[logs] Error messages from syslogd
Daniel Cid
danielcid at yahoo.com.br
Wed Jul 11 12:13:58 PDT 2007
Hi Tina,

In addition to the "restart" message, there is also the "exiting with signal X", when you kill it. Generally, in cases of rotation (on Debian at least), you should see the "exiting" followed by the restart, but if someone kills it directly, you will not:

* Syslogd on OpenBSD (exiting and restarting):

Dec 19 20:00:01 enigma syslogd: restart
Dec 20 01:00:01 enigma syslogd: restart
Dec 20 14:29:41 enigma syslogd: exiting on signal 15

* Syslogd on Ubuntu (exiting and restarting):

Dec 19 07:35:21 localhost exiting on signal 15
Dec 19 16:49:31 localhost syslogd 1.4.1#17ubuntu3: restart.

Taken from the ossec wiki:
http://www.ossec.net/wiki/index.php/Syslogd

Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net

--- Tina Bird <tbird at precision-guesswork.com> wrote:
>
> > Depends on the type of syslog installed wouldn't it? As in Linux
> > syslog would have different error messages than Solaris or AIX or
> > Ultrix. My first action would be to look at the source code for the
> > open ones... and then do a strings on the non-open ones for some
> > guesses.
> >
> > Beyond that I do not have anything at the moment.
>
> Yep, they'll be system dependent. That's okay. I can deal with it all by
> system - it's just going on a big web page, remember...
>
> I have received a number of responses along these lines, obtained by
> grepping the source code or by running strings on the binary. These are far
> better than nothing, and I'm grateful for the help, but they miss an
> important piece of the picture. Especially in a piece of code as old and,
> uh, crufty as syslogd, there's a high likelihood that many of the errors
> find themselves at the far ends of code paths that rarely (if ever) get
> executed, and therefore those errors never find themselves in the "outside"
> world, providing assistance (or confusion) to system administrators
> everywhere.
>
> Hence my interest in observational data.
>
> I did scrounge up one more error in my own testbed after I sent my post last
> night:
>
> Jun 18 03:05:00 <syslog.err> bettiepage syslogd: sendto: Host is down
>
> which, when I thought about it, is the only error message from syslogd that
> I've *ever* seen. Obviously it's actionable, although since this is a
> vanilla syslogd running over UDP, I've never quite figured out how it
> manages to "know" that the remote host is unavailable...
>
> cheers - tbird
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
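
The pattern described in this message (an "exiting on signal" line that rotation normally follows with a restart), written as an added detection sketch; it is not part of the original post and is not OSSEC's own rule. The function name, the 5-minute window, the placeholder year and the sample hosts web1/db1 are assumptions, and the log lines are constructed in the two formats quoted above.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
EXIT = re.compile(r"exiting on signal (\d+)")        # tagged or untagged form
RESTART = re.compile(r"syslogd[^:]*: restart\.?$")   # with or without version

def unmatched_exits(lines, window=timedelta(minutes=5), year=2000):
    """Return (host, timestamp, signal) for every syslogd exit that was not
    followed by a restart from the same host within `window`.
    Syslog timestamps carry no year, so `year` is a placeholder (assumption)."""
    pending = {}   # host -> (parsed time, raw timestamp, signal)
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        raw, host, msg = m.groups()
        ts = datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")
        sig = EXIT.search(msg)
        if sig:
            if host in pending:  # a second exit arrived before any restart
                _, old_raw, old_sig = pending.pop(host)
                alerts.append((host, old_raw, old_sig))
            pending[host] = (ts, raw, int(sig.group(1)))
        elif RESTART.search(msg) and host in pending:
            t0, old_raw, old_sig = pending.pop(host)
            if ts - t0 > window:  # restart came too late to be rotation
                alerts.append((host, old_raw, old_sig))
    # Exits still open at the end of the input never saw a restart.
    alerts += [(h, r, s) for h, (_, r, s) in pending.items()]
    return alerts

# Constructed sample: two rotations, then one exit with no restart.
SAMPLE = """\
Dec 19 06:25:01 web1 syslogd: exiting on signal 15
Dec 19 06:25:02 web1 syslogd: restart
Dec 19 07:35:21 db1 exiting on signal 15
Dec 19 07:35:22 db1 syslogd 1.4.1#17ubuntu3: restart.
Dec 20 14:29:41 web1 syslogd: exiting on signal 15
""".splitlines()

if __name__ == "__main__":
    for host, when, sig in unmatched_exits(SAMPLE):
        print(f"{host}: syslogd exited on signal {sig} at {when}, no restart seen")
```

On a live stream, an exit should only be reported once the window has elapsed without a restart; the end-of-input check here stands in for that timer.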