Re: Very strange syslogd behavior

From: Martin Schulze (joey@infodrom.org)
Date: Mon Jan 26 2004 - 22:28:14 CET


Ross Vandegrift wrote:
> I've started seeing some very weird syslogd behavior recently.
> We use a central syslog server to host the log messages for all of our
> machines. There are probably a dozen or so Debian 3.0 servers logging
> to the loghost (which is also running Debian), and maybe half a dozen
> printers.
>
> We recently installed a new VPN server. Everything was fine
> with logging, until messages suddenly stopped showing up in the logs.
> No configurations were changed, no firewalls installed, nothing. The
> last message from the VPN server is dated Jan 25, 23:40:02 and is a
> routine cron message. Both servers are working well and I've tried
> restarting syslogd.
>
> Then, this afternoon, messages stopped showing up from sendmail
> on our primary outgoing mail relay. Only sendmail messages are missing
> - ospfd, snmpd, crond, are all logging away happily. Again, no
> configurations were changed, all daemons restarted.

Could you run tcpdump / ethereal on the log host using port 514/udp
to ensure that messages from the hosts you are missing are indeed
sent to the log host and just not processed by syslogd?

Not sure why they would not be processed, though. If they show up
in the network dump you should run syslogd -d and send it a SIGHUP
to continue with debug output (better redirect it into a file) so
you can see incoming messages as they are processed.

If no remote messages appear, check whether ``-r'' is used on the command line.
Guess it's used, but better be safe than sorry.

Regards,

        Joey

-- 
GNU does not eliminate all the world's problems, only some of them.
                                                -- The GNU Manifesto
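
The first check suggested above (capture 514/udp on the log host, then see which expected senders never show up), as an added example that is not part of the original message. The function names, the `eth0` interface and all addresses are assumptions, the capture is constructed, and the parser expects IPv4 lines as printed by `tcpdump -n`.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names, the interface
# name and all addresses are assumptions; the capture below is constructed.
#
# Live use on the log host (text output, numeric addresses and ports):
#   tcpdump -n -l -i eth0 udp port 514 > /tmp/syslog514.txt
#   missing_senders 192.0.2.10 192.0.2.20 < /tmp/syslog514.txt

# Print each IPv4 source address that sent a datagram to port 514.
senders_seen() {
    awk '{
        for (i = 2; i < NF; i++) if ($i == ">") {
            src = $(i - 1); dst = $(i + 1)
            sub(/:$/, "", dst)                 # "192.0.2.1.514:" -> "192.0.2.1.514"
            if (dst ~ /\.514$/) {              # destination port must be 514
                sub(/\.[0-9]+$/, "", src)      # drop the source port
                print src
            }
            break
        }
    }' | sort -u
}

# Read a capture on stdin; print every expected host that never appears in it.
missing_senders() {
    seen=$(senders_seen)
    for host in "$@"; do
        printf '%s\n' "$seen" | grep -qxF "$host" || printf '%s\n' "$host"
    done
}

# Constructed capture: .10 and .30 reach the log host (192.0.2.1), .20 never
# does, and the last line is the log host itself sending from port 514.
sample_capture() {
    cat <<'EOF'
22:10:01.000100 IP 192.0.2.10.514 > 192.0.2.1.514: SYSLOG cron.info, length: 71
22:10:02.000200 IP 192.0.2.30.32768 > 192.0.2.1.514: SYSLOG daemon.notice, length: 64
22:10:03.000300 IP 192.0.2.1.514 > 192.0.2.99.1514: UDP, length 40
EOF
}

# A host printed here is not reaching the log host at all (look at the sender
# or the network); a host that is in the capture but not in the logs points at
# syslogd on the log host, which is where the debug output comes in.
sample_capture | missing_senders 192.0.2.10 192.0.2.20 192.0.2.30
```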

