On my Centos 5 server, the secure file has not updated since Dec 10. This despite the fact that I run an sshd server that I access many times per day. Most peculiar is the fact that a swatch monitor that I run on the secure file catches plenty of lines. It is as if when swatch catches a line in the file, the line is removed from the file and the modification date is set back. Hard to believe. Any ideas? Thanks, Mike.
> On my Centos 5 server, the secure file has not updated
> since Dec 10. This despite the fact that I run an
> sshd server that I access many times per day. Most
> peculiar is the fact that a swatch monitor that I run
> on the secure file catches plenty of lines. It is
> as if when swatch catches a line in the file, the line
> is removed from the file and the modification date
> is set back. Hard to believe. Any ideas?

What is the output of "lsattr /var/log/secure"? Do you have SELinux enabled, and are there any corresponding lines in /var/log/audit/audit.log?
On Fri, 12 Dec 2008 22:43:46 -0600, Barry Brimer wrote:

>> On my Centos 5 server, the secure file has not updated since Dec 10.
>> This despite the fact that I run an sshd server that I access many
>> times per day. Most peculiar is the fact that a swatch monitor that I
>> run on the secure file catches plenty of lines. It is as if when
>> swatch catches a line in the file, the line is removed from the file
>> and the modification date is set back. Hard to believe. Any ideas?
>
> What is the output of "lsattr /var/log/secure"? Do you have SELinux
> enabled, and are there any corresponding lines in
> /var/log/audit/audit.log?

# lsattr /var/log/secure
------------- /var/log/secure

selinux is disabled

/var/log/audit/audit.log appears to have lines describing a login I did a few minutes ago, and its modification date is correct.

# ls -l /var/log/secure
-rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure

# date
Sat Dec 13 09:42:36 EST 2008

I remain mystified.

Mike.
>>> On my Centos 5 server, the secure file has not updated since Dec 10.
>>> This despite the fact that I run an sshd server that I access many
>>> times per day. Most peculiar is the fact that a swatch monitor that I
>>> run on the secure file catches plenty of lines. It is as if when
>>> swatch catches a line in the file, the line is removed from the file
>>> and the modification date is set back. Hard to believe. Any ideas?
>>
>> What is the output of "lsattr /var/log/secure"? Do you have SELinux
>> enabled, and are there any corresponding lines in
>> /var/log/audit/audit.log?
>
> # lsattr /var/log/secure
> ------------- /var/log/secure
>
> selinux is disabled
>
> /var/log/audit/audit.log appears to have lines describing a login
> I did a few minutes ago, and its modification date is correct.
>
> # ls -l /var/log/secure
> -rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure
>
> # date
> Sat Dec 13 09:42:36 EST 2008

Any unexpected syslog configuration? Does a touch update the timestamp?
On Sat, 13 Dec 2008 11:33:06 -0600, Barry Brimer wrote:

>>>> On my Centos 5 server, the secure file has not updated since Dec 10.
>>>> This despite the fact that I run an sshd server that I access many
>>>> times per day. Most peculiar is the fact that a swatch monitor that
>>>> I run on the secure file catches plenty of lines. It is as if when
>>>> swatch catches a line in the file, the line is removed from the file
>>>> and the modification date is set back. Hard to believe. Any ideas?
>>>
>>> What is the output of "lsattr /var/log/secure"? Do you have SELinux
>>> enabled, and are there any corresponding lines in
>>> /var/log/audit/audit.log?
>>
>> # lsattr /var/log/secure
>> ------------- /var/log/secure
>>
>> selinux is disabled
>>
>> /var/log/audit/audit.log appears to have lines describing a login I did
>> a few minutes ago, and its modification date is correct.
>>
>> # ls -l /var/log/secure
>> -rw------- 1 root root 18950 Dec 10 12:38 /var/log/secure
>>
>> # date
>> Sat Dec 13 09:42:36 EST 2008
>
> Any unexpected syslog configuration? Does a touch update the timestamp?

In syslog.conf:

# added by MDB
local0.* /var/log/httpd/cgi_log
local1.* /var/log/net_que
local2.* /var/log/sock_mon
kern.=debug /var/log/ipt_log

I also have added a number of things to logrotate. These things have been working well for years, although only a few months on Centos.

"touch /var/log/secure" updated the timestamp as expected.

I note that early tomorrow morning the logrotate occurs. I wonder what will happen.

Mike.
Further examination shows numerous log lines that were detected on Dec 12 by swatch using tail on the secure file but do not presently appear in the secure file. However, they do appear in the messages file. Mike.
On Sun, 14 Dec 2008 02:25:17 +0000, Mike -- EMAIL IGNORED wrote:

> Further examination shows numerous log lines that were detected on Dec
> 12 by swatch using tail on the secure file but do not presently appear
> in the secure file. However, they do appear in the messages file.
>
> Mike.

Here are some tentative observations:

If I do a vi on the secure file and write it from vi, it stops recording.

If I do a "/var/init.d/syslog restart", the secure file starts recording.

I still have no idea how swatch continues to function after the syslog stops recording.

Mike.
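
Added example, not part of the thread and not code from any poster: one mechanism consistent with the observations above, assumed here rather than confirmed by the thread, is that saving from the editor left /var/log/secure naming a new inode while syslogd, and a tail started before the edit, kept the descriptors they already held on the old one. The Python below reproduces that in a temporary directory with a constructed stand-in file and constructed log lines; `replace_like_editor`, `is_stale` and `simulate` are names made up for this illustration.

```python
import os
import tempfile


def replace_like_editor(path, text):
    """Write a new file and rename it over path (assumed editor behaviour)."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.rename(tmp, path)  # path now names a different inode


def is_stale(fd, path):
    """True when an open descriptor no longer refers to the file at path."""
    held, named = os.fstat(fd), os.stat(path)
    return (held.st_dev, held.st_ino) != (named.st_dev, named.st_ino)


def simulate():
    """Constructed scenario: a logger, a tail-style reader, then an edit."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secure")  # stand-in, not /var/log/secure
    open(path, "w").close()

    logger = os.open(path, os.O_WRONLY | os.O_APPEND)  # plays syslogd
    reader = os.open(path, os.O_RDONLY)                # plays swatch's tail
    os.write(logger, b"Dec 10 12:38:00 host sshd[1]: before edit\n")

    with open(path) as f:
        replace_like_editor(path, f.read())

    os.write(logger, b"Dec 12 09:00:00 host sshd[2]: after edit\n")
    seen_by_reader = os.read(reader, 4096).decode()  # old inode, still growing
    with open(path) as f:
        on_disk = f.read()                           # new inode, frozen
    stale = is_stale(logger, path)

    # What a syslog restart does: reopen the path, so writes land in it again.
    os.close(logger)
    logger = os.open(path, os.O_WRONLY | os.O_APPEND)
    os.write(logger, b"Dec 14 04:02:00 host sshd[3]: after restart\n")
    with open(path) as f:
        after_restart = f.read()
    reopened_stale = is_stale(logger, path)
    os.close(logger)
    os.close(reader)
    return seen_by_reader, on_disk, stale, after_restart, reopened_stale
```

On a live host the equivalent check is whether any entry under /proc/<pid of syslogd>/fd points at a file marked (deleted).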