Difference between revisions of "Log Files"

From SME Server
Jump to navigationJump to search
 
(32 intermediate revisions by 10 users not shown)
Line 1: Line 1:
== Log Files ==
+
There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.
  
=== What they are and what they mean ===
+
==Access==
 +
Access to log files is available with the server-manager,
 +
[[:SME_Server:Documentation:Administration_Manual:Chapter10#View_log_files |Chapter10#View_log_files]] and
 +
[[:SME_Server:Documentation:Administration_Manual:Chapter10#Mail_log_file_analysis |Chapter10#Mail_log_file_analysis]]
  
There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.
+
You can also use shell access, eg, to perform more complex searches or manipulations.
 +
 
 +
==Logfile Names==
 +
===E-mail logfiles===
 +
 
 +
qmail            - details mail distribution (to mailboxes and to other hosts via SMTP). Traces connections, message numbers, bytes, concurrency, and UID.
 +
imap            - connections to the server IMAP folders (IMAP). Shows connections from local device unless IMAP enabled for internet access. Use in conjunction with other logs to trace email.
 +
imaps            - secure connections to the server IMAP folders (IMAPS). Shows connections from local devices unless IMAPS enabled for internet access. Use in conjunction with other logs to trace email.
 +
pop3            - Details connections via pop3 to the server.
 +
pop3s            - Details connections via pop3s to the server.
 +
smtp-auth-proxy
 +
maillog          - nothing. Empty.
 +
qpsmtpd          - incoming SMTP connections.
 +
sqpsmtpd        - incoming Secure SMTP connections. Authenticated SMTP Via SSL port 465.
 +
clamav          - antivirus
 +
clamd
 +
freshclam       
 +
spamd            - spam
 +
 
 +
In SME9 IMAP connections are logged in /var/log/dovecot/current
 +
 
 +
===HTTP logfiles===
 +
httpd
 +
httpd-admin
 +
squid
 +
squid.run
 +
qpdmtpd
 +
 
 +
=== System logfiles ===
 +
messages
 +
dnscache
 +
iptables
 +
iptraf
 +
mysqld
 +
nmbd
 +
ntpd
 +
oidentd
 +
ppp
 +
yum
 +
tinydns
 +
wan
 +
vbox
 +
cron
 +
sshd
 +
flexbackup
 +
dhcpd
 +
dhcpcd
 +
dmesg
 +
pppoe
 +
pptpd
 +
spooler
 +
radius
 +
radiusd
 +
proftpd
 +
raidmonitor
 +
rpmpkgs
 +
sa
 +
samba
 +
secure
 +
rkhunter.log
 +
boot.log
 +
audit
 +
anaconda.log
 +
anaconda.syslog
 +
lastlog
 +
 
 +
==Error Messages==
 +
*Log message regarding permissions on /var/spool/qpsmtpd/
 +
You may see messages similar to this in your log file:
 +
 +
@400000004326e9472eccc42c 3243 trying to get config for spool_dir
 +
@400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
 +
 
 +
They can be safely ignored. Clamav runs under a different user and needs read access to the spool area to avoid copying the file.
 +
[[https://sourceforge.net/tracker/index.php?func=detail&aid=1314168&group_id=96750&atid=615772]]
 +
 
 +
*I get messages that look like: (pam_unix)[31705]: session opened for user root by (uid=0)
 +
Most likely these messages coming from a package called SYSSTAT. The package was included in the previous versions of SMESERVER but were removed from the final version of V7. If you see the messages, most likely you had a previous version and upgraded. SYSSTAT isn't needed unless you have a contrib package called SME7ADMIN.
 +
 
 +
You can safely remove the package by:
 +
yum remove sysstat
 +
 
 +
Please note that these messages may be caused by other cron jobs (tasks that run automatically) or packages authenticating as root.
 +
 
 +
*I get a message saying that: the RSA server certificate CommonName (CN)`servername.domainname.tld' does NOT match server name!
 +
If you change the servername, you will be prompted to reboot. When you do, the SMESERVER will generate a certificate for the new servername-domainname combination and httpd.conf will now reference that new name. References to other virtual domains and hosts will generate warnings in the log.
 +
 
 +
*I get: server squid[3145]: WARNING: Disk space over limit: 148412 KB > 102400 KB.
 +
This message is just log noise. The message is informational and squid takes care of the issue itself.
 +
 
