Gentoo Forums
[SOLVED] strange behaviour with /var/log/messages
BillWho
Veteran
Joined: 03 Mar 2012
Posts: 1600
Location: US

Posted: Thu Mar 22, 2012 12:12 am    Post subject: [SOLVED] strange behaviour with /var/log/messages

Hi all,

Not sure if this is the correct forum, but I can't grep /var/log/messages - well I can, but the result is
Code:
root@gentoo-gateway linux # grep nfs /var/log/messages
Binary file /var/log/messages matches

The same happens with piping the output of cat
Code:
root@gentoo-gateway linux # cat /var/log/messages|grep nfs
Binary file (standard input) matches

What I have to do is pipe strings to grep, then I get results. It appears to be related to the type of file
Code:
root@gentoo-gateway linux # file /var/log/messages
/var/log/messages: data

I contacted a friend on IRC and his output of file is
Code:
/var/log/messages: UTF-8 Unicode text, with very long lines

He hasn't updated his installation for quite some time so I was wondering if anyone else here has experienced this behavior recently and if it could possibly be related to a recent update.

I last updated this morning. I can't remember the last time I had to check the log though so I don't know how recent this anomaly is.

As always thanks :wink:


Last edited by BillWho on Thu Mar 22, 2012 3:03 am; edited 1 time in total
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6342

Posted: Thu Mar 22, 2012 12:22 am

Post the output from:
Code:
xxd -l 512 /var/log/messages
ls -d /var/db/pkg/app-admin/*log*/
BillWho
Veteran
Joined: 03 Mar 2012
Posts: 1600
Location: US

Posted: Thu Mar 22, 2012 12:40 am

Ant P,

Thanks for your reply. I have the result of ls -d /var/db/pkg/app-admin/*log*/, but I'm lost with xxd -l 512 /var/log/messages :cry:

Apparently I don't have the package installed and I couldn't find it.

Code:
root@gentoo-gateway boot # ls -d /var/db/pkg/app-admin/*log*/
/var/db/pkg/app-admin/logrotate-3.8.1//  /var/db/pkg/app-admin/syslog-ng-3.3.4//


If you're wondering if there's any content in /var/log/messages
Code:
root@gentoo-gateway portage # strings /var/log/messages|grep rpc.statd
Mar 18 22:51:52 gentoo-gateway rpc.statd[3911]: Caught signal 15, un-registering and exiting
Mar 18 22:53:10 gentoo-gateway rpc.statd[3451]: Version 1.2.5 starting
Mar 18 22:53:10 gentoo-gateway rpc.statd[3451]: Flags: TI-RPC
Mar 18 22:53:10 gentoo-gateway rpc.statd[3451]: Running as root.  chown /var/lib/nfs to choose different user
Mar 18 23:37:44 gentoo-gateway rpc.statd[3928]: Version 1.2.5 starting
Mar 18 23:37:44 gentoo-gateway rpc.statd[3928]: Flags: TI-RPC
Mar 18 23:37:44 gentoo-gateway rpc.statd[3928]: Running as root.  chown /var/lib/nfs to choose different user


This really has me puzzled :?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14957

Posted: Thu Mar 22, 2012 2:35 am

BillWho wrote:
I'm lost with xxd -l 512 /var/log/messages :cry:

Apparently I don't have the package installed and I couldn't find it.
Code:
$ equery b xxd
 * Searching for xxd ...
app-editors/vim-core-7.3.409 (/usr/bin/xxd)

I suspect that something caused a non-printable character to be written to /var/log/messages. This might occur if some daemon was attacked and logged unfiltered shellcode as part of a "failed to authenticate user" message. If this occurred, it does not necessarily mean that the system was breached. Systems which offer service to the public are frequently attacked by bots looking for easy vulnerabilities.
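An added example, not part of any post in this thread: a Python sketch that stands in for the requested xxd dump when xxd is not installed. It lists every run of control bytes in a log with its line, byte offset and the log text preceding it, which shows whether the bytes sit inside one daemon's message or outside any message. The sample bytes and the `exampled` daemon name are constructed for illustration.

```python
import re

# Control bytes that do not belong in a text log. Tab is allowed, newline is the
# line separator, and bytes >= 0x80 are left alone because they may be UTF-8.
NONTEXT = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]+")

def find_nontext_runs(data):
    """Return one dict per run of control bytes found in the raw log data."""
    findings = []
    offset = 0  # byte offset of the start of the current line
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        for m in NONTEXT.finditer(line):
            run = m.group()
            findings.append({
                "line": lineno,
                "offset": offset + m.start(),
                "length": len(run),
                "only_nul": set(run) == {0},
                "hex": run[:16].hex(" "),  # first 16 bytes of the run
                # Text just before the run, e.g. timestamp and program tag.
                "context": line[:m.start()].decode("ascii", "replace")[-60:],
            })
        offset += len(line) + 1  # +1 for the newline removed by split()
    return findings

# Constructed sample: a clean line, then a block of NUL bytes outside any
# message, then a message from a hypothetical daemon that logged raw bytes.
SAMPLE = (
    b"Mar 18 22:53:10 gentoo-gateway rpc.statd[3451]: Version 1.2.5 starting\n"
    + b"\x00" * 12
    + b"Mar 18 22:53:11 gentoo-gateway exampled[4000]: "
    + b"failed to authenticate user \x01\x02 from console\n"
)

if __name__ == "__main__":
    import sys
    # Pass a log path as the first argument; without one the sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in find_nontext_runs(data):
        kind = "NUL run" if f["only_nul"] else "control bytes"
        print(f'line {f["line"]} offset {f["offset"]}: {f["length"]} {kind} '
              f'[{f["hex"]}] after {f["context"]!r}')
```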
BillWho
Veteran
Joined: 03 Mar 2012
Posts: 1600
Location: US

Posted: Thu Mar 22, 2012 2:57 am

Hu,

Life should be so simple - that was the first thing I did. :?
Code:
root@gentoo-gateway boot # equery b xxd
 * Searching for xxd ...
root@gentoo-gateway boot #

I don't have that package (app-editors/vim-core) installed so equery isn't going to return anything.

What I'm going to do is just delete the file and see what happens. I tried entering a message with logger thinking that maybe the stat would update, but no joy there.

This isn't a big problem, just puzzling and I thought that syslog-ng was the culprit due to a yet undiscovered bug.

Thanks for your reply, it's much appreciated 8)
BillWho
Veteran
Joined: 03 Mar 2012
Posts: 1600
Location: US

Posted: Thu Mar 22, 2012 3:03 am

Hu and Ant P,

After deleting and logging a message all seems to be fine now.

Code:
root@gentoo-gateway log # file messages
messages: ASCII text
root@gentoo-gateway log # grep test messages
Mar 21 22:58:02 gentoo-gateway bill: test console message
root@gentoo-gateway log #


I intend to keep my eye on it to see if it happens again and hopefully which process is causing the problem.

Thanks again 8)
BillWho
Veteran
Joined: 03 Mar 2012
Posts: 1600
Location: US

Posted: Thu Mar 22, 2012 3:45 pm

Hi again,

I marked this as solved yesterday, but found that after a reboot the problem returned. I also found this in bugzilla and added my comment.

Apparently there might be a bug :cry:
strolls
n00b
Joined: 17 Mar 2003
Posts: 18

Posted: Wed Nov 20, 2013 7:55 pm

For the benefit of anyone else arriving here by Google, note comment 19, by Steven, in that bug report.

It's easy to overlook this fix, amongst all the other reports and the mess of copy-pasted logfiles and stuff.

I don't seem to be able to link directly to the comment, so here's the relevant part:

Quote:
if i disable the threading option (threaded(yes) => threaded(no)) in /etc/syslog-ng/syslog-ng.conf the issue is gone

Code:
options {
        threaded(no);
        chain_hostnames(no);
        stats_freq(43200);
};


One reboot later, this seems to be working for me.

I hope this helps others.