Subject: Re: Bug found: help to isolate it
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Lista de NetBSD Users <list10@sepc.edu.mx>
List: netbsd-users
Date: 05/20/2002 21:25:33
On Sun, 19 May 2002, Manuel Bouyer wrote:
> > Yesterday, I could see one more machine (1.5.2/i386) in our LAN
> > with the same problem... and last night we have a power failure...
> > sorry... the servers rebooted fine (with fsck) and the problem
> > of syslogd disappeared.
This is the second machine with syslogd stopped (May 15 approx.).
Sorry, I do not have listings from that day, and the machine was
rebooted because of a power failure.
caos# uname -a
NetBSD caos 1.5.2 NetBSD 1.5.2 (CAOS) #0: Sat Dec 8 20:09:31 CST 2001 gallegos@victoria:/usr/src/sys/arch/i386/compile/CAOS i386
caos# pkg_info
digest-20010807 Message digest wrapper utility
perl-5.6.1nb6 Practical Extraction and Report Language
ppp-mppe-2.3.9 PPP daemon and LKM with MPPE - Microsoft Point-to-Point Encryption
poptop-1.0.0 PPTP server which can support Microsoft VPN clients
--------------------------------------------------
caos# fstat | grep syslog
root syslogd 147 wd / 2 drwxr-xr-x 512 r
root syslogd 147 0 / 32272 crw-rw-rw- null rw
root syslogd 147 1 / 32272 crw-rw-rw- null rw
root syslogd 147 2 / 32272 crw-rw-rw- null rw
root syslogd 147 3* unix dgram c04fc6c0
root syslogd 147 4 / 32275 crw------- klog r
root syslogd 147 6 / 32268 crw------- console w
root syslogd 147 7 / 80654 -rw-r--r-- 13466 w
root syslogd 147 8 / 80654 -rw-r--r-- 13466 w
root syslogd 147 9 / 80653 -rw------- 1740 w
root syslogd 147 10 / 40328 -rw------- 742 w
root syslogd 147 11 / 80651 -rw------- 3247 w
root syslogd 147 12 / 80645 -rw-r----- 0 w
root syslogd 147 13 / 80646 -rw------- 58 w
caos#
caos# fstat | grep c04fc6c0
root pptpd 239 3* unix dgram c0514c80 <-> c04fc6c0
root syslogd 147 3* unix dgram c04fc6c0
----------------------------------------
caos# l /etc/*yslo*
-rw-r--r-- 1 root wheel 597 Aug 18 2001 /etc/newsyslog.conf
-rw-r--r-- 1 root wheel 604 Aug 18 2001 /etc/syslog.conf
Look... Aug 18 2001... these files have not been touched... the files
are the same as on the 1.5.2 CD.
---------------------------------------
caos# ps -ax
PID TT STAT TIME COMMAND
0 ?? DLs 0:00.21 (swapper)
1 ?? Is 0:00.01 init
2 ?? DL 0:00.01 (pagedaemon)
3 ?? DL 0:00.28 (reaper)
4 ?? DL 0:20.09 (ioflush)
147 ?? Ss 0:01.23 /usr/sbin/syslogd -s
235 ?? Is 0:00.03 /usr/sbin/sshd
239 ?? Is 0:00.01 /usr/pkg/sbin/pptpd -d
243 ?? Is 0:00.01 /usr/sbin/inetd -l
246 ?? Is 0:01.42 /usr/sbin/cron
3623 ?? S 0:08.87 sshd: gallegos@ttyp0
3624 p0 Is 0:00.05 -csh
3639 p0 S 0:00.05 -csh
3655 p0 R+ 0:00.00 ps -ax
248 E0 Is+ 0:00.01 /usr/libexec/getty Pc ttyE0
249 E1 Is+ 0:00.01 /usr/libexec/getty Pc ttyE1
250 E2 Is+ 0:00.01 /usr/libexec/getty Pc ttyE2
251 E3 Is+ 0:00.01 /usr/libexec/getty Pc ttyE3
------------------------------------------------
caos# ps -alx
UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND
0 0 0 0 -18 0 0 6540 schedule DLs ?? 0:00.21 (swapper)
0 1 0 20 10 0 312 192 wait Is ?? 0:00.01 init
0 2 0 0 -18 0 0 6540 daemon_s DL ?? 0:00.01 (pagedaemon)
0 3 0 0 -18 0 0 6540 reaper DL ?? 0:00.28 (reaper)
0 4 0 0 18 0 0 6540 syncer DL ?? 0:20.09 (ioflush)
0 147 1 0 2 0 100 404 select Ss ?? 0:01.23 /usr/sbin/syslogd -s
0 235 1 0 2 0 292 624 select Is ?? 0:00.03 /usr/sbin/sshd
0 239 1 21 2 0 72 360 select Is ?? 0:00.01 /usr/pkg/sbin/pptpd -d
0 243 1 21 2 0 88 472 select Is ?? 0:00.01 /usr/sbin/inetd -l
0 246 1 0 10 0 220 420 nanoslee Is ?? 0:01.42 /usr/sbin/cron
0 3623 235 0 2 0 344 1184 select S ?? 0:08.89 sshd: gallegos@ttyp0
300 3624 3623 0 18 0 432 304 pause Is p0 0:00.05 -csh
0 3639 3624 0 18 0 432 292 pause S p0 0:00.06 -csh
0 3656 3639 0 28 0 344 152 - R+ p0 0:00.00 ps -alx
0 248 1 12 3 0 48 432 ttyin Is+ E0 0:00.01 /usr/libexec/getty Pc ttyE0
0 249 1 12 3 0 48 428 ttyin Is+ E1 0:00.01 /usr/libexec/getty Pc ttyE1
0 250 1 12 3 0 48 428 ttyin Is+ E2 0:00.01 /usr/libexec/getty Pc ttyE2
0 251 1 12 3 0 48 428 ttyin Is+ E3 0:00.01 /usr/libexec/getty Pc ttyE3
------------------------------------------------
The following is an extract of /var/log/messages
Apr 27 12:45:55 caos pppd[3623]: Connection terminated.
Apr 27 12:45:55 caos pppd[3623]: Modem hangup
Apr 27 12:45:55 caos pppd[3623]: Exit.
Apr 27 21:00:00 caos syslogd: restart
Apr 28 11:00:00 caos syslogd: restart
Apr 28 11:00:00 caos syslogd: restart
Apr 28 14:00:01 caos syslogd: restart
Apr 29 07:00:00 caos syslogd: restart
Apr 29 11:00:00 caos syslogd: restart
Apr 29 11:00:01 caos syslogd: restart
Apr 30 01:00:00 caos syslogd: restart
Apr 30 11:00:00 caos syslogd: restart
Apr 30 11:00:01 caos syslogd: restart
Apr 30 18:00:01 caos syslogd: restart
May 1 11:00:01 caos syslogd: restart
May 1 11:00:01 caos syslogd: restart
May 1 11:00:01 caos syslogd: restart
May 2 04:00:00 caos syslogd: restart
May 2 11:00:00 caos syslogd: restart
May 2 11:00:00 caos syslogd: restart
May 2 22:00:00 caos syslogd: restart <---- look at the date
May 17 15:29:52 caos syslogd: restart
May 17 15:29:53 caos /netbsd: NetBSD 1.5.2 (CAOS) #0: Sat Dec 8 20:09:31 CST 2001
May 17 15:29:53 caos /netbsd: gallegos@victoria:/usr/src/sys/arch/i386/compile/CAOS
-----------------------------------------------
The following is an extract of /var/log/authlog
May 2 17:11:33 caos sshd[9132]: Did not receive ident string from 193.255.184.2.
May 2 17:11:33 caos sshd[9133]: Protocol major versions differ for 193.255.184.2: SSH-2.0-OpenSSH_2.5.1 NetBSD_Secure_Shell-20010614 vs. SSH-1.0-SSH_Version_Mapper
May 3 09:10:18 caos sshd[10045]: Accepted password for sreangar from aaa.bbb.ccc.ddd port 1464 ssh2
May 17 15:29:57 caos sshd[235]: Server listening on :: port 22.
May 17 15:29:57 caos sshd[235]: Server listening on 0.0.0.0 port 22.
193.255.184.2 is somebody pushing the door ;)
aaa.bbb.ccc.ddd is an internal host
-----------------------------------------------
In /etc/inetd.conf all lines are commented out except
interna:ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ll
where interna is the inside NIC (the IP number is in /etc/hosts)
------------------------------------------------
The following is very interesting
caos# pwd
/var/log
caos# l maill*
-rw------- 1 root wheel 58 May 20 12:00 maillog
-rw------- 1 root wheel 342 May 20 12:00 maillog.0.gz
-rw------- 1 root wheel 342 May 19 12:00 maillog.1.gz
-rw------- 1 root wheel 387 May 18 12:00 maillog.2.gz
-rw------- 1 root wheel 98 May 17 12:00 maillog.3.gz
-rw------- 1 root wheel 97 May 16 12:00 maillog.4.gz
-rw------- 1 root wheel 98 May 15 12:00 maillog.5.gz
-rw------- 1 root wheel 98 May 14 12:00 maillog.6.gz
-rw------- 1 root wheel 97 May 13 12:00 maillog.7.gz
Let's see the contents of maillog.[1234]
caos# more maillog.1
May 18 12:00:00 caos newsyslog[1282]: logfile turned over
May 19 03:15:32 caos sendmail[2170]: g4J8FWX02170: from=root, size=261, class=0, nrcpts=1, msgid=<200205190815.g4J8FWX02170@caos.csxxi.net.mx>, relay=root@localhost
May 19 03:15:33 caos sendmail[1610]: g4J8F0q01610: from=root, size=4662, class=0, nrcpts=1, msgid=<200205190815.g4J8F0q01610@caos.csxxi.net.mx>, relay=localhost [[UNIX: localhost]]
May 19 03:15:33 caos sendmail[2175]: g4J8FWX02170: to=root, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30261, dsn=2.0.0, stat=Sent
May 19 03:15:33 caos sendmail[2178]: g4J8F0q01610: to=root, ctladdr=root (0/0), delay=00:00:33, xdelay=00:00:00, mailer=local, pri=34662, dsn=2.0.0, stat=Sent
May 19 12:00:00 caos newsyslog[2366]: logfile turned over
-------------------------------
caos# more maillog.2
May 17 12:00:00 caos newsyslog[25282]: logfile turned over
May 18 03:15:34 caos sendmail[1068]: g4I8FYo01068: from=root, size=261, class=0, nrcpts=1, msgid=<200205180815.g4I8FYo01068@caos.csxxi.net.mx>, relay=root@localhost
May 18 03:15:34 caos sendmail[508]: g4I8F1o00508: from=root, size=4655, class=0, nrcpts=1, msgid=<200205180815.g4I8F1o00508@caos.csxxi.net.mx>, relay=localhost [[UNIX: localhost]]
May 18 03:15:34 caos sendmail[1073]: g4I8FYo01068: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30261, dsn=2.0.0, stat=Sent
May 18 03:15:35 caos sendmail[1076]: g4I8F1o00508: to=root, ctladdr=root (0/0), delay=00:00:34, xdelay=00:00:01, mailer=local, pri=34655, dsn=2.0.0, stat=Sent
May 18 04:30:12 caos sendmail[1108]: g4I9U0s01108: from=root, size=101, class=0, nrcpts=1, msgid=<200205180930.g4I9U0s01108@caos.csxxi.net.mx>, relay=localhost [[UNIX: localhost]]
May 18 04:30:13 caos sendmail[1123]: g4I9U0s01108: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:01, mailer=local, pri=30101, dsn=2.0.0, stat=Sent
May 18 12:00:00 caos newsyslog[1282]: logfile turned over
------------------------------
caos# more maillog.3
May 16 12:00:00 caos newsyslog[24201]: logfile turned over
May 17 12:00:00 caos newsyslog[25282]: logfile turned over
-------------------------------
caos# more maillog.4
May 15 12:00:00 caos newsyslog[23121]: logfile turned over
May 16 12:00:00 caos newsyslog[24201]: logfile turned over
-------------------------------
The logs say nothing about the daily mail for root, but let's
see the mail received by root.
listing of "mailx -u root"
N303 root Wed May 1 03:15 19/583 "caos daily insecurity output for Wed M"
N304 root Wed May 1 03:15 87/5095 "caos daily output for Wed May 1 03:15"
N305 root Thu May 2 03:15 19/583 "caos daily insecurity output for Thu M"
N306 root Thu May 2 03:15 87/5095 "caos daily output for Thu May 2 03:15"
N307 root Fri May 3 03:15 19/583 "caos daily insecurity output for Fri M"
N308 root Fri May 3 03:15 87/5095 "caos daily output for Fri May 3 03:15"
N309 root Sat May 4 03:15 19/583 "caos daily insecurity output for Sat M"
N310 root Sat May 4 03:15 87/5095 "caos daily output for Sat May 4 03:15"
N311 root Sat May 4 04:30 15/439 "caos weekly output for Sat May 4 04:3"
N312 root Sun May 5 03:15 19/583 "caos daily insecurity output for Sun M"
N313 root Sun May 5 03:15 87/5095 "caos daily output for Sun May 5 03:15"
N314 root Mon May 6 03:15 19/583 "caos daily insecurity output for Mon M"
N315 root Mon May 6 03:15 87/5095 "caos daily output for Mon May 6 03:15"
& z
>N316 root Tue May 7 03:15 19/583 "caos daily insecurity output for Tue M"
N317 root Tue May 7 03:15 87/5095 "caos daily output for Tue May 7 03:15"
N318 root Wed May 8 03:15 19/583 "caos daily insecurity output for Wed M"
N319 root Wed May 8 03:15 87/5095 "caos daily output for Wed May 8 03:15"
N320 root Thu May 9 03:15 19/583 "caos daily insecurity output for Thu M"
N321 root Thu May 9 03:15 87/5095 "caos daily output for Thu May 9 03:15"
N322 root Fri May 10 03:15 19/585 "caos daily insecurity output for Fri M"
N323 root Fri May 10 03:15 87/5097 "caos daily output for Fri May 10 03:15"
N324 root Sat May 11 03:15 19/585 "caos daily insecurity output for Sat M"
N325 root Sat May 11 03:15 87/5097 "caos daily output for Sat May 11 03:15"
N326 root Sat May 11 04:30 15/441 "caos weekly output for Sat May 11 04:3"
N327 root Sun May 12 03:15 19/585 "caos daily insecurity output for Sun M"
N328 root Sun May 12 03:15 87/5097 "caos daily output for Sun May 12 03:15"
N329 root Mon May 13 03:15 19/585 "caos daily insecurity output for Mon M"
N330 root Mon May 13 03:15 87/5097 "caos daily output for Mon May 13 03:15"
N331 root Tue May 14 03:15 19/585 "caos daily insecurity output for Tue M"
N332 root Tue May 14 03:15 87/5097 "caos daily output for Tue May 14 03:15"
N333 root Wed May 15 03:15 19/585 "caos daily insecurity output for Wed M"
N334 root Wed May 15 03:15 87/5097 "caos daily output for Wed May 15 03:15"
N335 root Thu May 16 03:15 19/585 "caos daily insecurity output for Thu M"
N336 root Thu May 16 03:15 87/5097 "caos daily output for Thu May 16 03:15"
N337 root Fri May 17 03:15 19/585 "caos daily insecurity output for Fri M"
N338 root Fri May 17 03:15 87/5097 "caos daily output for Fri May 17 03:15"
N339 root Sat May 18 03:15 19/585 "caos daily insecurity output for Sat M"
N340 root Sat May 18 03:15 86/4995 "caos daily output for Sat May 18 03:15"
N341 root Sat May 18 04:30 15/441 "caos weekly output for Sat May 18 04:3"
---------------------------------------
Comments?
Heron Gallegos
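
Added example, not part of the original message: a Python check that flags the kind of silence visible in the /var/log/messages extract above, where entries stop at May 2 22:00:00 and resume at May 17 15:29:52. The function names, the 24-hour threshold and the `ignore_tags` option are assumptions of this example; the sample lines are copied from the extract, and the year 2002 is supplied by the caller because BSD syslog lines carry none.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# BSD syslog line: "Mon dd HH:MM:SS host tag[pid]: message" (no year field)
LINE_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) "
                     r"\S+ ([^\s:\[]+)(?:\[\d+\])?:")

def parse(lines, start_year):
    """Yield (timestamp, tag) for each parseable line, inferring the year."""
    year, prev_month = start_year, None
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(1) not in MONTHS:
            continue  # wrapped continuation lines and garbage are skipped
        month = MONTHS[m.group(1)]
        if prev_month is not None and month < prev_month:
            year += 1  # month went backwards: assume the log crossed New Year
        prev_month = month
        try:
            ts = datetime(year, month, *(int(m.group(i)) for i in range(2, 6)))
        except ValueError:
            continue  # impossible date such as "Feb 30"
        yield ts, m.group(6)

def find_gaps(lines, start_year, max_silence=timedelta(hours=24), ignore_tags=()):
    """Return (last_seen, next_seen, silence) for each silence > max_silence.

    ignore_tags excludes writers that should not count as proof that syslogd
    is alive (assumption: e.g. newsyslog's "logfile turned over" lines).
    """
    gaps, prev = [], None
    for ts, tag in parse(lines, start_year):
        if tag in ignore_tags:
            continue
        if prev is not None and ts - prev > max_silence:
            gaps.append((prev, ts, ts - prev))
        prev = ts
    return gaps

# Sample copied from the /var/log/messages extract in the message above.
SAMPLE = """\
Apr 30 18:00:01 caos syslogd: restart
May 1 11:00:01 caos syslogd: restart
May 2 04:00:00 caos syslogd: restart
May 2 11:00:00 caos syslogd: restart
May 2 22:00:00 caos syslogd: restart
May 17 15:29:52 caos syslogd: restart
May 17 15:29:53 caos /netbsd: NetBSD 1.5.2 (CAOS) #0: Sat Dec 8 20:09:31 CST 2001
""".splitlines()

if __name__ == "__main__":
    for last, nxt, silence in find_gaps(SAMPLE, 2002):
        print(f"no log entries for {silence}: {last} -> {nxt}")
```

Run from cron against the live log with the current time appended as a final synthetic entry, the same check reports a stall while it is still in progress rather than only after logging resumes.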