 The Answer Gang
There is no guarantee that your questions here will ever be answered. You can be published anonymously - just let us know!
Reading the logs
From Andrew
Answered By Heather Stern
Hello Mr Answer Guy,
While I'm here I'm going to get my 2
cents worth &, so throw a few questions at you ( hehe that's funny since
you offer your knowledge for nicks). I'll get in now before you decide
to go commercial
 ..
..
[Heather] Some of us are consultants, for those who enjoy directly working with a linux guru, or to get guaranteed an answer of some sort - TAG gets a lot more mail than anybody can really answer, and complicated or non linux things often get ignored.
Running Redhat 6.1
1./ 1st thing is as soon as I decide to start logging kernel logs
to /var/log/kernel via syslog.conf I get the following
Mar 28 14:20:12 echelon kernel: klogd 1.3-3, log source = /proc/kmsg started.
Mar 28 14:20:12 echelon kernel: Inspecting /boot/System.map-2.2.12-20
Mar 28 14:20:12 echelon kernel: Loaded 6865 symbols from /boot/System.map-2.2.12-20.
Mar 28 14:20:12 echelon kernel: Symbols match kernel version 2.2.12.
Mar 28 14:20:12 echelon kernel: Loaded 168 symbols from 12 modules.
[Heather] That part's normal...
Mar 28 14:20:12 echelon kernel: VFS: Disk change detected on device ide1(22,64)
Mar 28 14:20:44 echelon last message repeated 17 times
Mar 28 14:21:46 echelon last message repeated 31 times
Mar 28 14:22:47 echelon last message repeated 30 times
Mar 28 14:23:49 echelon last message repeated 31 times
Mar 28 14:24:51 echelon last message repeated 31 times
Mar 28 14:25:52 echelon last message repeated 30 times
(What does this mean???)
[Heather] Uh, that it's gone crazy thinking there's a disk change when there's not. Ide1 is your second IDE chain, so maybe your CDrom, or an ls-120 bay.
Removable media bays have either optical or mechanical sensors to detect that new media has arrived ... enough dust particles can screw up either one.
I have included my syslog.conf. Do you have any idea how I can stop this
occurring?? I thought it had something to do with having multiple things
pointing to the same place
[Heather] Well, if you have two devices on your second IDE chain, check that they aren't both set to master, or both set to slave, in their jumpers. It's only a guess but if the BIOS let them get this far in such state, the kernel could be confused who was talking, and have assumed it was a disk change.
But I'd do a shutdown and try a clean air canister anyway, it doesn't hurt. Don't forget to cover your mouth, there are usually a lot more dust bunnies than I expect when I do this.
2./ Should I be concerned with this. I get it continually in my logs
Mar 28 12:01:02 echelon sendmail[25388]: f2S212W25388: forward /home/Users/andrew/.forward.eziekiel: World writable directory
Mar 28 12:01:02 echelon sendmail[25388]: f2S212W25388: forward /home/Users/andrew/.forward: World writable directory
I mean obviously if I am to receive mail this would need to be writable from, as it says, the world. I am right in thinking that, aren't I??
[Heather] No, what this is saying is, since your home directory /home/Users/andrew turns out to be world writable, anybody else who ever logged into your system could change your .forward. That's a security problem, some utter stranger could get your mail, and the kind folks at sendmail got tired of people claiming that such lossages (whether pranks or malicious) were some sort of bug in sendmail. So, it checks.
You should either fix your home from being world writable (after all, your other stuff is vulnerable too) or, you can set the DONT_BLAME_SENDMAIL feature in sendmail, and it will stop checking for silly things like these. And your own fault if it breaks wickedly because of weird permissions.
There are so many questions I have when it comes to Linux.
3./ When I shut down X I might see these errors. They don't mean that
much but I would love to know how to fix them. These are found in .xsession-errors
xscreensaver-command: no screensaver is running on display :0.0
Xlib: connection to ":0.0" refused by server
Xlib: Client is not authorized to connect to Server
xscreensaver: Can't open display: :0
xscreensaver: initial effective uid/gid was root/root (0/0)
xscreensaver: running as nobody/nobody (99/99)
rm: cannot remove `/root/.gnome//gmc-aoiM8A': No such file or directory
subshell.c: couldn't get terminal settings: Inappropriate ioctl for device
[Heather] When you shut down X numerous things will lose their server connections. If the xscreensaver stuff is happening during startup of X you probably have to fix your .Xauthority or something.
rm not being able to remove absent files, that's not a bug, it's just being noisy.
Usually apps that use ioctls recover from ioctl glitches, since ioctls are so "close to the bare metal" they behave differently on a lot of systems.
4./ When I start a ppp session via ifup ppp0 I get the following
command not found but then it kicks in anyhow & dials up without problem.
Wish I could fix that strange one
[Heather] Your chatscript probably tells it to run an app which is not installed on your system. The ppp documentation is huge, but most of the control files are plain text under /etc/ppp or /etc/chatscripts
5./ I think snort is a great program but it still throws some false alarms
I constantly see info I don't need to like the following
[Heather] Well, I don't use snort so I can't explain its stuff.
Then the like of this error
Mar 27 01:15:20 echelon pam_console[11450]: can't find device or X11 socket to examine for 1.
Can you suggest a book that gets away from the obvious within Linux & helps with questions that aren't as common like the last one for example..
[Heather] X however, uses a special breed of networking internal to your box, called "UNIX domain sockets". So that's the kind of socket it's talking about looking for. What sort of examination it wanted to do I still can't say.
Thank you
Andrew
[Heather] Hope that helped. There are lots of Linux books, but I'm used to recommending towards a less technical crowd. Some linux-y things you were asking about above are not very linux specific, so good UNIX books can help too.
Jim Dennis wrote a nice book "Linux System Administration" from New Riders, but it's more an explanation of planning and things to do in being a daily sysadmin, not "how to read syslogs". Mr. Sobell's "Hands On Linux" is good for getting people to swimming level in the Linux icy seas, but again, it's more about doing things, and less about logs reading.
Not that I'm trying to discourage you! If more sysadmins cared a bit what the messages their logs contain really mean, I think many systems would be healthier. I just don't know a book that's the kind of reference you're thinking of.
Hello Heather,
Wow you were right on the money with these kernel errors. I have just added a removable harddrive to this computer so I'll look into the jumper setting. Thanx
The one I'm not too sure about though is the sendmail part. My permissions for, let's say, my account/user directory are as follows
drwxr-xr-x 28 andrew users 4096 Mar 29 12:52 andrew
What permissions would you suggest here & for my other users ???
Thanks again
Andrew
[Heather] Your home directory looks okay, maybe you should see if any directories further up the chain are world writable.
The really security conscious person might have one group per user, and reserve use of the group named "users" that contains normal accounts, for things for all the people to use, so that they can avoid world writable directories at all. Unfortunately directories and files can only belong to one group at a time. And it's a little odd to make your home world readable too, but not uncommon, and in a private system, not so much of a big deal.
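Heather's suggestion to look at the directories further up the chain can be scripted. The sketch below is an added example, not part of the original exchange: the function names are made up for illustration, and it reports only world-writable directories, the condition named in the sendmail log lines above.

```shell
#!/bin/sh
# Added example: walk from a file's directory up to / and list every
# directory on the way that is world-writable.

# is_world_writable DIR -> succeeds if "other" has write permission on DIR.
is_world_writable() {
    # ls -ld prints a mode string such as "drwxrwxrwx"; character 9 is the
    # write bit for "other". Sticky directories like /tmp ("drwxrwxrwt")
    # are still reported, because the write bit is set.
    [ "$(ls -ld -- "$1" | cut -c9)" = "w" ]
}

# unsafe_dirs FILE -> prints each world-writable directory on FILE's path,
# nearest first. Prints nothing when the whole chain is clean.
unsafe_dirs() {
    # Resolve symlinks so the real directories are the ones inspected.
    dir=$(cd -- "$(dirname -- "$1")" && pwd -P) || return 2
    while :; do
        if is_world_writable "$dir"; then
            printf '%s\n' "$dir"
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done
}

# Stand-alone use: sh thisscript /home/Users/andrew/.forward
if [ $# -gt 0 ]; then
    unsafe_dirs "$1"
fi
```

Any directory it prints can be fixed with `chmod o-w` once you have confirmed nothing relies on it being world-writable.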
Hello Heather,
Just a quick message to again say thank you very much for your prompt email reply. Unfortunately my friends & colleagues are more windows based so I can't call on too many people for help when Linux hiccups..
Being able to ask people like you these strange types of questions help sooo much
Cheers
Andrew