 +
*I get in the radius log: Info: Using deprecated naslist file.  Support for this will go away soon.
 +
This is just the radius daemon (a computer program that runs in the background, rather than under the direct control of a user) complaining about a file that exists in the directory.  We don't use it.
 +
 
 +
*I get in the clamd log: Error: cli_untar: only standard TAR files are currently supported
 +
Clam (the antivirus portion of SMESERVER) has found a file type which it can't deal with, and so is telling you that it can't scan that file.
 +
 
 +
Nothing to be concerned about. The fix, if any arrives, will come from the Clam team if they Determine this file format is worthy of their attention.
 +
 
 +
*I get in the smeserver-clamscan.log: LibClamAV Warning: Multipart/alternative MIME message contains no boundary header.
 +
This is just log noise. Clamav is scanning badly formatted MIME mail.
 +
 
 +
*In the /var/log/messages, I get: 10fix_privilege_tables: ERROR
 +
You can safely ignore these errors. The errors just mean that your tables are already up to date.
 +
 
 +
*In the /var/log/messages, I get: rec_read bad magic....
 +
You may also see it with
 +
cat /var/log/samba/* |grep printing |grep 'rec_read bad magic'
 +
You can delete /var/cache/samba/printing/<printer>.tdb files & restart samba.
 +
rm /var/cache/samba/printing/<printer>.tdb
 +
/etc/init.d/smbd restart
 +
 
 +
*cannot remove /var/run/dovecot/login: is a directory
 +
You may see this on system startup. It is just noise and doesn't affect anything.
 +
 
 +
*I get:
 +
rules: score undef for rule 'MISSING_SUBJECT' in '' 'MISSING_SUBJECT' at
 +
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2140.
 +
 
 +
Ignore the message. The warnings are just log noise. After a SPAMASSASSIN update, the rules have been added but don't have a score associated with them. So they will be treated as non-existent and result in an error message.
 +
 
 +
*I get:
 +
2008-02-21 23:42:51.106904500 ClamAV update process started at Thu Feb 21 23:42:51 2008
 +
2008-02-21 23:42:51.108696500 WARNING: Your ClamAV installation is OUTDATED!
 +
2008-02-21 23:42:51.108700500 WARNING: Local version: 0.92 Recommended version: 0.92.1
 +
2008-02-21 23:42:51.108704500 DON'T PANIC! Read http://www.clamav.net/support/faq
 +
2008-02-21 23:42:51.108708500 main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
 +
2008-02-21 23:42:51.523757500 ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
 +
2008-02-21 23:42:51.523760500 ERROR: getpatch: Can't apply patch
 +
2008-02-21 23:42:51.523764500 WARNING: Incremental update failed, trying to download daily.cvd
 +
2008-02-21 23:42:52.322303500 WARNING: Mirror 193.1.193.64 is not synchronized.
 +
 
 +
or:
 +
2008-02-22 00:44:14.874648500 Ignoring mirror 193.1.193.64 (due to previous errors)
 +
2008-02-22 00:44:14.878360500 ERROR: Can't download daily.cvd from database.clamav.net
 +
2008-02-22 00:44:14.879769500 Giving up on database.clamav.net...
 +
 
 +
Ignore the message. CLAMAV will fix itself on its own. The message is from CLAMAV saying it can't reach the updates. The messages will go away once they can be reached. Check [[Bugzilla:4002]] and [[Bugzilla:3962]]
 +
 
 +
If you lose patience waiting for the messages to go away, you can execute the following commands:
 +
cd /var/clamav/
 +
mv mirrors.dat mirrors.dat.old
 +
sv t /service/freshclam
 +
 
 +
*After a ClamAV update or when freshclam is run, the following may appear in the log file
 +
 
 +
LibClamAV Warning: Detected duplicate databases /var/clamav/main.cvd and /var/clamav/main.cld,
 +
please manually remove one of them
 +
 
 +
If you just leave it, freshclam should take of this as it is just log noise. See  [[Bugzilla 7164]]
 +
 
 +
==RK Hunter Messages==
 +
Root Kit Hunter performs a daily check of your system, these are common warnings.
 +
 
 +
/etc/cron.daily/01-rkhunter
 +
 
 +
*The following processes are using deleted files
 +
 
 +
xyz
  
==== E-mail logfiles ====
+
*Process '/sbin/XXX' (PID 3869) is listening on the network.
  
