Thread ID: 59925 2005-07-17 03:01:00 More Linux questions... Myth (110) Press F1
Post ID Timestamp Content User
372852 2005-07-17 03:01:00 In the last few days, I have noticed a change in the shutdown of my FC4. As it scrolls down shutting off services, it now has a heap of text underneath auditd .. including the words NO DAEMON.
I have had a look in services, and it shows auditd is running. The thing is I haven't changed anything. Just prior I had completed a large download (700MB). Part way through that download (through Azureus) the download froze, so I had to log off and logon again. Restarted the download and it went perfectly.
Nothing else has been done. The text (there's about 5+ lines of it) doesn't hang the machine or affect shutdown... I'm just wondering how to fix it.

There was another question but it seems to have slipped my mind for the time... will post when I remember
Myth (110)
372853 2005-07-17 03:06:00 Are you able to post the message? Have a look in /var/log/messages or the FC equivalent. vinref (6194)
372854 2005-07-17 03:22:00 Hmmm .. bit more than 5 lines ..

Jul 17 10:55:01 tazzcomp auditd[1831]: The audit daemon is exiting.
Jul 17 10:55:01 tazzcomp kernel: audit: *NO* daemon at audit_pid=1831
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.130:16710398): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bff58e80 a2=80510f8 a3=0 items=0 pid=6698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.130:16710398): saddr=100000000000000000000000
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.130:16710398): nargs=6 a0=3 a1=bff5afdc a2=10 a3=0 a4=bff5d178 a5=c
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.231:16711040): SELinux: unrecognized netlink message type=1009 for sclass=49
Jul 17 10:55:01 tazzcomp kernel:
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.231:16711040): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bff58e60 a2=80510f8 a3=0 items=0 pid=6698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.231:16711040): saddr=100000000000000000000000
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.231:16711040): nargs=6 a0=3 a1=bff5afbc a2=10 a3=0 a4=bff5d158 a5=c

Oh and thx, now I know where shutdown messages are recorded :)
Myth (110)
372855 2005-07-17 03:54:00 Hmmm .. bit more than 5 lines ..

Sorry, I am not familiar with linux kernel error messages.
vinref (6194)
372856 2005-07-17 04:33:00 It's usually a Bad Idea to cat /var/log/messages. :D

I have alias messages='tail -20 /var/log/messages' in my .bash_profile file. That gives a screenful, which is usually enough.

I'm not sure what is happening there... I don't know what auditd is. ;)

It looks as if it is terminating, then something (the kernel?) is calling it for some reason.

KABOOM.

It is being called so soon after the termination that its PID (process ID) hasn't been removed from the pid/ directory (is that in /var?)
Graham L (2)
372857 2005-07-17 04:52:00 It's usually a Bad Idea to cat /var/log/messages. :D

I have alias messages='tail -20 /var/log/messages' in my .bash_profile file. That gives a screenful, which is usually enough.

/var/log/messages is root-only access in my system, and I have a feeling it is the same in FC. Hence, it cannot be used in alias in a shell rc file of a normal or wheel user.

And why would it be a bad idea to read it with cat?


I'm not sure what is happening there... I don't know what auditd is. ;)

It looks as if it is terminating, then something (the kernel?) is calling it for some reason.

KABOOM.

It is being called so soon after the termination that its PID (process ID) hasn't been removed from the pid/ directory (is that in /var?)

That's why I tend to stay away from "too new" distros and releases. Also note the reference to SELinux... not good.
vinref (6194)
372858 2005-07-17 05:03:00 All the logs are private to root. That's because they are system things. But it's usually as root that you need to look at them. ;)

It's a Very Bad Idea to use an editor (or even cat or less) to look at /var/log/messages because it's usually a Very Big File. ;) It gets chopped by one of the /etc/cron.daily or /etc/cron.weekly tasks, but on average it's very big.

The problem in making up error messages (and handling) is that often the events happen so rarely that the developers can never test the handling of them. (That's in Linux... in Other OSs, the developers get lots of practice ;)).
Graham L (2)
372859 2005-07-17 05:17:00 Hey Tazz

You will need to look through that messages to see the first instance of this error message. Then look before that to see if the system reported something changed. If the Azureus froze, there is a good chance a message was left about it.

Post it here (as much of the relevant message as you can) and me and Graham L will have a go.
vinref (6194)
372860 2005-07-17 05:29:00 grep audit /var/log/messages will help. (I think grep has options which will let you see a few lines each side of matched lines, too. man grep ;)). Graham L (2)
372861 2005-07-17 06:33:00 OK, had a look at /var/log/messages which covered just today, as well as /var/log/messages1 which covered the previous 7 days (which included the time I was downloading with azureus). No mention of azureus at all. I also did the grep audit /var/log/messages thing which gave me the same info as what I have already posted.
grep audit /var/log/messages 1 gave a similar yet smaller (just) result
Myth (110)
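
Added example, not part of the original thread: the kernel audit lines posted above share an `audit(timestamp:serial)` ID per event, so they can be merged and decoded rather than read field by field. The function names `group_events` and `describe` are illustrative, the lookup tables are small subsets, and the sample is abridged from the log in post 372854.

```python
import re

# Constructed sample: one event from the posted log, first line abridged.
SAMPLE = """\
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.130:16710398): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bff58e80 a2=80510f8 a3=0 items=0 pid=6698 auid=4294967295 uid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.130:16710398): saddr=100000000000000000000000
Jul 17 10:55:01 tazzcomp kernel: audit(1121554501.130:16710398): nargs=6 a0=3 a1=bff5afdc a2=10 a3=0 a4=bff5d178 a5=c
"""

AUDIT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\): (.*)$")
# Subsets only: i386 socketcall(2) sub-calls, errno values, address families.
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 9: "send", 11: "sendto", 16: "sendmsg"}
ERRNO = {1: "EPERM", 13: "EACCES", 22: "EINVAL"}
FAMILY = {1: "AF_UNIX", 2: "AF_INET", 16: "AF_NETLINK"}

def group_events(text):
    """Merge all records that share one audit(timestamp:serial) ID."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not a kernel audit record
        ev = events.setdefault(m.group(2), {"time": float(m.group(1))})
        for kv in m.group(3).split():
            if "=" in kv:
                key, value = kv.split("=", 1)
                ev.setdefault(key, value.strip('"'))  # first record wins (syscall a0..a3)
    return events

def describe(ev):
    """Summarise a syscall event: what was called, by whom, and how it failed."""
    out = {"comm": ev.get("comm"), "pid": int(ev["pid"])}
    if ev.get("arch") == "40000003" and ev.get("syscall") == "102":
        # i386 syscall 102 is socketcall; a0 (hex) selects the socket operation
        out["call"] = SOCKETCALL.get(int(ev["a0"], 16), "socketcall?")
    code = int(ev["exit"])
    out["error"] = ERRNO.get(-code, str(code)) if code < 0 else None
    if "saddr" in ev:  # first two bytes are sa_family, little-endian on i386
        fam = int.from_bytes(bytes.fromhex(ev["saddr"][:4]), "little")
        out["family"] = FAMILY.get(fam, fam)
    # auid 4294967295 is (uid_t)-1: no login UID was set for this process
    out["login_uid_set"] = ev.get("auid") != "4294967295"
    return out

if __name__ == "__main__":
    for serial, ev in group_events(SAMPLE).items():
        print(serial, describe(ev))
```

On the sample this reports `auditctl` (pid 6698) making a `sendto` on an `AF_NETLINK` socket that failed with `EINVAL`.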