Difference between revisions of "Log Files"

From SME Server
m (Added one line solution for time conversion of squid log files)
(reorganise, add faqs)
Line 1: Line 1:
 
== Log Files ==
 
== Log Files ==
  
=== What they are and what they mean ===
+
There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.
 +
 
 +
=== Access ===
 +
 
 +
Access to log files is available with the /server-manager
 +
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter10#View_log_files
 +
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter10#Mail_log_file_analysis
 +
 
 +
You can also use shell access, eg, to perform more complex searches or manipulations.
  
There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.
+
=== Date Conversions ===
  
 
Most of the SME log files are created using D.J. Bernstein's [http://cr.yp.to/daemontools/multilog.html multilog].   
 
Most of the SME log files are created using D.J. Bernstein's [http://cr.yp.to/daemontools/multilog.html multilog].   
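Review bot: In the new Access section, the two Administration Manual URLs are pasted bare, and "available with the /server-manager" does not say which panel to open. Label each link after its anchor (View log files, Mail log file analysis) so the sentence tells the reader where in the server-manager to look. "eg" in the shell-access sentence should be "e.g.".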
Line 24: Line 32:
 
  tail /var/log/squid/access.log | perl -pe 's/^\d+\.\d+/localtime $&/e;'
 
  tail /var/log/squid/access.log | perl -pe 's/^\d+\.\d+/localtime $&/e;'
  
 +
=== Logfile Names ===
 
==== E-mail logfiles ====
 
==== E-mail logfiles ====
  
qmail
+
qmail
imap
+
imap
imaps
+
imaps
pop3
+
pop3
pop3s
+
pop3s
smtp-auth-proxy
+
smtp-auth-proxy
maillog
+
maillog
qpsmtpd
+
qpsmtpd
sqpsmtpd
+
sqpsmtpd
  
 
==== HTTP logfiles ====
 
==== HTTP logfiles ====
  
httpd
+
httpd
httpd-admin
+
httpd-admin
squid
+
squid
squid.run
+
squid.run
qpdmtpd
+
qpdmtpd
  
 
==== System logfiles ====
 
==== System logfiles ====
  
messages
+
messages
dnscache
+
dnscache
iptables
+
iptables
iptraf
+
iptraf
mysqld
+
mysqld
nmbd
+
nmbd
ntpd
+
ntpd
oidentd
+
oidentd
ppp
+
ppp
yum
+
yum
tinydns
+
tinydns
wan
+
wan
vbox
+
vbox
cron
+
cron
sshd
+
sshd
flexbackup
+
flexbackup
dhcpd
+
dhcpd
dhcpcd
+
dhcpcd
dmesg
+
dmesg
pppoe
+
pppoe
pptpd
+
pptpd
spooler
+
spooler
radius
+
radius
radiusd
+
radiusd
proftpd
+
proftpd
raidmonitor
+
raidmonitor
rpmpkgs
+
rpmpkgs
sa
+
sa
samba
+
samba
secure
+
secure
rkhunter.log
+
rkhunter.log
boot.log
+
boot.log
audit
+
audit
anaconda.log
+
anaconda.log
anaconda.syslog
+
anaconda.syslog
lastlog
+
lastlog
  
 
==== Spam and virus ====
 
==== Spam and virus ====
  
clamav
+
clamav
clamd
+
clamd
freshclam
+
freshclam
spamd
+
spamd
 +
 
 +
=== Error Messages ===
 +
 
 +
*Log message regarding permissions on /var/spool/qpsmtpd/
 +
You may see messages similar to this in your log file:
 +
 +
@400000004326e9472eccc42c 3243 trying to get config for spool_dir
 +
@400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700
 +
 
 +
They can be safely ignored. Clamav runs under a different user and needs read access to the spool area to avoid copying the file.
 +
[[https://sourceforge.net/tracker/index.php?func=detail&aid=1314168&group_id=96750&atid=615772]]
 +
 
 +
 
 +
*I get messages that look like: (pam_unix)[31705]: session opened for user root by (uid=0)
 +
Most likely these messages coming from a package called SYSSTAT. The package was included in the previous versions of SMESERVER but were removed from the final version of V7. If you see the messages, most likely you had a previous version and upgraded. SYSSTAT isn't needed unless you have a contrib package called SME7ADMIN.
 +
 
 +
You can safely remove the package by:
 +
yum remove sysstat
 +
 
 +
Please note that these messages may be caused by other cron jobs (tasks that run automatically) or packages authenticating as root.
 +
 
 +
 
 +
*I get a message saying that: the RSA server certificate CommonName (CN)`servername.domainname.tld' does NOT match server name!
 +
If you change the servername, you will be prompted to reboot. When you do, the SMESERVER will generate a certificate for the new servername-domainname combination and httpd.conf will now reference that new name. References to other virtual domains and hosts will generate warnings in the log.
 +
 
 +
 
 +
*I get: server squid[3145]: WARNING: Disk space over limit: 148412 KB 102400 KB.
 +
This message is just log noise. The message is informational and squid takes care of the issue itself.
 +
 
 +
 
 +
*I get in the radius log: Info: Using deprecated naslist file.  Support for this will go away soon.
 +
This is just the radius daemon (a computer program that runs in the background, rather than under the direct control of a user) complaining about a file that exists in the directory.  We don't use it.
 +
 
 +
 
 +
*I get in the clamd log: Error: cli_untar: only standard TAR files are currently supported
 +
Clam (the antivirus portion of SMESERVER) has found a file type which it can't deal with, and so is telling you that it can't scan that file.
 +
 
 +
Nothing to be concerned about. The fix, if any arrives, will come from the Clam team if they Determine this file format is worthy of their attention.
 +
 
 +
 
 +
*I get in the smeserver-clamscan.log: LibClamAV Warning: Multipart/alternative MIME message contains no boundary header.
 +
This is just log noise. Clamav is scanning badly formatted MIME mail.
 +
 
 +
 
 +
*In the /var/log/messages, I get: 10fix_privilege_tables: ERROR
 +
You can safely ignore these errors. The errors just mean that your tables are already up to date.
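Review bot: In the pam_unix entry, the "yum remove sysstat" step comes before the caveat that other cron jobs or packages authenticating as root produce the same "session opened for user root" message. Move the caveat ahead of the removal step and say how to confirm that sysstat is the source, since a reader who removes the package and still sees root sessions has no guidance on what to check next. Separately, the SourceForge link in the qpsmtpd entry is wrapped in double square brackets, "[[https://sourceforge.net/...]]"; an external link takes single brackets, otherwise it renders as "[[1]]".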

Revision as of 00:50, 28 September 2007

Log Files

There are many log files produced by SME Server. Some are standard, some are generated by contributions. This page aims to bring together enough knowledge to understand what generates each log file, what they are for, and how to interpret them.

Access

Log files can be viewed through the /server-manager:

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter10#View_log_files
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter10#Mail_log_file_analysis

You can also use shell access, e.g. to perform more complex searches or manipulations.

Date Conversions

Most of the SME log files are created using D.J. Bernstein's multilog.

  • Multilog logs to a file named 'current' in a subdirectory named for the service
  • Multilog records time as an "@" followed by "a precise timestamp".
  • Pipe multilog output through tai64nlocal to have multilog's cryptic time stamp converted to a human-readable form:
tail -f /var/log/qpsmtpd/current | tai64nlocal

Some SME logs are still created using syslog or another process (not multilog). An example of this is the squid/access.log file. The following perl script filter will convert the times in a squid logfile to human-readable form:

#! /usr/bin/perl -p
s/^\d+\.\d+/localtime $&/e;

If the above perl code is put into a script 'timeconvert.pl', and made executable, then the squid access log can be converted using the following command:

# ./timeconvert.pl /var/log/squid/access.log

You can also do this in a pipeline, analogous to the first command:

tail /var/log/squid/access.log | perl -pe 's/^\d+\.\d+/localtime $&/e;'
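
Both conversions described above can be done in a single filter. The following is an added example, not part of the original wiki page: it decodes multilog's TAI64N labels and squid's epoch timestamps to UTC (rather than local time, which makes it easier to line up entries from several hosts). The squid sample line is constructed; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# TAI64N label: "@" + 16 hex digits (seconds) + 8 hex digits (nanoseconds).
TAI64N = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8})")
# Squid native access.log: epoch seconds with a fractional part.
SQUID = re.compile(r"^(\d+)\.(\d+)")
# multilog writes time() + 2**62 + 10; tai64nlocal subtracts the same constant.
TAI_OFFSET = 2**62 + 10


def parse_stamp(line):
    """Return (unix_seconds, nanoseconds, rest_of_line), or None if unstamped."""
    m = TAI64N.match(line)
    if m:
        secs = int(m.group(1), 16) - TAI_OFFSET
        nanos = int(m.group(2), 16)
        if secs < 0 or nanos >= 10**9:
            return None  # malformed label: leave the line alone
        return secs, nanos, line[m.end():]
    m = SQUID.match(line)
    if m:
        frac = m.group(2)[:9].ljust(9, "0")  # scale the fraction to nanoseconds
        return int(m.group(1)), int(frac), line[m.end():]
    return None


def to_utc(line):
    """Rewrite a leading timestamp as UTC; pass other lines through unchanged."""
    parsed = parse_stamp(line)
    if parsed is None:
        return line
    secs, nanos, rest = parsed
    ts = datetime.fromtimestamp(secs, tz=timezone.utc)
    return f"{ts:%Y-%m-%d %H:%M:%S}.{nanos:09d}Z{rest}"


# First line is the qpsmtpd entry quoted on this page; the squid line is constructed.
SAMPLES = [
    "@400000004326e9472eccc42c 3243 trying to get config for spool_dir",
    "1190940600.123     45 192.0.2.10 TCP_MISS/200 1024 GET http://example.com/ - DIRECT/192.0.2.20 text/html",
    "a line with no timestamp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_utc(sample))
```
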

Logfile Names

E-mail logfiles

qmail
imap
imaps
pop3
pop3s
smtp-auth-proxy
maillog
qpsmtpd
sqpsmtpd

HTTP logfiles

httpd
httpd-admin
squid
squid.run
qpdmtpd

System logfiles

messages
dnscache
iptables
iptraf
mysqld
nmbd
ntpd
oidentd
ppp
yum
tinydns
wan
vbox
cron
sshd
flexbackup
dhcpd
dhcpcd
dmesg
pppoe
pptpd
spooler
radius
radiusd
proftpd
raidmonitor
rpmpkgs
sa
samba
secure
rkhunter.log
boot.log
audit
anaconda.log
anaconda.syslog
lastlog

Spam and virus

clamav
clamd
freshclam
spamd

Error Messages

  • Log message regarding permissions on /var/spool/qpsmtpd/

You may see messages similar to this in your log file:

@400000004326e9472eccc42c 3243 trying to get config for spool_dir
@400000004326e9472ed518fc 3243 Permissions on spool_dir /var/spool/qpsmtpd/ are not 0700

They can be safely ignored. Clamav runs under a different user and needs read access to the spool area to avoid copying the file. See https://sourceforge.net/tracker/index.php?func=detail&aid=1314168&group_id=96750&atid=615772


  • I get messages that look like: (pam_unix)[31705]: session opened for user root by (uid=0)

Most likely these messages are coming from a package called SYSSTAT. The package was included in previous versions of SMESERVER but was removed from the final version of V7. If you see the messages, most likely you had a previous version and upgraded. SYSSTAT isn't needed unless you have a contrib package called SME7ADMIN.

You can safely remove the package by:

yum remove sysstat

Please note that these messages may be caused by other cron jobs (tasks that run automatically) or packages authenticating as root.


  • I get a message saying that: the RSA server certificate CommonName (CN)`servername.domainname.tld' does NOT match server name!

If you change the servername, you will be prompted to reboot. When you do, the SMESERVER will generate a certificate for the new servername-domainname combination and httpd.conf will now reference that new name. References to other virtual domains and hosts will generate warnings in the log.


  • I get: server squid[3145]: WARNING: Disk space over limit: 148412 KB 102400 KB.

This message is just log noise. The message is informational and squid takes care of the issue itself.


  • I get in the radius log: Info: Using deprecated naslist file. Support for this will go away soon.

This is just the radius daemon (a computer program that runs in the background, rather than under the direct control of a user) complaining about a file that exists in the directory. We don't use it.


  • I get in the clamd log: Error: cli_untar: only standard TAR files are currently supported

Clam (the antivirus portion of SMESERVER) has found a file type which it can't deal with, and so is telling you that it can't scan that file.

Nothing to be concerned about. The fix, if any arrives, will come from the Clam team if they determine this file format is worthy of their attention.


  • I get in the smeserver-clamscan.log: LibClamAV Warning: Multipart/alternative MIME message contains no boundary header.

This is just log noise. Clamav is scanning badly formatted MIME mail.


  • In /var/log/messages, I get: 10fix_privilege_tables: ERROR

You can safely ignore these errors. The errors just mean that your tables are already up to date.