qmail
+
xyz
imap
 
imaps
 
pop3
 
pop3s
 
smtp-auth-proxy
 
maillog
 
  
==== HTTP logfiles ====
+
*The SSH and rkhunter configuration options should be the same:
  
httpd
+
xyz
httpd-admin
 
squid
 
squid.run
 
qpdmtpd
 
  
==== System logfiles ====
+
*Warning: SSH protocol v1 has been enabled
  
messages
+
Servers that have been upgraded to 7.3 from 5.5 give warnings that SSL protocol V1 is enabled.  
dnscache
 
iptables
 
iptraf
 
mysqld
 
nmbd
 
ntpd
 
oidentd
 
ppp
 
yum
 
tinydns
 
wan
 
vbox
 
cron
 
sshd
 
flexbackup
 
dhcpd
 
dhcpcd
 
pppoe
 
pptpd
 
spooler
 
radius
 
radiusd
 
proftpd
 
raidmonitor
 
rpmpkgs
 
sa
 
samba
 
secure
 
rkhunter.log
 
boot.log
 
audit
 
anaconda.log
 
anaconda.syslog
 
lastlog
 
  
==== Spam and virus ====
+
If you know that you do not use SSH protocol V1 (not SSL!), then you can remove protocol 1 by doing:
  
clamav
+
config setprop sshd Protocol 2
clamd
+
signal-event remoteaccess-update
freshclam
 
spamd
 

Latest revision as of 16:43, 10 May 2016

There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.

Access

Access to log files is available with the server-manager, Chapter10#View_log_files and Chapter10#Mail_log_file_analysis

You can also use shell access, eg, to perform more complex searches or manipulations.

Logfile Names

E-mail logfiles

qmail            - details mail distribution (to mailboxes and to other hosts via SMTP). Traces connections, message numbers, bytes, concurrency, and UID.
imap             - connections to the server IMAP folders (IMAP). Shows connections from local device unless IMAP enabled for internet access. Use in conjunction with other logs to trace email.
imaps            - secure connections to the server IMAP folders (IMAPS). Shows connections from local devices unless IMAPS enabled for internet access. Use in conjunction with other logs to trace email.
pop3             - Details connections via pop3 to the server. 
pop3s            - Details connections via pop3s to the server.
smtp-auth-proxy
maillog          - nothing. Empty.
qpsmtpd          - incoming SMTP connections.
sqpsmtpd         - incoming Secure SMTP connections. Authenticated SMTP Via SSL port 465.
clamav           - antivirus
clamd
freshclam        
spamd            - spam

In SME9 IMAP connections are logged in /var/log/dovecot/current

HTTP logfiles

httpd
httpd-admin
squid
squid.run
qpdmtpd

System logfiles

messages
dnscache
iptables
iptraf
mysqld
nmbd
ntpd
oidentd
ppp
yum
tinydns
wan
vbox
cron
sshd
flexbackup
dhcpd
dhcpcd
dmesg
pppoe
pptpd
spooler
radius
radiusd
proftpd
raidmonitor
rpmpkgs
sa
samba
secure
rkhunter.log
boot.log
audit
anaconda.log
anaconda.syslog
lastlog

Error Messages

  • Log message regarding permissions on /var/spool/qpsmtpd/

You may see messages similar to this in your log file:

@400000004326e9472eccc42c 3243 trying to get config for spool_dir @400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700

They can be safely ignored. Clamav runs under a different user and needs read access to the spool area to avoid copying the file. [[1]]

  • I get messages that look like: (pam_unix)[31705]: session opened for user root by (uid=0)

Most likely these messages coming from a package called SYSSTAT. The package was included in the previous versions of SMESERVER but were removed from the final version of V7. If you see the messages, most likely you had a previous version and upgraded. SYSSTAT isn't needed unless you have a contrib package called SME7ADMIN.

You can safely remove the package by:

yum remove sysstat

Please note that these messages may be caused by other cron jobs (tasks that run automatically) or packages authenticating as root.

  • I get a message saying that: the RSA server certificate CommonName (CN)`servername.domainname.tld' does NOT match server name!

If you change the servername, you will be prompted to reboot. When you do, the SMESERVER will generate a certificate for the new servername-domainname combination and httpd.conf will now reference that new name. References to other virtual domains and hosts will generate warnings in the log.

