[RHEL6] rsyslogd aborted and after that past messages were logged in maillog.

Solution Verified - Updated -

Issue

  • rsyslogd had been aborted since 10:03 on 29th August at our customer's site.
$ cat date
Tue Sep 11 14:00:39 JST 2012
$ 
$ tail -n 3 var/log/messages
Aug 29 01:01:59 XXXXX xinetd[1851]: EXIT: shell status=0 pid=15571 duration=0(sec)
Aug 29 01:03:41 XXXXX kernel: eth0: NIC Link is Up 10000 Mbps
Aug 29 01:03:41 XXXXX kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
  • Some of the messages from 29th August were logged again in messages after rsyslogd was restarted.
$ grep "Aug 29 0[01]" var/log/messages.2 
Aug 29 00:56:01 XXXXX xinetd[1851]: START: telnet pid=15285 from=::ffff:192.168.30.210
Aug 29 00:56:45 XXXXX xinetd[1851]: START: telnet pid=15295 from=::ffff:192.168.30.210
Aug 29 00:57:01 XXXXX xinetd[1851]: EXIT: telnet status=0 pid=15285 duration=60(sec)
Aug 29 00:57:31 XXXXX xinetd[1851]: EXIT: telnet status=0 pid=15295 duration=46(sec)
Aug 29 01:01:59 XXXXX xinetd[1851]: START: shell pid=15571 from=::ffff:192.168.30.210
Aug 29 01:01:59 XXXXX rshd[15573]: root@192.168.30.210 as root: cmd='cat /etc/hosts.allow'
Aug 29 01:01:59 XXXXX xinetd[1851]: EXIT: shell status=0 pid=15571 duration=0(sec)
Aug 29 01:03:41 XXXXX kernel: eth0: NIC Link is Up 10000 Mbps
Aug 29 01:03:41 XXXXX kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Aug 29 01:03:45 XXXXX ntpd[1859]: Listening on interface #7 eth0, fe80::250:56ff:feae:3860#123 Enabled
$ cat var/log/messages
Aug 28 23:59:01 XXXXX kernel: Kernel logging (proc) stopped.
Sep 11 10:23:27 XXXXX kernel: imklog 4.6.2, log source = /proc/kmsg started.
Sep 11 10:23:27 XXXXX rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="7832" x-info="http://www.rsyslog.com"] (re)start
Aug 29 00:56:45 XXXXX xinetd[1851]: START: telnet pid=15295 from=::ffff:192.168.30.210
Aug 29 00:57:01 XXXXX xinetd[1851]: EXIT: telnet status=0 pid=15285 duration=60(sec)
Aug 29 00:57:31 XXXXX xinetd[1851]: EXIT: telnet status=0 pid=15295 duration=46(sec)
Aug 29 01:01:59 XXXXX xinetd[1851]: START: shell pid=15571 from=::ffff:192.168.30.210
Aug 29 01:01:59 XXXXX rshd[15573]: root@192.168.30.210 as root: cmd='cat /etc/hosts.allow'
Aug 29 01:01:59 XXXXX xinetd[1851]: EXIT: shell status=0 pid=15571 duration=0(sec)
Aug 29 01:03:41 XXXXX kernel: eth0: NIC Link is Up 10000 Mbps
Aug 29 01:03:41 XXXXX kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
  • Messages from 1st July were logged again in maillog after 10:04:16 on 29th August.
$ grep 'Jul  1 09:25:04' maillog-qmail_20120829._xxx_.txt -B 4 -A 4
Aug 29 10:04:16 XXXXX smtpd: 1346202256.914006 tcpserver: pid 22354 from 192.168.100.171
Aug 29 10:04:16 XXXXX smtpd: 1346202256.914211 tcpserver: ok 22354 XXXXX:192.168.20.65:25 :192.168.100.171::58069
Aug 29 10:04:16 XXXXX smtpd: 1346202256.949129 tcpserver: end 22354 status 0
Aug 29 10:04:16 XXXXX smtpd: 1346202256.949161 tcpserver: status: 0/120
Jul  1 09:25:04 XXXXX smtpd: 1341102304.344436 tcpserver: status: 0/120
Jul  1 09:25:06 XXXXX smtpd: 1341102306.108272 tcpserver: status: 1/120
Jul  1 09:25:06 XXXXX smtpd: 1341102306.108515 tcpserver: pid 4908 from 192.168.20.249
Jul  1 09:25:06 XXXXX smtpd: 1341102306.108733 tcpserver: ok 4908 XXXXX:192.168.20.65:25 :192.168.20.249::49035
Jul  1 09:25:06 XXXXX smtpd: 1341102306.109427 tcpserver: end 4908 status 256
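
The symptoms above (a long silence, then lines older than ones already written) can be found mechanically by tracking the newest timestamp seen so far. The following is an added example, not part of the original article or of rsyslog; the function names and the 24-hour gap threshold are assumptions, and the year must be supplied because the traditional syslog timestamp carries none.

```python
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Lines copied from the var/log/messages excerpt above, used as sample input.
SAMPLE = '''\
Aug 28 23:59:01 XXXXX kernel: Kernel logging (proc) stopped.
Sep 11 10:23:27 XXXXX kernel: imklog 4.6.2, log source = /proc/kmsg started.
Sep 11 10:23:27 XXXXX rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="7832" x-info="http://www.rsyslog.com"] (re)start
Aug 29 00:56:45 XXXXX xinetd[1851]: START: telnet pid=15295 from=::ffff:192.168.30.210
Aug 29 01:03:41 XXXXX kernel: eth0: NIC Link is Up 10000 Mbps
'''

def parse_ts(line, year):
    """Parse the 'Mon DD HH:MM:SS' prefix; return None if the line has none."""
    try:
        mon, day, clock = line[:15].split()
        h, m, s = map(int, clock.split(":"))
        return datetime(year, MONTHS[mon], int(day), h, m, s)
    except (ValueError, KeyError):
        return None

def find_anomalies(lines, year, max_gap=timedelta(hours=24)):
    """Return (kind, line_no, newest_seen, timestamp) for gaps and replays."""
    findings, high = [], None
    for no, line in enumerate(lines, 1):
        ts = parse_ts(line, year)
        if ts and high and high - ts > timedelta(days=330):
            year += 1  # Dec -> Jan wrap in a year-less format, not a replay
            ts = parse_ts(line, year)
        if ts is None:
            continue
        if high is None or ts >= high:
            if high is not None and ts - high > max_gap:
                findings.append(("gap", no, high, ts))  # possible logging outage
            high = ts
        else:
            findings.append(("regression", no, high, ts))  # older than newest seen
    return findings

if __name__ == "__main__":
    # Assumption: the year (2012, per the `date` output above) comes from the caller.
    for kind, no, high, ts in find_anomalies(SAMPLE.splitlines(), 2012):
        print(f"line {no}: {kind}: {ts} (newest seen so far {high})")
```

A replay that jumps back more than 330 days is treated as a year change and is not reported, which is a limitation of the year-less format.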

Environment

  • Red Hat Enterprise Linux 6.2
  • rsyslog-4.6.2-12.el6.x86_64
