No logins after several days 2006-02-16 - By Paul N
Back
Again, I apologize for the off-topic nature, but here we go.
You should boot the system into single user mode, and edit
/etc/audit/audit.conf. There is a section called "output" that
determines some characteristics of audit.d's log files. The control
you need to change is this line:
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";
which says "suspend auditd, and unfortunately any binaries on your
system". Change it to one of these, depending on if you want to back
up the logs produced or have audit.d clear it automatically:
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T
20% -N 'mv -f %f /backup'";
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T
20% -N 'rm -f %f'";
Clear the logs you can live without in /var until your partition is
under 80%, and reboot.
Again, I apologize for the off-topic nature, but I wish this were on
the web for me a month ago...
Paul
On 2/15/06, Masopust, Christian <christian.masopust@(protected)> wrote:
>
> Hello Paul,
>
> you mentioned that system only shows this problem when auditd is
> in default-configuration... so how should the configuration
> be changed that my system will work again??
> (yes, i've the same problem here... no login after several days,
> auditd running and var above 80%)...
>
> thanks,
> christian
>
> > -- --Original Message-- --
> > From: taroon-list-bounces@(protected)
> > [mailto:taroon-list-bounces@(protected)] On Behalf Of Paul N
> > Sent: Thursday, February 16, 2006 4:18 AM
> > To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
> > Subject: Re: No logins after several days
> >
> > I know you've shot this down already, but seriously, audit.d makes
> > some weird issues. If your /var directory is above 80% full on a
> > default audit.d configuration, your system will hang - no logins
> > through ssh, the console, or anything, but your services will still
> > work fine.
> > Even if you don't have logging on for audit.d, if you have audit.d
> > running and the partition /var is on hits 80%, you will have no
> > ability.
> >
> > That said, you are definitely NOT running audit.d, and the partition
> > var is on is definitely NOT above 80%, right?
> >
> > Sorry for the redundancy...
> >
> > Paul
> >
> > On 2/14/06, Jay Lee <jlee@(protected)> wrote:
> > > On Tue, February 14, 2006 5:49 pm, Thom Paine wrote:
> > > > Okay, I'm home finally and checked out the server.
> > > > The console is pretty much dead. I can't get a login
> > prompt up, but I
> > > > can hit CTRL-ALT-F2 to get a new one. Typing in root and
> > pressing enter
> > >
> > > Just to chime in, I had similar issues on a RHEL3 box configured for
> > > squid. Removing the laus rpm fixed the problem for me.
> > just stoppindg
> > > auditd would probably do it to. Looking at
> > /var/log/auditd/ an extreme
> > > amount of info was being logged...
> > >
> > > Jay
> > > --
> > > Jay Lee
> > > Network / Systems Administrator
> > > Information Technology Dept.
> > > Philadelphia Biblical University
> > > --
> > >
> > > --
> > > Taroon-list mailing list
> > > Taroon-list@(protected)
> > > https://www.redhat.com/mailman/listinfo/taroon-list
> > >
> >
> > --
> > Taroon-list mailing list
> > Taroon-list@(protected)
> > https://www.redhat.com/mailman/listinfo/taroon-list
> >
>
> --
> Taroon-list mailing list
> Taroon-list@(protected)
> https://www.redhat.com/mailman/listinfo/taroon-list
>
--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list
|
|
