How to stop the deluge of entries in /var/log files?

Eric Cope eric.cope at gmail.com
Thu Feb 4 20:53:56 MST 2010 

I know on FreeBSD, system crons are located on /var, but user crons are
located in the user directory. Is Linux the same way? Are Cron files located
in multiple areas? Are you checking all cron files?
Thanks,
Eric

On Thu, Feb 4, 2010 at 8:09 PM, Craig White <craigwhite at azapple.com> wrote:

> On Thu, 2010-02-04 at 18:15 -0700, joe at actionline.com wrote:
> > > On Thu, 2010-02-04 at 17:31 -0700, joe at actionline.com wrote:
> > >> While fixing a 'syslog' problem on one of my systems, I just
> discovered
> > >> that on one of my other systems, there has been a deluge of identical
> > >> (redundant) entries (for two different topics), each going into
> several
> > >> different files in /var/log and I can't figure out how or find where
> to
> > >> put a stop to it.
> > >>
> > >> Here are just a half-dozen example lines of each topic showing that
> the
> > >> exact same entry for one going in every single minute 24/7 ... that is
> > >> 60*24=1440 entries every single day for one and a different schedule
> for
> > >> the other.
> > >>
> > >> Example #1:
> > >> Feb  4 04:11:01 localhost crond[3125]: (root) CMD (
> > >> /usr/share/msec/promisc_check.sh)
> > >> Feb  4 04:12:01 localhost crond[3134]: (root) CMD (
> > >> /usr/share/msec/promisc_check.sh)
> > >> Feb  4 04:13:01 localhost crond[3143]: (root) CMD (
> > >> /usr/share/msec/promisc_check.sh)
> > >> Feb  4 04:14:01 localhost crond[3152]: (root) CMD (
> > >> /usr/share/msec/promisc_check.sh)
> > >> Feb  4 04:15:01 localhost crond[3161]: (root) CMD (
> > >> /usr/share/msec/promisc_check.sh)
> > >> Feb  4 04:16:01 localhost crond[3170]: (root) CMD (
> > >> /usr/share/msec/promisc_check.sh)
> > >>
> > >> Example #2:
> > >> Feb  4 04:02:11 localhost msec: Wrong permissions of
> > >> /var/log/lpr/info.4.gz: should be 640
> > >> Feb  4 04:02:11 localhost msec: Wrong permissions of
> > >> /var/log/daemons/info.3.gz: should be 640
> > >> Feb  4 04:02:11 localhost msec: Wrong permissions of
> > >> /var/log/news/news.notice.3.gz: should be 640
> > >> Feb  4 04:02:11 localhost msec: Wrong permissions of
> > >> /etc/rc.d/init.d/avahi-daemon: should be 744
> > >> Feb  4 04:02:11 localhost msec: Wrong permissions of
> > >> /var/log/cron/warnings.5.gz: should be 640
> > >> Feb  4 04:02:11 localhost msec: Wrong permissions of
> > >> /var/log/cups/error_log: should be 640
> > >>
> > >> How can I stop this?
> > > ----
> > > fix the problems...
> > > (fix the permissions...
> > > chmod 640 /var/log/lpr/*
> > > chmod 640 /var/log/daemons/*
> > > chmod 640 /var/log/news/*
> > > chmod 744 /etc/rc.d/init.d/avahi-daemon
> > > chmod 640 /var/log/cups/*
> > > )
> > >
> > > as for Feb  4 04:16:01 localhost crond[3170]: (root) CMD (
> > > /usr/share/msec/promisc_check.sh)
> > >
> > > I'd probably check with your particular distribution for the
> recommended
> > > fix and/or bug report it.
> > >
> > > Craig
> >
> > Thanks Craig.
> >
> > Re the permissions item, I neglected to say that the reported files and
> > directories are already set with the correct permissions, but those
> claims
> > of "wrong permissions" keep on coming anyway.
> ----
> that defies my understanding of things so I struggle to believe it.
>
> what is output of say...
> ls -l /var/log/lpr
> ?
> ----
> >
> > Re the other item, I have searched and searched, but I can't find where
> > the crond action is being generated.  The problem has not always been
> > happening, I just discovered that it started at the end of December 09.
> > And, this problem does not occur on two other systems that have the exact
> > same distro / same version installed at the same time.
> >
> > I've searched for and grep'd through every file I could find that has
> > 'cron' or 'crond' and I can't find any reference to 'promisc_check.sh'
> > and neither 'crontab' (nor any other file I can find has any setting for
> > every minute.  I find only hourly, daily, weekly, monthly:
> >
> > 01 * * * * root run-parts /etc/cron.hourly
> > 02 4 * * * root run-parts /etc/cron.daily
> > 22 4 * * 0 root run-parts /etc/cron.weekly
> > 42 4 1 * * root run-parts /etc/cron.monthly
> ----
> You might want to see what is actually in those files...
> (/etc/cron.hourly/*, etc.) and potentially edit or remove them as
> useful. I suspect the ones that are making you crazy are in the
> cron.hourly
>
> Clearly the 'promisc_check.sh' is in the hourly and that would seem to
> be a safety check from your distro and it is reporting to syslog which
> actually makes a lot of sense and I would probably just leave it alone
> (i.e. keep running the 'promiscuity check' every hour but that's just
> me)
>
> The permissions check are probably part of logrotate and it's possible
> that some of the logrotate functions aren't setting the permissions
> right when it creates/rotates logs (note the 4:02 time) so you might
> want to check /etc/logrotate.d/* stuff but again, I think this is the
> kind of thing that your particular distribution should be aware of and
> make fixes for unless this is because you already 'fixed'.
>
> In summary, I would want to fix the permissions issues being reported
> but I'd probably leave the safety checks alone.
>
> Craig
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
Eric Cope
http://cope-et-al.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20100204/c49f5877/attachment.htm

More information about the PLUG-discuss mailing list