Frequency of /var/log/auth.log purges (question answered)

I check /var/log/auth.log almost daily for break-in attempts - always unsuccessful (knock on wood) thanks to DenyHosts. However, I recently found that the log had been emptied!
Being a little paranoid as I usually am, I thought at first that someone had broken in and was trying to cover their tracks. But then I realized it was November 1...
Is /var/log/auth.log cleared monthly? How can I control how often it is cleared, if at all?
Last edited by deconstrained (2009-11-01 17:06:36)

I agree with vacant. And you can run this command to see your earlier auth.log files:
ls -la /var/log/auth.log*
If you care about log files then you should definitely read more about logrotate, cron, anacron and syslog.
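
One way to tell a routine rotation from an unexplained wipe, as an added example that is not part of the original thread: the script reports whether an empty log has a rotated sibling that still holds entries. It assumes rotated copies sit beside the live log as NAME.N or NAME.N.gz; the function names and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an empty log as "rotated" or "unexplained".
# Assumption: rotated copies are named LOG.N or LOG.N.gz in the same directory.

# has_content FILE -> succeeds if FILE holds at least one non-empty line.
# A gzip of an empty file is itself a few bytes long, so compressed
# archives are decompressed instead of being judged by their size.
has_content() {
    case "$1" in
        *.gz) gzip -cd -- "$1" 2>/dev/null | grep -q . ;;
        *)    [ -s "$1" ] ;;
    esac
}

# classify_log LOG -> prints one of:
#   active       the live log has entries
#   rotated      the live log is empty, but a rotated sibling holds entries
#   unexplained  the live log is empty or missing and no sibling holds entries
classify_log() {
    log=$1
    if [ -s "$log" ]; then
        echo active
        return 0
    fi
    for sibling in "$log".[0-9]*; do
        [ -e "$sibling" ] || continue      # the glob matched nothing
        if has_content "$sibling"; then
            echo rotated
            return 0
        fi
    done
    echo unexplained
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
# Constructed sample entry, not taken from any real system.
printf 'Oct 31 23:59:01 myhost sshd[101]: Failed password for root\n' \
    > "$demo_dir/auth.log.1"
: > "$demo_dir/auth.log"        # emptied on the 1st, previous month kept in .1
: > "$demo_dir/kernel.log"      # empty live log ...
: > "$demo_dir/kernel.log.1"    # ... whose rotated copy is empty as well
for name in auth.log kernel.log; do
    printf '%s: %s\n' "$name" "$(classify_log "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

An "unexplained" result is the case worth a closer look: either logging itself is broken or the file was emptied by something other than the rotation job.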

Similar Messages

  • Weird entry in /var/log/auth.log

    Hello!
    Well, I was looking through my logs and came across this just now in /var/log/auth.log. I have no idea what this means, so in case it is something to worry about I figured I'd make a post.
    Does anyone know what this means? I couldn't find anything of use regarding this entry.
    May 25 20:11:23 myhost firefox: getaddrinfo*.gaih_getanswer: got type "DNAME"
    May 26 18:48:03 myhost firefox: getaddrinfo*.gaih_getanswer: got type "DNAME"
    May 26 18:48:03 myhost firefox: getaddrinfo*.gaih_getanswer: got type "DNAME"
    May 26 18:48:03 myhost firefox: getaddrinfo*.gaih_getanswer: got type "DNAME"
    Last edited by eyescream (2010-05-30 18:39:02)

    It looks like a bug in one of the JavaScripts that get loaded and run when you surf the forums. It's part of the Omniture SiteCatalyst web analytics product. Apple must use it to analyze traffic on this site.
    There's nothing you can do about it, it's nothing to worry about, and only Apple (or Omniture) can fix it.
    charlie

  • ICal doesn't show delegation, and generates date and time error messages in /var/log/system.log

    I have a problem with my iCal, when I use my caldav account, I can only see my own calendar on my MBA, on my co-workers MBP it works fine with both my account and his. My co-worker can't see other calendars than his own when he uses iCal on my laptop.
    We can reproduce this problem on his computer by setting Location to Automatic rather than Amsterdam, then after deleting iCal's cache files, the caldav account and setting the Location back to Amsterdam solves the problem for him.
    It does not solve the problem for me (or several other co-workers). We've been looking at this for a few weeks, and we can not find any clear pattern why certain machines have this problem and others don't.
    All machines (both affected and unaffected) are running Mac OS 10.7.2 with iCal 5.0.1
    I've spoken to Apple support over the phone (in the Netherlands), unfortunately, they couldn't help with this.
    So far we've tried numerous location and language settings, but on affected machines nothing appears to solve the delegation problem (which we assume to be connected to the error messages iCal generates)
    Starting iCal yields the following error messages in /var/log/system.log:
    Jan  5 11:31:05 dhcp-91 [0x0-0x58f58f].com.apple.iCal[23884]: line 1,1: expecting FREQUENCE, found 'BYDAY' as token type 5
    Jan  5 11:31:05 dhcp-91 iCal[23884]: iCalendar recurrence failure BYDAY=-1SU;FREQ=YEARLY;BYMONTH=3
              line 1,6: unexpected char: '='
    Jan  5 11:31:05 dhcp-91 [0x0-0x58f58f].com.apple.iCal[23884]: line 1,1: expecting FREQUENCE, found 'BYDAY' as token type 5
    Jan  5 11:31:05 dhcp-91 iCal[23884]: iCalendar recurrence failure BYDAY=-1SU;FREQ=YEARLY;BYMONTH=10
              line 1,6: unexpected char: '='
    Jan  5 11:31:05 dhcp-91 iCal[23884]: Unexpected EOF, returning last token as fallback
    Jan  5 11:31:05 dhcp-91 iCal[23884]: VTIMEZONE does not match System Time Zone (Europe/Amsterdam) for 20100105T000000 to 20120105T000000: (
                  "interval: 2001-01-01 01:00:00 +0100, offset: 3600"
              ) != (
                  "interval: 2010-03-28 03:00:00 +0200, offset: 7200",
                  "interval: 2010-10-31 02:00:00 +0100, offset: 3600",
                  "interval: 2011-03-27 03:00:00 +0200, offset: 7200",
                  "interval: 2011-10-30 02:00:00 +0100, offset: 3600"
              BEGIN:VTIMEZONE
              X-LIC-LOCATION:Europe/Amsterdam
              TZID:Europe/Amsterdam
              BEGIN:DAYLIGHT
              TZOFFSETFROM:+0100
              TZNAME:CEST
              TZOFFSETTO:+0200
              DTSTART:19700329T020000
              END:DAYLIGHT
              BEGIN:STANDARD
              TZOFFSETFROM:+0200
              TZNAME:CET
              TZOFFSETTO:+0100
              DTSTART:19701025T030000
              END:STANDARD
              END:VTIMEZONE
    Jan  5 11:31:05 dhcp-91 [0x0-0x58f58f].com.apple.iCal[23884]: line 1,1: expecting FREQUENCE, found 'BYDAY' as token type 5
    Jan  5 11:31:05 dhcp-91 iCal[23884]: iCalendar recurrence failure BYDAY=-1SU;FREQ=YEARLY;BYMONTH=3
              line 1,6: unexpected char: '='
    Jan  5 11:31:05 dhcp-91 [0x0-0x58f58f].com.apple.iCal[23884]: line 1,1: expecting FREQUENCE, found 'BYDAY' as token type 5
    Jan  5 11:31:05 dhcp-91 iCal[23884]: iCalendar recurrence failure BYDAY=-1SU;FREQ=YEARLY;BYMONTH=10
              line 1,6: unexpected char: '='
    Jan  5 11:31:05 dhcp-91 iCal[23884]: Unexpected EOF, returning last token as fallback
    Jan  5 11:31:05 dhcp-91 iCal[23884]: VTIMEZONE does not match System Time Zone (Europe/Amsterdam) for 20100105T000000 to 20120105T000000: (
                  "interval: 2001-01-01 01:00:00 +0100, offset: 3600"
              ) != (
                  "interval: 2010-03-28 03:00:00 +0200, offset: 7200",
                  "interval: 2010-10-31 02:00:00 +0100, offset: 3600",
                  "interval: 2011-03-27 03:00:00 +0200, offset: 7200",
                  "interval: 2011-10-30 02:00:00 +0100, offset: 3600"
              BEGIN:VTIMEZONE
              X-LIC-LOCATION:Europe/Amsterdam
              TZID:Europe/Amsterdam
              BEGIN:DAYLIGHT
              TZOFFSETFROM:+0100
              TZNAME:CEST
              TZOFFSETTO:+0200
              DTSTART:19700329T020000
              END:DAYLIGHT
              BEGIN:STANDARD
              TZOFFSETFROM:+0200
              TZNAME:CET
              TZOFFSETTO:+0100
              DTSTART:19701025T030000
              END:STANDARD
              END:VTIMEZONE
    And when I close iCal I get:
    Jan  5 11:33:25 dhcp-91 [0x0-0x592592].com.apple.iCal[23894]: token mismatch: 4 != 5

    I'm seeing the same thing, and I can't even find where OS X stores calendars on disk anymore...

  • Hard Drive filling up: SubmitDiagInfo, /private/var & log issues

    This topic is part question, part help for people I've seen having a similar problem in other threads. My issue is different enough from the other issues, that I wanted to post it as a separate topic.
    I've had about 24GB of available space for weeks now. I haven't downloaded any large files recently, nor created any myself.
    Suddenly I noticed the hard drive space decreasing. I went from 24GB, to 19GB, to 10GB, then 8, 5, 1.5... next thing I knew, it said I had 260MB available. This was within maybe two days, with a big ramp-down within a couple of hours this morning, while I was on a train, and not even connected to a network.
    I started getting error messages saying my hard drive was full; then, I got errors saying I didn't have enough application memory, and applications were being paused, and I would have to force quit them. Within about 5 minutes, I dropped from 1.5GB to 260MB.
    Thinking back, the last week or so, I remembered that sometimes when I came into my office in the morning, my Mac would be awake (I usually sleep it at the end of the day), and an error message would be displayed saying SubmitDiagInfo had crashed. I thought this might have something to do with it.
    I did some detective work in these forums. I checked Activity Monitor and the Console. Sure enough, SubmitDiagInfo was taking up a bunch of CPU time.
    The Console revealed I had a lot of Diagnostic Logs. I tried deleting them with the Console's Clear button, but it didn't seem to do anything. I checked with OmniDiskSweep, and sure enough, I had over 20GB of log files.
    At this point, my hard drive was so full, I had to force quit OmniDiskSweep. I used the Go To Folder command and entered /private/var/log - The Diagnostic Logs folder was nearly 20GB. I deleted it and emptied the trash immediately.
    I looked at the /private/var/vm folder and noticed it was also very large (10GB), but I had read elsewhere not to mess with this folder.
    From the console, I quit SubmitDiagInfo.
    I check my hard drive, and I'm suddenly back to 24GB free space.
    I look again at /private/var/vm, and sure enough it is 5GB smaller.
    This is weird stuff, and I hope this description helps anyone else having this problem.
    What's interesting is, because the /private folder is invisible, you can't use it to calculate your disk space usage. For example, the folders on my drive had the following space usage:
    62.46GB + 34.53GB + 22.96GB + 4.78GB + 4.02GB = 128.75GB (plus a few "small" folders with maybe 300MB)
    Since the drive showed 159GB total space available, I couldn't figure out where the other 30GB was.
    Once I found /private/log, I could see it had 19.29GB:
    62.46 + 34.53 + 22.96 + 4.78 + 4.02 + 19.29 = 148.04 - ah, this makes more sense, but I'm still missing 10GB! So, I look at /private/vm, and boom, there is the extra 10.6GB hiding. All 159GB present and accounted for.
    The question I have is, of course, can anyone explain why this is happening, so I can prevent it from happening again?
    I hope someone finds this helpful.

    Thanks... that is helpful. I have Carbon Copy Cloner, not
    Super Duper, so I will keep that solution in mind.
    Do not, repeat do not, clone your current suspect hard drive
    to your CCC backup. That would defeat the purpose of having
    a good backup. I don't know if you can boot from your CCC
    backup. That would be a good test. I was able to boot from
    my SuperDuper backup and notice normal hard drive space.
    In the meantime, I ran the extended system test, and the
    computer passed.
    Mine with the growing hard drive passed every test I had plus
    the test Apple recommended. They were quick to place the blame
    on a Virtual Windows XP Pro. I do not think that was the
    problem. My normal Macintosh HD is usually about 52 GB
    and it was showing 110 GB used and I never could figure out
    what was hogging the hard drive.
    Good luck!

  • 2 TB MyCloud filesystems "/tmp" and "/var/log" both at 100%

    Now, this is just plain weird...  here's the output from "df -k":
    Filesystem 1K-blocks Used Available Use% Mounted on
    rootfs 1968336 685956 1182392 37% /
    /dev/root 1968336 685956 1182392 37% /
    tmpfs 40960 20992 19968 52% /run
    tmpfs 40960 64 40896 1% /run/lock
    tmpfs 10240 0 10240 0% /dev
    tmpfs 5120 0 5120 0% /run/shm
    tmpfs 102400 102400 0 100% /tmp                                           <<<<<<<<<<<<<---------------
    /dev/root 1968336 685956 1182392 37% /var/log.hdd
    ramlog-tmpfs 20480 20480 0 100% /var/log                             <<<<<<<<<<<<<---------------
    /dev/sda4 1918220368 26235484 1853008884 2% /DataVolume
    /dev/sda4 1918220368 26235484 1853008884 2% /CacheVolume
    /dev/sda4 1918220368 26235484 1853008884 2% /nfs/TimeMachineBackup
    /dev/sda4 1918220368 26235484 1853008884 2% /nfs/Public
    /dev/sda4 1918220368 26235484 1853008884 2% /nfs/SmartWare
    (pls. excuse the formatting but you can see at the arrows that /var/log and /tmp are at 100%)
    "/tmp" is filling up with *hundreds* of files with the form
    -rw------- 1 www-data www-data 0 Jul 14 00:43 sess_pdh5c9g907vqvusb3mdsvtlum3
    -rw------- 1 www-data www-data 0 Jul 14 00:43 sess_2a7v2di677ra43sh76lonm3de1
    -rw------- 1 www-data www-data 0 Jul 14 00:43 sess_o6kh3i4iggg78evs53kp6enpf6
    -rw------- 1 www-data www-data 0 Jul 14 00:43 sess_o0ahso52sef3h0if3ifpo4dno3
    -rw------- 1 www-data www-data 0 Jul 14 00:43 sess_bvn1o9v4b4ldgoq9uvtn2n24i0
    -rw------- 1 www-data www-data 0 Jul 14 00:43 sess_h01fbr9o1pte3ud2s9ainth7b6
    all similarly named "sess_[somethingorother]"
    And "/var/log" is filling up due to file "/var/log/user.log", with gazillions of error messages of the form
    Jul 14 00:02:06 WDMyCloud REST_API[6751]: 192.168.1.101 ORION_LOG /var/www/rest-api/api/Auth/src/Auth/User/UserSecurity.php ISAUTHENTICATED [ERROR] dbgvar0: Array\n(\n [_] => 1436857244438\n [RequestScope] => RequestScope Object\n (\n )\n\n)\n
    and file "/var/log/apache2/error.log", that has more gazillions of error messages in it of the form
    [Tue Jul 14 00:07:25.715561 2015] [:error] [pid 7107] [client 192.168.1.101:3844] PHP Fatal error: Uncaught exception 'Zend\\Log\\Exception\\RuntimeException' with message 'No log writer specified' in /var/www/rest-api/lib/Zend/Log/Logger.php:245\nStack trace:\n#0 /var/www/rest-api/lib/Zend/Log/Logger.php(396): Zend\\Log\\Logger->log(4, 'Unknown: open(/...', Array)\n#1 [internal function]: Zend\\Log\\Logger::Zend\\Log\\{closure}(2, 'Unknown: open(/...', 'Unknown', 0, Array)\n#2 {main}\n thrown in /var/www/rest-api/lib/Zend/Log/Logger.php on line 245
    ooookay... something has clearly gone bezoomny...  Anybody seen this?  before I go off on Yet Another Mad Debian Bug Hunt?

    Hey WD...  Y'all's got a BUG... When I access the MyClod from my laptop running XP with FireFox, I get the thousands of  "sess_*" files written to /tmp, and I get groups of messages of the form
    Jul 14 22:36:26 WDMyCloud REST_API[23951]: 192.168.1.101 ORION_LOG /var/www/rest-api/api/Auth/src/Auth/User/UserSecurity.php ISAUTHENTICATED [ERROR] Authentication failure for /api/2.1/rest/mediacrawler_status?_=1436938574613
    Jul 14 22:36:26 WDMyCloud REST_API[23951]: 192.168.1.101 ORION_LOG /var/www/rest-api/api/Auth/src/Auth/User/UserSecurity.php ISAUTHENTICATED [ERROR] dbgvar0: Array\n(\n [_] => 1436938574613\n [RequestScope] => RequestScope Object\n (\n )\n\n)\n
    Jul 14 22:36:26 WDMyCloud REST_API[23951]: 192.168.1.101 ORION_LOG /var/www/rest-api/api/Auth/src/Auth/User/UserSecurity.php ISAUTHENTICATED [ERROR] dbgvar0: Array\n(\n [_] => 1436938574613\n [RequestScope] => RequestScope Object\n (\n )\n\n)\n
    written to /var/log/user.log. But when I access it similarly from the desktop machine, also running XP with FireFox, I just get *one* of the "sess_*" whatever files written to /tmp, and just one set of messages of the form
    Jul 14 22:40:26 WDMyCloud REST_API[24325]: 192.168.1.100 OUTPUT DlnaServer\Controller\Database GET SUCCESS
    Jul 14 22:40:29 WDMyCloud REST_API[23952]: 192.168.1.100 OUTPUT System\Configuration\Controller\FactoryRestore GET SUCCESS
    Jul 14 22:40:29 WDMyCloud Zend\Log[23877]: 8192
    Jul 14 22:40:51 WDMyCloud REST_API[23952]: 192.168.1.100 OUTPUT Alerts\Controller\Alerts GET SUCCESS
    written to /var/log/user.log. So the MyClod is playing nice with some computers and not others... My guess is this could be happening more than WD knows about and could be producing all manner of mysterious behavior, since not only does it only happen on some machines but it does *not* crash the MyClod - at least not right away.  The main effect is to fill /tmp and /var/log with garbage so nothing can write to them, which will probably affect some things and not others...
    https://www.youtube.com/embed/2Gwnmb6P-3k

  • Alert & Audit Log Purging sample script

    Hi Experts,
    Can somebody point to sample scripts for
    1. alert & audit log purging?
    2. Listener log rotation?
    I am sorry if questions look too naive, I am new to DBA activities; pls let me know if more details are required.
    As of now the script is required to be independent of versions/platforms
    Regards,

    34MCA2K2 wrote:
    Thanks a lot for your reply!
    If auditing is enabled in Oracle, does it generate Audit log or it inserts into a SYS. table?
    Well, what do your "audit" initialization parameters show?
    For the listener log "rotation", just rename listener.log to something else (there is an OS command for that), then bounce the listener.
    You don't want to purge the alert log, you want to "rotate" it as well.  Just rename the existing file to something else. (there is an OS command for that)
    So this has to be handled at operating system level instead of having a utility. Also if that is the case, all this has to be done when database is shut down right?
    No, the database does not have to be shut down to rotate the listener log.  The database doesn't give a flying fig about the listener log.
    No, the database does not have to be shut down to rotate the alert log.  If the alert log isn't there when it needs to write to it, it will just start a new one.  BTW, beginning with 11g, there are two alert logs .. the old familiar one, now located at $ORACLE_BASE/diag/rdbms/$ORACLE_SID/$ORACLE_SID/trace, and the xml file used by adrci.  There are adrci commands and configurations to manage the latter.
    Again, I leave the details as an exercise for the student to practice his research skills.
    Please confirm my understanding.
    Thanks in advance!

  • Arch logging errors (/var/logs)

    i got two problems i'd like to solve maybe their cause is the same.
    first: is global arch logging. that's my ls -l of /var/log/
    -rw-r--r-- 1 root root      0   Apr 21 11:27 acpid.log
    -rw-r--r-- 1 root root      0   Apr  7 22:13 acpid.log.1
    -rw-r--r-- 1 root root      0   Apr 21 11:27 auth.log
    -rw-r--r-- 1 root root      0   Apr  7 22:14 auth.log.1
    -rw-r--r-- 1 root root   1092 Nov  7 02:52 boot
    -rw------- 1 root root   1152 Mar 17 08:06 btmp
    drwxr-xr-x 2 root root     72 Nov  7 16:56 ConsoleKit
    -rw-r--r-- 1 root root      0    Apr  7 22:14 crond
    -rw-r--r-- 1 root root      0    Apr 21 11:27 daemon.log
    -rw-r--r-- 1 root root      0    Apr  7 22:18 daemon.log.1
    -rw-r--r-- 1 root root  39494 Apr 22 13:18 dmesg.log
    -rw-r--r-- 1 root root      0    Apr 21 11:27 errors.log
    -rw-r--r-- 1 root root      0    Apr  7 22:18 errors.log.1
    -rw-r--r-- 1 root root      0    Apr 21 11:27 everything.log
    -rw-r--r-- 1 root root      0    Apr  7 22:18 everything.log.1
    -rw------- 1 root root  32032 Apr 22 12:03 faillog
    drwxrwx--T 2 root gdm    1392 Apr 22 13:18 gdm
    drwxr-xr-x 2 root root    368 Apr 21 11:27 httpd
    -rw-r--r-- 1 root root      0 Apr 21 11:27 kernel.log
    -rw-r--r-- 1 root root      0 Apr  7 22:19 kernel.log.1
    -rw-r--r-- 1 root root 292292 Apr 22 12:03 lastlog
    -rw-r--r-- 1 root root      0 Apr 21 11:27 messages.log
    -rw-r--r-- 1 root root      0 Apr  7 22:19 messages.log.1
    drwxr-xr-x 2 root root     48 Feb 26 06:56 old
    -rw-r--r-- 1 root root 151881 Apr 22 13:42 pacman.log
    -rw-r--r-- 1 root root     86 Apr 22 13:18 pm-powersave.log
    -rw-r--r-- 1 root root   6049 Apr 20 10:21 pm-suspend.log
    -rw-r--r-- 1 root root      0 Apr 21 11:27 syslog.log
    -rw-r--r-- 1 root root      0 Apr  7 22:19 syslog.log.1
    -rw-r--r-- 1 root root      0 Apr 21 11:27 user.log
    -rw-r--r-- 1 root root      0 Apr  7 22:19 user.log.1
    -rw-rw-r-- 1 root root 407424 Apr 22 13:29 wtmp
    -rw-rw-r-- 1 root root 415488 Apr  7 18:36 wtmp.1
    -rw-r--r-- 1 root root  13947 Apr 22 13:18 Xorg.0.log
    -rw-r--r-- 1 root root  14486 Apr 22 13:17 Xorg.0.log.old
    all files, that have duplicate name with .1 at the end, are always empty and as time goes by files with the same name but with .2, .3, .4 appear but also empty. It looks like arch is trying to create logs but something goes wrong and nothing is logged.
    second: i got errors from cron if i do run-cron /etc/cron.daily/ related to log files:
    sudo run-cron /etc/cron.daily/
    error: syslog-ng:1 duplicate log entry for /var/log/crond.log
    error: found error in /var/log/messages.log /var/log/auth.log /var/log/mail.log /var/log/kernel.log /var/log/errors.log /var/log/daemon.log /var/log/user.log /var/log/iptables.log /var/log/everything.log /var/log/syslog.log /var/log/acpid.log /var/log/crond.log /var/log/lpr.log /var/log/uucp.log /var/log/news.log /var/log/ppp.log /var/log/debug.log , skipping
    looks like the files r corrupted or something. please help find out the reasons and fix things up.

    I think it has to do with the group log having write permissions...
    # ls -l /var/log/
    total 8240
    drwxr-xr-x 2 root root 4096 Mar 31 01:38 ConsoleKit/
    drwxr-xr-x 2 root root 4096 Apr 4 03:52 httpd/
    drwxr-xr-x 2 http http 4096 Apr 18 03:45 lighttpd/
    drwxr-xr-x 2 root root 4096 Feb 25 23:56 old/
    -rw-r----- 1 root log 29283 Apr 22 11:05 auth.log
    -rw-r----- 1 root log 71395 Apr 18 03:26 auth.log.1
    -rw-r----- 1 root log 62225 Apr 11 03:17 auth.log.2
    -rw-r----- 1 root log 121945 Apr 4 03:41 auth.log.3
    -rw------- 1 root root 0 Mar 29 02:00 btmp
    -rw-r----- 1 root log 6622 Apr 22 09:17 crond.log
    -rw-r----- 1 root log 10756 Apr 18 03:45 crond.log.1
    -rw-r----- 1 root log 10340 Apr 11 03:45 crond.log.2
    -rw-r----- 1 root log 8809 Apr 4 03:45 crond.log.3
    -rw-r----- 1 root log 63451 Apr 22 11:01 daemon.log
    -rw-r----- 1 root log 101060 Apr 18 03:42 daemon.log.1
    -rw-r----- 1 root log 103755 Apr 11 03:37 daemon.log.2
    -rw-r----- 1 root log 72875 Apr 4 03:36 daemon.log.3
    -rw-r--r-- 1 root root 32631 Apr 19 03:27 dmesg.log
    -rw-r----- 1 root log 2881 Apr 21 23:22 errors.log
    -rw-r----- 1 root log 162980 Apr 17 09:55 errors.log.1
    -rw-r----- 1 root log 30491 Apr 9 21:54 errors.log.2
    -rw-r----- 1 root log 31213 Apr 3 18:38 errors.log.3
    -rw-r----- 1 root log 276636 Apr 22 11:01 everything.log
    -rw-r----- 1 root log 1196453 Apr 18 03:45 everything.log.1
    -rw-r----- 1 root log 374844 Apr 11 03:45 everything.log.2
    -rw-r----- 1 root log 610588 Apr 4 03:45 everything.log.3
    -rw------- 1 root root 24144 Apr 22 10:25 faillog
    -rw-r----- 1 root log 185643 Apr 22 10:25 kernel.log
    -rw-r----- 1 root log 1051728 Apr 18 02:02 kernel.log.1
    -rw-r----- 1 root log 250567 Apr 11 03:27 kernel.log.2
    -rw-r----- 1 root log 521352 Apr 3 18:38 kernel.log.3
    -rw-r--r-- 1 root root 293752 Apr 22 10:25 lastlog
    -rw-r----- 1 root log 229278 Apr 22 11:01 messages.log
    -rw-r----- 1 root log 959109 Apr 18 03:42 messages.log.1
    -rw-r----- 1 root log 309842 Apr 11 03:37 messages.log.2
    -rw-r----- 1 root log 489801 Apr 4 03:36 messages.log.3
    -rw-r--r-- 1 root root 77695 Apr 22 10:42 pacman.log
    -rw-r--r-- 1 root root 86 Apr 19 13:23 pm-powersave.log
    -rw-r----- 1 root log 825 Apr 19 03:27 syslog.log
    -rw-r----- 1 root log 1387 Apr 15 15:39 syslog.log.1
    -rw-r----- 1 root log 738 Apr 9 11:36 syslog.log.2
    -rw-r----- 1 root log 1600 Mar 31 00:02 syslog.log.3
    -rw-r----- 1 root log 16287 Apr 22 10:15 user.log
    -rw-r----- 1 root log 24546 Apr 17 03:45 user.log.1
    -rw-r----- 1 root log 626 Apr 11 03:27 user.log.2
    -rw-r----- 1 root log 416 Mar 30 04:12 user.log.3
    -rw-r----- 1 root log 6622 Apr 22 09:17 uucp.log
    -rw-r----- 1 root log 10756 Apr 18 03:45 uucp.log.1
    -rw-r----- 1 root log 10340 Apr 11 03:45 uucp.log.2
    -rw-r----- 1 root log 8809 Apr 4 03:45 uucp.log.3
    -rw-rw-r-- 1 root root 471552 Apr 22 10:25 wtmp
    -rw-r--r-- 1 root root 150528 Apr 1 03:21 wtmp.1
    -rw-r--r-- 1 root wheel 16308 Apr 22 10:25 Xorg.0.log
    -rw-r--r-- 1 root users 23624 Apr 22 10:25 Xorg.0.log.old
    Did you chown -R root:root /var/log on Apr 7?

  • /var/log/boot analog for shutdown

    Hello.
    I have some trouble with my own rc.d scripts, which prevent my system from shutting down.
    Unfortunately, when I'm trying to run these scripts manually via /etc/rc.d/script stop, they work fine. But on system shutdown server freezes, after killing sshd and I can't even debug that situation.
    So, my question is: how to create something like /var/log/boot only for shutdown sequence?
    I know, it is not trivial, because there is no place to store that log after unmounting fs, but it would be nice to have that log at least up to the fs unmounting.

    Thank you for your welcome and for your answers
    BDAqua >> I tried repairing the HD ; when I safe booted, it wouldn't shut down ; making a new user didn't solve the problem ; there is more than 20GB of free space on this HD.
    The log file shows :
    Thread 0 Crashed:
    0 libobjc.A.dylib 0x90a584c7 objc_msgSend + 23
    1 com.apple.BezelServices 0x004d2b2b 0x4cf000 + 15147
    2 com.apple.BezelServices 0x004d193a 0x4cf000 + 10554
    3 com.apple.Foundation 0x9284ba50 __NSFireMachPort + 307
    4 com.apple.CoreFoundation 0x9083c2fd __CFMachPortPerform + 136
    5 com.apple.CoreFoundation 0x9082c5a1 CFRunLoopRunSpecific + 2904
    6 com.apple.CoreFoundation 0x9082ba42 CFRunLoopRunInMode + 61
    7 com.apple.HIToolbox 0x92df2878 RunCurrentEventLoopInMode + 285
    8 com.apple.HIToolbox 0x92df1f82 ReceiveNextEventCommon + 385
    9 com.apple.HIToolbox 0x92df1dd9 BlockUntilNextEventMatchingListInMode + 81
    10 com.apple.AppKit 0x93297f45 _DPSNextEvent + 572
    11 com.apple.AppKit 0x93297b37 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137
    12 com.apple.AppKit 0x932918c4 -[NSApplication run] + 512
    13 com.apple.loginwindow 0x000056e1 0x1000 + 18145
    14 com.apple.loginwindow 0x000052a6 0x1000 + 17062
    15 com.apple.loginwindow 0x0001af35 0x1000 + 106293
    Carolyn >> I am going to try your suggestion.
    Fred

  • /var/log permissions

    I recently helped set up arch on a friend's computer, I don't currently have arch installed myself so I have no way of checking this. I added his user to the log group so that he would be able to view logfiles without being root, if I remember correctly this worked great for me, the problem is there's only a few logs he can view.. Is this something that has changed recently or have the permissions accidentally been changed somehow..?
    calle ~ $ ls -al /var/log/
    total 1040
    drwxr-xr-x 6 root root 4096 2009-07-13 23:38 .
    drwxr-xr-x 13 root root 4096 2009-07-13 21:25 ..
    drwxr-xr-x 2 root root 4096 2009-07-13 20:54 ConsoleKit
    -rw-r--r-- 1 root users 15020 2009-07-13 22:21 Xorg.0.log
    -rw-r--r-- 1 root users 15346 2009-07-13 21:07 Xorg.0.log.old
    -rw-r----- 1 root root 16741 2009-07-14 14:33 auth.log
    -rw------- 1 root root 1536 2009-07-14 13:56 btmp
    -rw-r--r-- 1 root root 2536 2009-07-14 14:01 crond
    -rw-r----- 1 root root 33353 2009-07-14 10:52 daemon.log
    -rw-r--r-- 1 root root 26946 2009-07-13 22:20 dmesg.log
    -rw-r----- 1 root root 3196 2009-07-14 13:57 errors.log
    -rw-r----- 1 root root 261858 2009-07-14 14:26 everything.log
    -rw------- 1 root root 24024 2009-07-13 22:21 faillog
    drwxr-xr-x 2 root root 4096 2009-03-29 16:07 gdm
    -rw-r----- 1 root root 225692 2009-07-14 07:07 kernel.log
    drwxr-xr-x 2 root root 4096 2009-07-13 23:42 lastfm
    -rw-r--r-- 1 root root 292292 2009-07-14 14:33 lastlog
    -rw-r----- 1 root root 214065 2009-07-14 14:26 messages.log
    drwxr-xr-x 2 root root 4096 2009-06-07 12:11 old
    -rw-r--r-- 1 root root 36756 2009-07-14 01:01 pacman.log
    -rw-r----- 1 root root 1067 2009-07-13 22:20 syslog.log
    -rw-r----- 1 root root 454 2009-07-13 23:08 user.log
    -rw-r--r-- 1 root root 97920 2009-07-14 14:33 wtmp
    -rw-r--r-- 1 root root 583 2009-07-13 22:20 wvdial
    calle ~ $
    How is this supposed to work?? Could someone post the output of "ls -al /var/log"?
    Thanks!

    This was http://bugs.archlinux.org/task/15095 .  Should be fixed with the syslog-ng in [testing]

  • Kernel msgs filling up /var/log/asl files

    I'm having an issue where /var/log/asl files are growing > 5GB a day.  The same kernel error msg is printed over and over: (it changes slightly over time, but still says <something>?kernel?<something>)
    Y?????????r?kernel?kernr??tr?????M?
    Y?????????r?kernel?kernr??tr?l???M?
    Y?????????r?kernel?kernr?xtr?????M?
    Y?????????r?kernel?kernr??tr?`???M?
    Y?????????r?kernel?kernr?ltr?????M?
    Any ideas?  I am running OS X 10.5.8
    killing aslmanager (which takes up 99% cpu) doesn't seem to stop the logging.  I have no idea what is happening and have exhaustively searched the web for suggestions.  Please help before I have to do an OS wipe.
    Thanks in advance!
    -Kevin

    Is that the actual kernel message or did you add the  question marks?
    Either way, it does not say much.
    The aslmanager is just printing those kernel errors.
    The cause of them is the key.
    Try disconnecting all peripheral devices attached to your Mac,  just to see if any one device is causing it.
    If it still persists, boot up in Safemode to see if that stops it.
    Starting up in Safe Mode
    What is Safe Boot, Safe Mode? (Mac OS X)
    After a restart does it return to normal?
    If not I'd run an Apple Hardware test.
    To do this, on your MacBook hold down the D key on startup.
    Message was edited by: roam realizing the computer is a MacBook

  • Files in /var/log

    I was looking through my /var/log directory on my PB G4 running OS X 10.4.4 recently and noticed several compressed files. I have a few questions:
    1. How come there are so many compressed files?
    2. Is it safe to delete them, and how can I delete them?
    3. Is there a way to prevent so many from building up in this directory?
    daily.out lpr.log.0.gz secure.log.0.gz
    fax lpr.log.1.gz secure.log.1.gz
    ftp.log lpr.log.2.gz secure.log.2.gz
    ftp.log.0.gz lpr.log.3.gz secure.log.3.gz
    ftp.log.1.gz lpr.log.4.gz secure.log.4.gz
    ftp.log.2.gz mail.log system.log
    ftp.log.3.gz mail.log.0.gz system.log.0.gz
    ftp.log.4.gz mail.log.1.gz system.log.1.gz
    httpd mail.log.2.gz system.log.2.gz
    install.log mail.log.3.gz system.log.3.gz
    install.log.0.gz mail.log.4.gz system.log.4.gz
    install.log.1.gz monthly.out system.log.5.gz
    install.log.2.gz netinfo.log system.log.6.gz
    install.log.3.gz netinfo.log.0.gz system.log.7.gz
    install.log.4.gz netinfo.log.1.gz weekly.out
    ipfw.log netinfo.log.2.gz windowserver.log
    ipfw.log.0.gz netinfo.log.3.gz windowserver_last.log
    ipfw.log.1.gz netinfo.log.4.gz wtmp
    ipfw.log.2.gz ppp wtmp.0.gz
    ipfw.log.3.gz ppp.log wtmp.1.gz
    ipfw.log.4.gz ppp.log.0.gz wtmp.2.gz
    lastlog ppp.log.1.gz wtmp.3.gz
    lookupd.log.0.gz ppp.log.2.gz wtmp.4.gz
    Thanks,
    Mike

    Hi Mike,
       There is no need to worry about their growing. In fact, that's why they are there. They are the results of log rotation by the periodic scripts. Notice that many logs start with the same name, such as ftp.log, ftp.log.1.gz, ftp.log.2.gz, ftp.log.3.gz, and ftp.log.4.gz. When you first installed the OS, there was only one, ftp.log. The next time the 500.weekly script runs, it appends a one, '1', to the filename, gzips the file and creates a new ftp.log. A week later, the next time the 500.weekly script runs, it moves ftp.log.1.gz to ftp.log.2.gz, appends a 1 to the new ftp.log, gzips the file and creates a new ftp.log. This process repeats until the ftp.log.4.gz file is created. A week after that, the ftp.log.4.gz is deleted and the former ftp.log.3.gz takes its place.
       Thus, every week each file's number increases until it's 4 weeks old and then it's deleted. The total number of files doesn't increase and, modulo variations in activity, the total size of the collection remains roughly constant. Older records are kept in as compact a form as possible and really old records are removed to make way for new ones.
       Therefore, your goal of limiting the size of the log files is implemented for you in a more efficient manner than you might have imagined. However, since you don't use the old ones, you could delete them if you're really hard up for space. Oh, one more thing -- more active log files, like system.log, are rotated daily and a week's worth of them are maintained.
    Gary
    ~~~~
       A successful [software] tool is one that was used to
       do something undreamed of by its author.
             -- S. C. Johnson
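The rotation scheme described in the reply above, as an added sketch that is not part of the original post or the OS's own periodic scripts. The function name `rotate_log`, the `KEEP` variable and the sample entries are assumptions made for this example; it shows why the live log is empty right after a rotation while the number of files stays fixed.

```shell
#!/bin/sh
# Added sketch of the rotation described above; rotate_log and KEEP are
# names chosen for this example, not taken from the periodic scripts.
KEEP=4   # number of compressed archives to retain (ftp.log.1.gz .. ftp.log.4.gz)

rotate_log() {
    log=$1
    [ -f "$log" ] || return 1
    # Delete the oldest archive so the set never grows past KEEP files.
    rm -f "$log.$KEEP.gz"
    # Shift the remaining archives up by one, oldest first (3->4, 2->3, 1->2).
    i=$((KEEP - 1))
    while [ "$i" -ge 1 ]; do
        if [ -f "$log.$i.gz" ]; then
            mv "$log.$i.gz" "$log.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done
    # Archive the live log as .1.gz, then start a fresh, empty live log.
    mv "$log" "$log.1"
    gzip -f "$log.1"
    : > "$log"
    chmod 640 "$log"
    # A production script would now tell the logging daemon to reopen its file.
}

demo_rotation() {
    dir=$(mktemp -d) || return 1
    week=1
    while [ "$week" -le 6 ]; do
        # Constructed sample entry, one per simulated week.
        echo "constructed entry, week $week" >> "$dir/ftp.log"
        rotate_log "$dir/ftp.log"
        week=$((week + 1))
    done
    ls "$dir"
    rm -rf "$dir"
}

demo_rotation
```

After six simulated weeks the directory holds the empty live log plus four archives, and the entries from weeks 1 and 2 are gone.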

  • Var/log/mail.log file empty

    My var/log/mail.log isn't logging anything; the file seems to be empty since 4th March 2010 3:15 AM.
    I have tried the troubleshooting steps mentioned below, but no luck.
    1. Stopped and restarted mail service
    2. Repaired disk permissions through disk utility application
    3. Repaired permissions through terminal diskutil
    4. Restarted daemons as suggested in this forum http://discussions.info.apple.com/thread.jspa?threadID=2088823&tstart=60
    5. Changed permissions as suggested on this forum http://forums.macosxhints.com/archive/index.php/t-13985.html
    Any help please!!!

    Change the archive log to 3 days. Make sure all three log levels are set to information. Restart mail and see if anything appears in the logs.
    Also how are you viewing the logs - using SA or Console?
    Thanks,
    Henry

  • ERROR messages in /var/log/messages

    Hi,
    I encountered error messages in /var/log/messages; please find them below:
    Dec 9 04:03:08 drs syslogd 1.4.1: restart (remote reception).
    Dec 9 04:03:18 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:03:18 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:03:18 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:03:18 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:03:18 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:03:18 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:03:18 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:03:18 drs init: Id "h1" respawning too fast: disabled for 5 minutes
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    Dec 9 04:08:19 drs logger: Could not access /etc/oracle/scls_scr/drs/root/crsstart.
    Dec 9 04:08:19 drs init: Id "h1" respawning too fast: disabled for 5 minutes
    Dec 9 04:10:46 drs rpc.mountd: authenticated unmount request from 10.3.141.26:651 for /opt/backup_log/srv (/opt/backup_log)
    Dec 9 04:10:47 drs rpc.mountd: authenticated mount request from 10.3.141.26:657 for /opt/backup_log/websrv (/opt/backup_log)
    Dec 9 04:10:47 drs rpc.mountd: authenticated unmount request from 10.3.141.26:672 for /opt/backup_log/websrv (/opt/backup_log)
    Dec 9 04:10:47 drs rpc.mountd: authenticated mount request from 10.3.141.26:677 for /opt/backup_log/ws (/opt/backup_log)
    Dec 9 04:12:01 drs rpc.mountd: authenticated unmount request from 10.3.141.26:849 for /opt/backup_log/ws (/opt/backup_log)
    Dec 9 04:13:20 drs logger: Oracle Cluster Ready Services disabled by corrupt install
    The database (Oracle 10g) is running fine, but I can't figure out what the problem could be. Can anyone help me out with this?
    Jafar

    Hi,
    #h1:35:respawn:/etc/init.d/init.cssd run >/dev/null 2>&1 </dev/null
    Commenting out the above line in the inittab file would stop the messages; would this have any adverse effect on the database? As it's a production server, I am really taking time to resolve it. Your suggestions are welcome. If there is no harm in commenting out the above line, then I would go forward and comment out that line.
    Thanks
    Jafar

  • Errors in a log file /var/log/system.log

    I'm getting these errors in a log file /var/log/system.log
    Shutdown:
    Sep 21 12:41:38 Mac-mini.local WindowServer[86]: CGXGetConnectionProperty: Invalid connection 42243
    Sep 21 12:41:38 Mac-mini.local coreservicesd[58]: SendFlattenedData, got error #268435459 (ipc/send) invalid destination port from ::mach_msg(), sending notification kLSNotifyApplicationDeath to notificationID=145
    Sep 21 12:41:38 Mac-mini.local WindowServer[86]: CGXGetConnectionProperty: Invalid connection 42243
    Sep 21 12:41:38 Mac-mini.local coreservicesd[58]: SendFlattenedData, got error #268435460 (ipc/send) timed out from ::mach_msg(), sending notification kLSNotifyApplicationDeath to Sep 21 12:41:38 Mac-mini.local loginwindow[41]: DEAD_PROCESS: 41 console
    Sep 21 12:41:38 Mac-mini.local WindowServer[86]: CGXGetConnectionProperty: Invalid connection 42243
    Sep 21 12:41:38 Mac-mini.local coreservicesd[58]: SendFlattenedData, got error #268435459 (ipc/send) invalid destination port from ::mach_msg(), sending notification kLSNotifyApplicationDeath to notificationID=142
    Sep 21 12:41:38 Mac-mini.local shutdown[300]: halt by andrei:
    Boot & Working:
    Sep 21 12:42:11 localhost com.apple.launchd[1] (com.apple.automountd): Unknown key for boolean: NSSupportsSuddenTermination
    Sep 21 12:42:22 Mac-mini.local apsd[56]: CGSLookupServerRootPort: Failed to look up the port for "com.apple.windowserver.active" (1102)
    Sep 21 12:42:26 Mac-mini.local authorizationhost[121]: in od_principal_for_user(): failed: 7
    Sep 21 12:42:26 Mac-mini.local authorizationhost[121]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
    Sep 21 12:42:27 Mac-mini.local loginwindow[41]: ERROR | ScreensharingLoginNotification | Failed sending message to screen sharing GetScreensharingPort, err: 1102
    Sep 21 12:42:31 Mac-mini.local XProtectUpdater[24]: Ignoring new signature plist: Not an increase in version
    Sep 21 12:42:32 Mac-mini com.apple.launchd[1] (com.apple.xprotectupdater[24]): Exited with code: 252
    Sep 21 12:43:04 Mac-mini.local com.apple.security.pboxd[290]: Bug: 12C54: liblaunch.dylib + 23849 [2F71CAF8-6524-329E-AC56-C506658B4C0C]: 0x25
    Sep 21 12:53:49 Mac-mini.local CVMServer[98]: Check-in to the service com.apple.cvmsCompAgent_x86_64 failed. This is likely because you have either unloaded the job or the MachService has the ResetAtClose attribute specified in the launchd.plist. If present, this attribute should be removed.
    Sep 21 12:59:48 Mac-mini.local com.apple.security.pboxd[290]: kCGErrorFailure: CGSSetHideOnDeact: error getting window tags
    Sep 21 13:00:07 Mac-mini.local com.apple.security.pboxd[290]: _NXTermWindow: error releasing window (1000)
    Sep 21 13:00:07 Mac-mini.local com.apple.security.pboxd[290]: __block_global_2: connection failed unexpectedly; terminating process; delegate was (
    system.log - https://docs.google.com/open?id=0Bz5zKwys0GTcSzI5UFJRUzFxZjQ

    File a bug report with Apple.

  • [SOLVED] warning: directory permissions differ on var/log/wicd/

    Hi,
    I've seen several posts about this but I couldn't really figure out what's the appropriate action. Well, anyway I get the following error message when doing a pacman -Syu
    warning: directory permissions differ on var/log/wicd/
    filesystem: 1363 package: 755
    Is it a bug? Should I change the file permissions of the directory, and if so, to what?
    Last edited by OMGitsUGOD (2009-09-18 10:38:32)

    This is sort of related,
    http://bbs.archlinux.org/viewtopic.php?pid=432588
    or at least the post at the end has the same file permissions as I have in /var/log/wicd.
    $ ls -la /var/log/ | grep wicd
    d-wxrw--wt 2 root root 4096 2009-08-27 07:58 wicd
    I'm pretty bad at this stuff, but isn't this rather 1361 than 1363, or am I totally wrong? And why not allow the owner to read the file?
    Last edited by OMGitsUGOD (2009-09-17 08:43:32)