  • I get: server squid[3145]: WARNING: Disk space over limit: 148412 KB > 102400 KB.

This message is just log noise. The message is informational and squid takes care of the issue itself.

  • I get in the radius log: Info: Using deprecated naslist file. Support for this will go away soon.

This is just the radius daemon (a computer program that runs in the background, rather than under the direct control of a user) complaining about a file that exists in the directory. We don't use it.

  • I get in the clamd log: Error: cli_untar: only standard TAR files are currently supported

Clam (the antivirus portion of SMESERVER) has found a file type which it can't deal with, and so is telling you that it can't scan that file.

Nothing to be concerned about. The fix, if any arrives, will come from the Clam team if they Determine this file format is worthy of their attention.

  • I get in the smeserver-clamscan.log: LibClamAV Warning: Multipart/alternative MIME message contains no boundary header.

This is just log noise. Clamav is scanning badly formatted MIME mail.

  • In the /var/log/messages, I get: 10fix_privilege_tables: ERROR

You can safely ignore these errors. The errors just mean that your tables are already up to date.

  • In the /var/log/messages, I get: rec_read bad magic....

You may also see it with

cat /var/log/samba/* |grep printing |grep 'rec_read bad magic'

You can delete /var/cache/samba/printing/<printer>.tdb files & restart samba.

rm /var/cache/samba/printing/<printer>.tdb
/etc/init.d/smbd restart
  • cannot remove /var/run/dovecot/login: is a directory

You may see this on system startup. It is just noise and doesn't affect anything.

  • I get:
rules: score undef for rule 'MISSING_SUBJECT' in  'MISSING_SUBJECT' at
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2140.

Ignore the message. The warnings are just log noise. After a SPAMASSASSIN update, the rules have been added but don't have a score associated with them. So they will be treated as non-existent and result in an error message.

  • I get:
2008-02-21 23:42:51.106904500 ClamAV update process started at Thu Feb 21 23:42:51 2008
2008-02-21 23:42:51.108696500 WARNING: Your ClamAV installation is OUTDATED!
2008-02-21 23:42:51.108700500 WARNING: Local version: 0.92 Recommended version: 0.92.1
2008-02-21 23:42:51.108704500 DON'T PANIC! Read http://www.clamav.net/support/faq
2008-02-21 23:42:51.108708500 main.inc is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
2008-02-21 23:42:51.523757500 ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
2008-02-21 23:42:51.523760500 ERROR: getpatch: Can't apply patch
2008-02-21 23:42:51.523764500 WARNING: Incremental update failed, trying to download daily.cvd
2008-02-21 23:42:52.322303500 WARNING: Mirror 193.1.193.64 is not synchronized.

or:

2008-02-22 00:44:14.874648500 Ignoring mirror 193.1.193.64 (due to previous errors)
2008-02-22 00:44:14.878360500 ERROR: Can't download daily.cvd from database.clamav.net
2008-02-22 00:44:14.879769500 Giving up on database.clamav.net...

Ignore the message. CLAMAV will fix itself on its own. The message is from CLAMAV saying it can't reach the updates. The messages will go away once they can be reached. Check Bugzilla:4002 and Bugzilla:3962

If you lose patience waiting for the messages to go away, you can execute the following commands:

cd /var/clamav/
mv mirrors.dat mirrors.dat.old
sv t /service/freshclam
  • After a ClamAV update or when freshclam is run, the following may appear in the log file
LibClamAV Warning: Detected duplicate databases /var/clamav/main.cvd and /var/clamav/main.cld, 
please manually remove one of them

If you just leave it, freshclam should take of this as it is just log noise. See Bugzilla 7164

RK Hunter Messages

Root Kit Hunter performs a daily check of your system, these are common warnings.

/etc/cron.daily/01-rkhunter

  • The following processes are using deleted files

xyz

  • Process '/sbin/XXX' (PID 3869) is listening on the network.

xyz

  • The SSH and rkhunter configuration options should be the same:

xyz

  • Warning: SSH protocol v1 has been enabled

Servers that have been upgraded to 7.3 from 5.5 give warnings that SSL protocol V1 is enabled.

If you know that you do not use SSH protocol V1 (not SSL!), then you can remove protocol 1 by doing:

config setprop sshd Protocol 2
signal-event remoteaccess-update