Bug 7884 - Kernel log messages are discarded after logs are rotated
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: sysklogd
Version: 6.1
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Bill Nottingham
Reported: 1999-12-18 21:48 EST by DIanne Skoll
Modified: 2014-03-16 22:11 EDT

Doc Type: Bug Fix
Last Closed: 1999-12-20 11:56:00 EST
Description DIanne Skoll 1999-12-18 21:48:12 EST
I have a Red Hat 6.1 system and after the logs are rotated, I stop
getting logs from the kernel.

I traced it down to this:  When "syslogd" is sent a HUP signal to
reinitialize itself, it seems to close /dev/log.  The "klogd" kernel
daemon is then unable to send messages to syslog.  Here's an example:

$ strace -p 22240   # I'm tracing the "klogd" process

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571294])        = 945571294

# klogd writes it to syslog
write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

# Now send syslogd a HUP signal

$ kill -1 19141

# And continue with the strace

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571432])       = 945571432

# But the write fails and the log message is lost!
write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET (Connection reset by peer)

If you are running firewalls, CHECK THAT YOUR LOGS WORK!  You could be
missing something important.

As a workaround, in the last entry of /etc/logrotate.d/syslog, change
the postrotate script to:

	sh /etc/rc.d/init.d/syslog restart

--
David F. Skoll                 | Roaring Penguin Software Inc.
http://www.roaringpenguin.com  | Linux and UNIX Specialists
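
The failed write in the strace above can be reproduced with any UNIX stream socket whose listening side is closed and reopened. This is an added example, not code from the report or from sysklogd; it models the HUP handling as close-and-reopen (an assumption taken from the description above), the function names and log lines are constructed, and the reconnect branch is one way for a sender to cope, not the errata fix, which the page does not describe.

```python
import errno, os, socket, tempfile

def listen(path):
    """Constructed stand-in for a log daemon's UNIX stream socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.listen(8)
    return s

def connect(path):
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(path)
    return c

def accept_and_read(listener):
    """Accept the pending client and read the line it has already queued."""
    conn, _ = listener.accept()
    return conn, conn.recv(4096)

def demo(reconnect):
    """Send one line before and one after the daemon reopens its socket."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")
        listener, client = listen(path), connect(path)
        client.sendall(b"<6>before HUP\n")
        conn, received = accept_and_read(listener)
        # Assumed model of the HUP handling: close everything, then reopen.
        for s in (conn, listener):
            s.close()
        os.unlink(path)
        listener = listen(path)
        try:
            client.sendall(b"<6>after HUP\n")
            status = "ok"
        except OSError as e:          # ECONNRESET or EPIPE: the old peer is gone
            status = errno.errorcode[e.errno]
            if reconnect:             # sender reopens the socket and resends
                client.close()
                client = connect(path)
                client.sendall(b"<6>after HUP\n")
                conn, data = accept_and_read(listener)
                received += data
        for s in (client, conn, listener):
            s.close()
        return status, received

if __name__ == "__main__":
    print("no reconnect:", demo(False))   # second line never arrives
    print("reconnect:   ", demo(True))    # both lines arrive
```
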
Comment 1 DIanne Skoll 1999-12-18 22:16:59 EST
One more thing:  I tried it out on Caldera OpenLinux 2.3 and did NOT observe
this problem.  Both sysklogd packages claim to be version 1.3.31.  The
difference is that on Caldera OpenLinux, libc6.so is a link to libc-2.1.1.so,
and on Red Hat, it is libc-2.1.2.so.  So I think it might be a libc problem.
Comment 2 DIanne Skoll 1999-12-18 22:43:59 EST
One more thing: COL 2.3 is kernel 2.2.10 and Red Hat 6.1 is 2.2.12.  It might be
a kernel thing.
Comment 3 DIanne Skoll 1999-12-19 11:45:59 EST
The new sysklogd RPM from the Red Hat updates site fixes this bug.  However, I
think you should post an advisory.  The existing sysklogd security advisory
talks about a different problem with sysklogd; this problem is, in my opinion,
far more serious because it could result in lost logs.
Comment 4 Bill Nottingham 1999-12-20 11:56:59 EST
This is fixed in the errata sysklogd release.
