
Bug 7884

Summary: Kernel log messages are discarded after logs are rotated
Product: [Retired] Red Hat Linux
Reporter: DIanne Skoll <dfs>
Component: sysklogd
Assignee: Bill Nottingham <notting>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 6.1
CC: rvokal
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-12-20 16:56:00 UTC

Description DIanne Skoll 1999-12-19 02:48:12 UTC
I have a Red Hat 6.1 system and after the logs are rotated, I stop
getting logs from the kernel.

I traced it down to this:  When "syslogd" is sent a HUP signal to
reinitialize itself, it seems to close /dev/log.  The "klogd" kernel
daemon is then unable to send messages to syslog.  Here's an example:

$ strace -p 22240   # I'm tracing the "klogd" process

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571294])        = 945571294

# klogd writes it to syslog
write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

# Now send syslogd a HUP signal

$ kill -1 19141

# And continue with the strace

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571432])       = 945571432

# But the write fails and the log message is lost!
write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

If you are running firewalls, CHECK THAT YOUR LOGS WORK!  You could be
missing something important.

As a workaround, in the last entry of /etc/logrotate.d/syslog, change
the postrotate script to:

	sh /etc/rc.d/init.d/syslog restart

--
David F. Skoll                 | Roaring Penguin Software Inc.
http://www.roaringpenguin.com  | Linux and UNIX Specialists
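
The failure shown in the trace above, reproduced with a sender that survives it, as an added example (not sysklogd code and not the fix shipped in the errata): a log client that treats a failed write as a dead connection, reconnects, and resends the record instead of dropping it. It assumes a stream Unix socket at a constructed path under /tmp in place of /dev/log, and Linux's MSG_NOSIGNAL; `unix_sock`, `send_log` and `demo` are hypothetical names.

```c
/* Added example, not sysklogd code: resend a log record after the daemon's socket goes away. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
/* Open a stream Unix socket on path: listening (daemon side) or connected (client side). */
static int unix_sock(const char *path, int listener) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    if (listener) {
        unlink(path);
        if (bind(fd, (struct sockaddr *)&a, sizeof a) == 0 && listen(fd, 5) == 0) return fd;
    } else if (connect(fd, (struct sockaddr *)&a, sizeof a) == 0) return fd;
    close(fd);
    return -1;
}

/* Send one record. On failure (EPIPE, ECONNRESET, ...) reconnect once and resend.
   Returns the number of reconnects needed (0 or 1), or -1 if the record was lost. */
static int send_log(int *fd, const char *path, const char *msg) {
    size_t len = strlen(msg);
    for (int attempt = 0; attempt < 2; attempt++) {
        if (*fd >= 0 && send(*fd, msg, len, MSG_NOSIGNAL) == (ssize_t)len) return attempt;
        if (*fd >= 0) close(*fd);          /* stale descriptor: the peer is gone */
        *fd = unix_sock(path, 0);
    }
    return -1;
}

/* Constructed scenario: the "daemon" closes and reopens its socket between two records. */
static int demo(const char *path) {
    char buf[128];
    int srv = unix_sock(path, 1), cli = unix_sock(path, 0);
    int conn = accept(srv, NULL, NULL);
    int first = send_log(&cli, path, "<6>kernel: before HUP\n");
    ssize_t n1 = read(conn, buf, sizeof buf - 1);
    close(conn); close(srv);               /* what the report observes on SIGHUP */
    srv = unix_sock(path, 1);              /* daemon reopens its socket */
    int second = send_log(&cli, path, "<6>kernel: after HUP\n");
    conn = accept(srv, NULL, NULL);
    ssize_t n2 = read(conn, buf, sizeof buf - 1);
    buf[n2 > 0 ? n2 : 0] = '\0';
    close(conn); close(srv); close(cli); unlink(path);
    return first == 0 && n1 > 0 && second == 1 && strstr(buf, "after HUP") != NULL;
}
int main(void) { printf("second record delivered: %d\n", demo("/tmp/syslog_hup_demo.sock")); return 0; }
```

A return of -1 from `send_log` is the case to alert on: the record could not be delivered even after reconnecting.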

Comment 1 DIanne Skoll 1999-12-19 03:16:59 UTC
One more thing:  I tried it out on Caldera OpenLinux 2.3 and did NOT observe
this problem.  Both sysklogd packages claim to be version 1.3.31.  The
difference is that on Caldera OpenLinux, libc6.so is a link to libc-2.1.1.so,
and on Red Hat, it is libc-2.1.2.so.  So I think it might be a libc problem.

Comment 2 DIanne Skoll 1999-12-19 03:43:59 UTC
One more thing: COL 2.3 is kernel 2.2.10 and Red Hat 6.1 is 2.2.12.  It might be
a kernel thing.

Comment 3 DIanne Skoll 1999-12-19 16:45:59 UTC
The new sysklogd RPM from the Red Hat updates site fixes this bug.  However, I
think you should post an advisory.  The existing sysklogd security advisory
talks about a different problem with sysklogd; this problem is, in my opinion,
far more serious because it could result in lost logs.

Comment 4 Bill Nottingham 1999-12-20 16:56:59 UTC
This is fixed in the errata sysklogd release.