[logs] Error messages from syslogd

Justin Mitchell jmitchell at secureworks.com
Wed Jul 11 12:42:26 PDT 2007


Regular expressions, experience, and research are priceless (w/ an emphasis on 
regular expressions). Along with some luck and intuition, you will (or the 
individual analyzing will) be good to go.  Honestly, simple as that.

On Wednesday 11 July 2007 15:13, Daniel Cid wrote:
> Hi Tina,
>
> In addition to the "restart" message, there is also the
> "exiting with signal X", when you kill it. Generally, in cases
> of rotation (on Debian at least), you should see the "exiting"
> followed by the restart, but if someone kills it directly, you
> will not:
>
>
> * Syslogd on OpenBSD (exiting and restarting):
>
> Dec 19 20:00:01 enigma syslogd: restart
> Dec 20 01:00:01 enigma syslogd: restart
> Dec 20 14:29:41 enigma syslogd: exiting on signal 15
>
>
> * Syslogd on Ubuntu (exiting and restarting):
>
> Dec 19 07:35:21 localhost exiting on signal 15
> Dec 19 16:49:31 localhost syslogd 1.4.1#17ubuntu3: restart.
>
>
> taken from ossec wiki:
> http://www.ossec.net/wiki/index.php/Syslogd
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> --- Tina Bird <tbird at precision-guesswork.com> wrote:
> > > Depends on the type of syslog installed wouldn't it? As in Linux
> > > syslog would have different error messages than Solaris or AIX or
> > > Ultrix. My first action would be to look at the source code for the
> > > open ones... and then do a strings on the non-open ones for some
> > > guesses.
> > >
> > > Beyond that I do not have anything at the moment.
> >
> > Yep, they'll be system dependent. That's okay. I can deal with it all by
> > system - it's just going on a big web page, remember...
> >
> > I have received a number of responses along these lines, obtained by
> > grepping the source code or by running strings on the binary. These are far
> > better than nothing, and I'm grateful for the help, but they miss an
> > important piece of the picture. Especially in a piece of code as old and,
> > uh, crufty as syslogd, there's a high likelihood that many of the errors
> > find themselves at the far ends of code paths that rarely (if ever) get
> > executed, and therefore those errors never find themselves in the "outside"
> > world, providing assistance (or confusion) to system administrators
> > everywhere.
> >
> > Hence my interest in observational data.
> >
> > I did scrounge up one more error in my own testbed after I sent my post last
> > night:
> >
> > Jun 18 03:05:00 <syslog.err> bettiepage syslogd: sendto: Host is down
> >
> > which, when I thought about it, is the only error message from syslogd that
> > I've *ever* seen. Obviously it's actionable, although since this is a
> > vanilla syslogd running over UDP, I've never quite figured out how it
> > manages to "know" that the remote host is unavailable...
> >
> > cheers - tbird
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis at loganalysis.org
>
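The thread above boils down to three syslogd messages worth watching for: "restart", "exiting on signal N", and "sendto: Host is down" (the last is simply the strerror text for EHOSTDOWN, which the kernel hands back to syslogd's sendto() on the UDP socket, which is how a UDP-only daemon still "knows" the relay is unreachable). Daniel's point is that a rotation shows an exit immediately followed by a restart, while a kill shows the exit alone. The following script is an added example, not code from the thread or from OSSEC; it applies the regex approach Justin recommends to those lines. The sample input reuses the log lines quoted in the thread plus one constructed noise line; the message formats it recognises are only the OpenBSD, Ubuntu and Solaris-style variants shown above, so other syslogd builds may need an extra pattern.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Classic BSD syslog header: "Mon DD HH:MM:SS [<facility.severity>] host msg".
# The optional <facility.severity> tag covers the Solaris-style line in the thread.
HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?:<[\w.]+> )?'
    r'(?P<host>\S+) '
    r'(?P<msg>.*)$'
)

# Message bodies seen in the thread. Ubuntu omits the "syslogd:" prefix on exit
# and inserts a version string before the colon on restart, so both are tolerated.
EXITING = re.compile(r'\bexiting on signal (?P<sig>\d+)\b')
RESTART = re.compile(r'\bsyslogd\b[^:]*: restart\.?\s*$')
SENDTO = re.compile(r'\bsyslogd: sendto: (?P<err>.+?)\s*$')


@dataclass
class Event:
    ts: str
    host: str
    kind: str      # 'exit', 'restart' or 'sendto'
    detail: str    # signal number for 'exit', errno text for 'sendto'


def parse(line: str) -> Optional[Event]:
    """Return an Event for the three syslogd messages of interest, else None."""
    m = HEADER.match(line)
    if not m:
        return None
    msg = m['msg']
    if (e := EXITING.search(msg)):
        return Event(m['ts'], m['host'], 'exit', e['sig'])
    if RESTART.search(msg):
        return Event(m['ts'], m['host'], 'restart', '')
    if (e := SENDTO.search(msg)):
        return Event(m['ts'], m['host'], 'sendto', e['err'])
    return None


def _no_restart(ev: Event) -> str:
    return (f"{ev.host}: syslogd exited on signal {ev.detail} at {ev.ts} "
            f"and never logged a restart")


def audit(lines) -> list:
    """Flag exits not followed by a restart (possible kill, logging gap) and
    failed deliveries to the remote log host. Lines are assumed to be in
    chronological order per host."""
    findings = []
    pending = {}   # host -> most recent 'exit' Event still awaiting a restart
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev.kind == 'exit':
            if ev.host in pending:
                findings.append(_no_restart(pending[ev.host]))
            pending[ev.host] = ev
        elif ev.kind == 'restart':
            # A restart after an exit is the normal rotation pattern; clear it.
            pending.pop(ev.host, None)
        elif ev.kind == 'sendto':
            findings.append(f"{ev.host}: remote delivery failed at {ev.ts}: {ev.detail}")
    # Anything still pending at end of input exited and never came back.
    findings.extend(_no_restart(ev) for ev in pending.values())
    return findings


# Sample input: the log lines quoted in the thread, plus one constructed
# unrelated line to show that ordinary traffic is ignored.
SAMPLE = [
    "Dec 19 20:00:01 enigma syslogd: restart",
    "Dec 20 01:00:01 enigma syslogd: restart",
    "Dec 20 14:29:41 enigma syslogd: exiting on signal 15",
    "Dec 19 07:35:21 localhost exiting on signal 15",
    "Dec 19 16:49:31 localhost syslogd 1.4.1#17ubuntu3: restart.",
    "Jun 18 03:05:00 <syslog.err> bettiepage syslogd: sendto: Host is down",
    "Dec 20 14:30:00 enigma sshd[1234]: Accepted publickey for alice",  # constructed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run as-is it reports two findings: the delivery failure on bettiepage, and the exit on enigma that has no restart after it; the Ubuntu exit/restart pair is treated as a normal rotation. Note that an exit with no restart is also what you will see if the host was simply rebooted, so the finding is a prompt to check, not a verdict.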


