
Missing mail.log files


I'm hoping that somebody can help me think through a problem I've
discovered with a mail server of ours.  This is a machine running an
up-to-date version of Debian lenny (it started out as an etch machine that
was upgraded to lenny once lenny came out).  It's a mail server
running Postfix.

All mail logging is handled by syslogd, and mail logs get written to
mail.log, mail.info, mail.err and mail.warn, as well as to the main syslog
file.  This morning I discovered that I am missing mail logs from 6:46 AM
on March 22 to 6:29 AM on March 24.  The information did get written to
the mail logs during that time, because I viewed those logs last week.
However, now these files are gone.  I still have a copy in
/var/log/syslog.6.gz.  BTW, I maintain mail log files dating back to
several days BEFORE the missing time period.

I found it suspicious that log files would simply vanish.  So I
immediately changed the machine passwords and locked down the hosts.allow
file to limit access.  Then I installed chkrootkit, rkhunter, and
unhide.  None of these programs found anything odd.  Everything appeared
as it should.  "last" shows no logins other than mine.  The bash history
file shows nothing out of the ordinary.  Therefore my original paranoia
is beginning to subside.  I can find nothing out of the ordinary on this
machine other than two days' worth of missing log files.

Is it possible that some log files were somehow deleted during the daily
syslog rotation?  Has anybody ever seen this?  Am I being too paranoid?
Or not paranoid enough?  I would love to blame this on the savelog cron

Bryan Walton
