone has ever seen this sort of behavior, or if I'm out-to-lunch,
please set me straight.  After all, I have only been doing this Linux thing
for a year.

I feel better now since I did find something wrong and it seems like it
shouldn't be hard to fix.
Thanks everyone for your help.
Aloha,
Nelson

----- Original Message -----
From: "Nelson Garcia" <garcian002 at hawaii.rr.com>
To: "Linux & Unix Advocates & Users" <luau at maile.hi.net>
Sent: Monday, March 12, 2001 08:52 AM
Subject: [luau] RE: [Wftl-lug] lastlog and syslogd weirdness


> Jay, here's a recap:
> The problem is that on Sunday morning I noticed that my syslog contained
> hundreds of entries indicating 'restarting syslogd' and that my 'lastlog'
> file contained only garbage characters.  I killed a 'logrotate' process that
> seemed to be running way too long and that fixed the spurious syslog
> entries. I then 'rm' and 'touch lastlog' but it still continued to log
> garbage.
>
> I wrote the group wondering if this sequence of events sounded like a known
> hack or if it was simply a corrupt file or some other anomaly that someone
> might have already experienced.  I mistakenly announced that only port 80
> should be open.
>
> You did the portscan showing ports 80 and 25 open, which in retrospect
> sounds right, and we are still pondering possibilities...



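An added example, not part of the original messages: shell functions for auditing a directory like the /var/log/news described above, listing and removing files whose names carry a chain of repeated ".gz" rotation suffixes without expanding a glob. The function names and the depth threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed example: function names and thresholds are illustrative.
# find streams names one per line, so nothing here expands a glob and the
# "Argument list too long" failure of 'ls *' / 'rm *' cannot occur.

# Print "<depth> <path>" for each regular file directly in DIR whose name
# holds more than MAX ".gz" components (news.gz.1.gz.1.gz has 3).
# Assumes file names contain no newlines.
runaway_logs() {
    find "$1" -maxdepth 1 -type f -name '*.gz*' -print |
    awk -v max="$2" '{
        name = $0
        sub(/.*\//, "", name)            # strip the directory part
        depth = gsub(/\.gz/, "", name)   # gsub returns the match count
        if (depth > max) print depth, $0
    }'
}

# Number of runaway files in DIR (prints 0 when there are none).
count_runaway() {
    runaway_logs "$1" "$2" | awk 'END { print NR }'
}

# Delete the runaway files one at a time; normal rotations are untouched.
purge_runaway() {
    runaway_logs "$1" "$2" | sed 's/^[0-9]* //' |
    while IFS= read -r f; do
        rm -f -- "$f"
    done
}
```

Run `count_runaway /var/log/news 1` before `purge_runaway /var/log/news 1` to see how many files would go; `df -i /var/log` reports inode usage for the filesystem.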