
Re: Missing mail.log files



Hi,

On Mon, 30-03-2009 at 16:44 -0500, Walton, Bryan K wrote:

> I'm hoping that somebody can help me think through a problem I've
> discovered with a mail server of ours.  This is a machine running an
> up-to-date version of Debian lenny (started out as an etch machine that
> has been upgraded to lenny once lenny came out).  It's a mailserver
> running Postfix.
> 
> All mail log files are handled by syslogd and mail logs get written to
> mail.log, mail.info, mail.err, mail.warn --- as well as to the main syslog
> file.  This morning I discovered that I am missing mail logs from 6:46AM
> on March 22 to 6:29AM on March 24.  The information did get written to
> the mail logs during that time, because I viewed those logs last week.
> However, now these files are gone.  I still have a copy in
> /var/log/syslog.6.gz.  BTW, I maintain mail log files dating back to
> several days BEFORE the missing time period.

My answer has nothing to do with security, but since the issue was
raised here, here are my two cents.

It would be useful to see the output of "ls -l /var/log/mail.log*", but
it sounds like your rotation preferences were overwritten after the
upgrade.

Our mail servers are still on Etch, but I'd suggest taking a look at

  /etc/cron.daily/sysklogd

Search for these lines at the beginning:

  cd /var/log
  # syslogd-listfiles prints every log file syslogd writes to
  for LOG in `syslogd-listfiles`
  do
    # only rotate non-empty logs; -c is how many rotated copies are kept
    if [ -s "$LOG" ]; then
      savelog -g adm -m 640 -u root -c 7 "$LOG" >/dev/null
    fi
  done

and check the rotation cycle (the "-c" parameter).

If your mail.log* files are listed by the "syslogd-listfiles" command,
maybe they are being rotated with a cycle of 7 days (I think it is the
default for the Debian package in Etch), so you can have older files
(created by your previous longer rotation period), but the newer files
only last for 7 days.

I hope I made myself clear enough...


> I found this suspicious that log files would simply vanish.  So, I
> immediately changed the machine passwords and locked down the host.allow
> file to limit access.  Then, I installed chkrootkit, rkhunter, and
> unhide.  None of these programs found anything odd.  Everything appeared
> as it should.  "last" shows no logins other than mine.  The bash history
> file shows nothing out of the ordinary.  Therefore, my original paranoia
> is beginning to subside.  I can find nothing out of the ordinary on this
> machine other than two days' worth of missing log files.
> 
> Is it possible that during the daily syslog rotation that some log files
> were deleted somehow?  Anybody ever seen this?  Am I being too paranoid?
> Or not paranoid enough?  I would love to blame this on the savelog cron
> job.
> 
> Thanks,
> Bryan Walton


Regards,
-- 
Rafael Varela Pet
Area de Tecnoloxías da Información e Comunicacións

Universidade de Santiago de Compostela
15782 Santiago de Compostela
http://www.usc.es/atic
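
As an added example (not part of this thread, nor Debian's own tooling), a
POSIX sh check that reads the savelog cycle out of a cron script like the
one quoted above and flags it when it is shorter than the retention the
site expects. The cron fragment it parses is constructed inline to mirror
the quoted snippet; falling back to 7 when -c is absent follows savelog's
documented default.

```shell
#!/bin/sh
# Constructed sample of /etc/cron.daily/sysklogd, mirroring the snippet
# quoted in the reply (the real file on a given host may differ).
CRON_SAMPLE=$(mktemp)
trap 'rm -f "$CRON_SAMPLE"' EXIT
cat > "$CRON_SAMPLE" <<'EOF'
#! /bin/sh
cd /var/log
for LOG in `syslogd-listfiles`
do
  if [ -s $LOG ]; then
    savelog -g adm -m 640 -u root -c 7 $LOG >/dev/null
  fi
done
EOF

# Print the -c cycle of the first savelog call found in a cron script.
# savelog keeps that many rotated copies and rotates once per run, so with
# a daily cron job the cycle is the number of days of history retained.
# savelog's own default is 7 when -c is not given.
savelog_cycle() {
    cycle=$(sed -n 's/.*savelog .*-c[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${cycle:-7}"
}

# Return 0 when the cycle keeps at least MIN_DAYS days of logs, 1 otherwise.
# A cycle shorter than the retention you rely on means logs older than the
# cycle vanish silently, which is exactly what a missing-log gap looks like.
check_retention() {
    cycle=$(savelog_cycle "$1")
    if [ "$cycle" -lt "$2" ]; then
        echo "WARN: savelog -c $cycle in $1 keeps only $cycle rotations; policy wants $2"
        return 1
    fi
    echo "OK: savelog -c $cycle in $1 satisfies $2-day retention"
    return 0
}

# Usage: audit the sample against a 30-day retention requirement.
check_retention "$CRON_SAMPLE" 30 || true
```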


