RE: Help needed for missing log entries

From: Dave Sobel (dave@evolvetech.com)
Date: Fri Mar 08 2002 - 22:48:47 CET

    Christian:

    Thanks for the assistance. This is a good theory, but I'm pretty sure
    it's not what is occurring.

    I have done nothing to set the ipop3d or imapd to make them chroot-ed --
    in fact, being as they can access mail in /var/spool/mail and also
    create directories in /home/<username>/, I'm pretty confident they have
    not been isolated.

    I also have verified the existence of /dev/log, so any daemon should be
    able to access it:

    dave@server:~$ cd /dev
    dave@server:/dev$ ls -l log
    srw-rw-rw- 1 root root 0 Mar 6 23:24 log=

    Any additional thoughts are very much welcomed.

    Dave

    -----Original Message-----
    From: Christian von Roques [mailto:roques@mti.ag]
    Sent: Friday, March 08, 2002 9:41 AM
    To: Dave Sobel
    Cc: infodrom-sysklogd@lists.infodrom.org
    Subject: Re: Help needed for missing log entries

    "Dave Sobel" <dave@evolvetech.com> wrote that some of the messages
    logged from ipop3d and imapd are missing in his syslog.

    There are two transports which might be used to transport log-messages
    from the logging applications (in this case ipop3d or imapd) to
    syslogd: If the unix domain socket /dev/log exists the library used by
    the application first tries to send the message through this socket.
    As the man page unix(7) says: ``Unix sockets are always reliable and
    don't reorder datagrams.'' If the unix domain socket /dev/log is
    unavailable, the library tries to send the message through an IP
    datagram (UDP) socket to localhost:514. But, UDP is an unreliable
    protocol and might silently drop some messages, e.g. if the receiving
    socket's receive buffer is full.

    If ipop3d or imapd are logging through UDP it can happen that
    messages are lost.

    If ipop3d or imapd are running chroot(2)ed (e.g. to /var/spool/imap),
    they can't access /dev/log and have to use UDP to transmit their
    messages. When they try to reach /dev/log, they will actually try to
    reach /dev/log in their changed root (e.g. /var/spool/imap/dev/log).
    You can/should tell syslogd to create an additional logging socket to
    be used by these daemons (e.g. by starting syslogd like: syslogd -a
    /var/spool/imap/dev/log ), so that they can reach syslogd through a
    reliable unix domain socket.

            Christian.
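
Added example, not part of either message above: a diagnostic that goes one step past `ls -l` by checking whether something is actually bound to `dev/log` under a given root, and whether a running daemon's root differs from `/`. The function names are hypothetical, and `process_root` assumes a Linux `/proc` and enough privilege to read another user's process entry.

```python
import os
import socket
import stat


def check_log_socket(root="/"):
    """Classify <root>/dev/log, the path a process rooted at `root` sees as /dev/log.

    Returns "missing", "not-a-socket", "unreachable" or "ok".
    """
    path = os.path.join(root, "dev/log")
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    # The socket inode outlives the syslogd that bound it, so its presence in a
    # directory listing proves nothing. Try to connect, datagram first, then stream.
    for kind in (socket.SOCK_DGRAM, socket.SOCK_STREAM):
        s = socket.socket(socket.AF_UNIX, kind)
        try:
            s.connect(path)
            return "ok"
        except OSError:
            continue  # refused, wrong socket type, or permission denied
        finally:
            s.close()
    return "unreachable"


def process_root(pid):
    """Root directory of `pid` as recorded in /proc (assumption: Linux)."""
    return os.readlink(f"/proc/{pid}/root")


def diagnose(pid):
    """Report whether `pid` is chrooted and whether its view of /dev/log is usable."""
    root = process_root(pid)
    return {"pid": pid, "root": root, "chrooted": root != "/",
            "dev_log": check_log_socket(root)}


if __name__ == "__main__":
    # Diagnose this interpreter itself; pass the PID of ipop3d or imapd instead.
    print(diagnose(os.getpid()))
```

A result of "missing" or "unreachable" for a daemon's root is the situation Christian describes, where an additional socket created with `syslogd -a` is needed.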


