Bug 7884 - Kernel log messages are discarded after logs are rotated
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sysklogd
Version: 6.1
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Bill Nottingham
Reported: 1999-12-19 02:48 UTC by DIanne Skoll
Modified: 2014-03-17 02:11 UTC (History)
Last Closed: 1999-12-20 16:56:00 UTC

Description DIanne Skoll 1999-12-19 02:48:12 UTC
I have a Red Hat 6.1 system and after the logs are rotated, I stop
getting logs from the kernel.

I traced it down to this:  When "syslogd" is sent a HUP signal to
reinitialize itself, it seems to close /dev/log.  The "klogd" kernel
daemon is then unable to send messages to syslog.  Here's an example:

$ strace -p 22240   # I'm tracing the "klogd" process

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571294])        = 945571294

# klogd writes it to syslog
write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

# Now send syslogd a HUP signal

$ kill -1 19141

# And continue with the strace

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571432])       = 945571432

# But the write fails and the log message is lost!
write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

If you are running firewalls, CHECK THAT YOUR LOGS WORK!  You could be
missing something important.

As a workaround, in the last entry of /etc/logrotate.d/syslog, change
the postrotate script to:

	sh /etc/rc.d/init.d/syslog restart

--
David F. Skoll                 | Roaring Penguin Software Inc.
http://www.roaringpenguin.com  | Linux and UNIX Specialists
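
The failure in the strace above, reproduced as an added example (not from the bug report or from sysklogd): a writer keeps using its log socket after the reader closes and reopens it, and the message is lost unless the writer reconnects. It assumes a Linux datagram Unix socket at a temporary path in place of /dev/log; `bind_reader`, `send_log` and `simulate_hup` are hypothetical names, and the reconnect logic is an illustration, not the errata fix.

```python
import errno
import os
import socket
import tempfile

# errnos a writer may see once the reader's socket is gone
# (assumed set; the strace on this page shows ECONNRESET)
STALE = {errno.ECONNRESET, errno.ECONNREFUSED, errno.ENOTCONN, errno.EPIPE}

def bind_reader(path):
    """Hypothetical stand-in for syslogd opening its log socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(path)
    s.setblocking(False)
    return s

def drain(reader):
    """Return every datagram currently queued on the reader."""
    msgs = []
    try:
        while True:
            msgs.append(reader.recv(4096))
    except BlockingIOError:
        return msgs

def send_log(state, path, msg, reconnect):
    """Writer side (klogd stand-in). True if msg was handed to a reader."""
    for _ in range(2):  # one initial attempt, at most one retry
        try:
            if state.get("sock") is None:
                state["sock"] = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
                state["sock"].connect(path)
            state["sock"].send(msg)
            return True
        except OSError as e:
            if e.errno not in STALE or not reconnect:
                return False  # message is dropped, as in the strace
            state["sock"].close()
            state["sock"] = None  # force a fresh connect on the retry
    return False

def simulate_hup(reconnect):
    """Constructed scenario: the reader closes and reopens its socket."""
    with tempfile.TemporaryDirectory() as d:
        path, state = os.path.join(d, "log"), {}
        reader = bind_reader(path)
        before = send_log(state, path, b"<6>kernel: before HUP", reconnect)
        seen_before = drain(reader)
        reader.close(); os.unlink(path)   # reader drops its socket ...
        reader = bind_reader(path)        # ... and opens a new one
        after = send_log(state, path, b"<6>kernel: after HUP", reconnect)
        seen_after = drain(reader)
        reader.close()
        return before, seen_before, after, seen_after
```
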

Comment 1 DIanne Skoll 1999-12-19 03:16:59 UTC
One more thing:  I tried it out on Caldera OpenLinux 2.3 and did NOT observe
this problem.  Both sysklogd packages claim to be version 1.3.31.  The
difference is that on Caldera OpenLinux, libc6.so is a link to libc-2.1.1.so,
and on Red Hat, it is libc-2.1.2.so.  So I think it might be a libc problem.

Comment 2 DIanne Skoll 1999-12-19 03:43:59 UTC
One more thing: COL 2.3 is kernel 2.2.10 and Red Hat 6.1 is 2.2.12.  It might be
a kernel thing.

Comment 3 DIanne Skoll 1999-12-19 16:45:59 UTC
The new sysklogd RPM from the Red Hat updates site fixes this bug.  However, I
think you should post an advisory.  The existing sysklogd security advisory
talks about a different problem with sysklogd; this problem is, in my opinion,
far more serious because it could result in lost logs.

Comment 4 Bill Nottingham 1999-12-20 16:56:59 UTC
This is fixed in the errata sysklogd release.

