Bug 7884 - Kernel log messages are discarded after logs are rotated
Summary: Kernel log messages are discarded after logs are rotated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sysklogd
Version: 6.1
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 1999-12-19 02:48 UTC by DIanne Skoll
Modified: 2014-03-17 02:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-12-20 16:56:00 UTC



Description DIanne Skoll 1999-12-19 02:48:12 UTC
I have a Red Hat 6.1 system and after the logs are rotated, I stop
getting logs from the kernel.

I traced it down to this:  When "syslogd" is sent a HUP signal to
reinitialize itself, it seems to close /dev/log.  The "klogd" kernel
daemon is then unable to send messages to syslog.  Here's an example:

$ strace -p 22240   # I'm tracing the "klogd" process

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571294])        = 945571294

# klogd writes it to syslog
write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

# Now send syslogd a HUP signal

$ kill -1 19141

# And continue with the strace

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571432])       = 945571432

# But the write fails and the log message is lost!
write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

If you are running firewalls, CHECK THAT YOUR LOGS WORK!  You could be
missing something important.

As a workaround, in the last entry of /etc/logrotate.d/syslog, change
the postrotate script to:

	sh /etc/rc.d/init.d/syslog restart

--
David F. Skoll                 | Roaring Penguin Software Inc.
http://www.roaringpenguin.com  | Linux and UNIX Specialists
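
Added example, not part of the original report and not sysklogd or klogd code: a small simulation of the failure traced above, in which the log receiver closes and recreates its socket and a client that reopens the socket on ECONNRESET/EPIPE still delivers the next message instead of dropping it. The LogSender class, the temporary socket path standing in for /dev/log, the use of a stream socket and the sample messages are all assumptions made for illustration.

```python
import os
import socket
import tempfile

def start_listener(path):
    """Bind a stream socket at `path` (stand-in for syslogd owning /dev/log)."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv

class LogSender:
    """Hypothetical log client that reconnects once when the peer went away."""
    def __init__(self, path):
        self.path, self.sock, self.reconnects = path, None, 0

    def _connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.path)

    def send(self, msg):
        if self.sock is None:
            self._connect()
        try:
            self.sock.sendall(msg)
        except (ConnectionResetError, BrokenPipeError):  # ECONNRESET / EPIPE
            # The old descriptor is dead: reopen the socket and resend the message.
            self.sock.close()
            self._connect()
            self.reconnects += 1
            self.sock.sendall(msg)

def demo():
    path = os.path.join(tempfile.mkdtemp(), "log")  # constructed path, not /dev/log
    srv = start_listener(path)
    sender = LogSender(path)
    sender.send(b"<6>kernel: before HUP\n")  # constructed sample message
    conn, _ = srv.accept()
    first = conn.recv(4096)
    # Simulate the receiver reinitialising: drop the connection, recreate the socket.
    conn.close()
    srv.close()
    srv = start_listener(path)
    sender.send(b"<6>kernel: after HUP\n")  # a plain write() would fail and lose this
    conn, _ = srv.accept()
    second = conn.recv(4096)
    conn.close()
    srv.close()
    return first, second, sender.reconnects
```
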

Comment 1 DIanne Skoll 1999-12-19 03:16:59 UTC
One more thing:  I tried it out on Caldera OpenLinux 2.3 and did NOT observe
this problem.  Both sysklogd packages claim to be version 1.3.31.  The
difference is that on Caldera OpenLinux, libc6.so is a link to libc-2.1.1.so,
and on Red Hat, it is libc-2.1.2.so.  So I think it might be a libc problem.

Comment 2 DIanne Skoll 1999-12-19 03:43:59 UTC
One more thing: COL 2.3 is kernel 2.2.10 and Red Hat 6.1 is 2.2.12.  It might be
a kernel thing.

Comment 3 DIanne Skoll 1999-12-19 16:45:59 UTC
The new sysklogd RPM from the Red Hat updates site fixes this bug.  However, I
think you should post an advisory.  The existing sysklogd security advisory
talks about a different problem with sysklogd; this problem is, in my opinion,
far more serious because it could result in lost logs.

Comment 4 Bill Nottingham 1999-12-20 16:56:59 UTC
This is fixed in the errata sysklogd release.

