No logins after several days 2006-02-16 - By Christopher Trown
Back
Paul N wrote:
> Again, I apologize for the off-topic nature, but here we go.
>
> You should boot the system into single user mode, and edit
> /etc/audit/audit.conf. There is a section called "output" that
> determines some characteristics of audit.d's log files. The control
> you need to change is this line:
> notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";
> which says "suspend auditd, and unfortunately any binaries on your
> system". Change it to one of these, depending on if you want to back
> up the logs produced or have audit.d clear it automatically:
> notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T
> 20% -N 'mv -f %f /backup'";
>
> notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T
> 20% -N 'rm -f %f'";
>
> Clear the logs you can live without in /var until your partition is
> under 80%, and reboot.
>
> Again, I apologize for the off-topic nature, but I wish this were on
> the web for me a month ago...
>
Ditto. I ran into this a couple of months ago. On my backup
server, no less. Fortunately the backups still ran. I just couldn't
check on them.
Chris...
>
>
> On 2/15/06, Masopust, Christian <christian.masopust@(protected)> wrote:
>> Hello Paul,
>>
>> you mentioned that system only shows this problem when auditd is
>> in default-configuration... so how should the configuration
>> be changed that my system will work again??
>> (yes, i've the same problem here... no login after several days,
>> auditd running and var above 80%)...
>>
>> thanks,
>> christian
>>
>>> -- --Original Message-- --
>>> From: taroon-list-bounces@(protected)
>>> [mailto:taroon-list-bounces@(protected)] On Behalf Of Paul N
>>> Sent: Thursday, February 16, 2006 4:18 AM
>>> To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
>>> Subject: Re: No logins after several days
>>>
>>> I know you've shot this down already, but seriously, audit.d makes
>>> some weird issues. If your /var directory is above 80% full on a
>>> default audit.d configuration, your system will hang - no logins
>>> through ssh, the console, or anything, but your services will still
>>> work fine.
>>> Even if you don't have logging on for audit.d, if you have audit.d
>>> running and the partition /var is on hits 80%, you will have no
>>> ability.
>>>
>>> That said, you are definitely NOT running audit.d, and the partition
>>> var is on is definitely NOT above 80%, right?
>>>
>>> Sorry for the redundancy...
>>>
>>> Paul
>>>
>>> On 2/14/06, Jay Lee <jlee@(protected)> wrote:
>>>> On Tue, February 14, 2006 5:49 pm, Thom Paine wrote:
>>>>> Okay, I'm home finally and checked out the server.
>>>>> The console is pretty much dead. I can't get a login
>>> prompt up, but I
>>>>> can hit CTRL-ALT-F2 to get a new one. Typing in root and
>>> pressing enter
>>>> Just to chime in, I had similar issues on a RHEL3 box configured for
>>>> squid. Removing the laus rpm fixed the problem for me.
>>> just stoppindg
>>>> auditd would probably do it to. Looking at
>>> /var/log/auditd/ an extreme
>>>> amount of info was being logged...
>>>>
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list
|
|
