Been using Linux for years and came up on a new problem I have never encountered.
Please read carefully before jumping to conclusions.
OS: RHEL WS 3
System: HP Server Hyperthreading
Have had a system in place for about 6 months continuous uptime and no issues.
Issue: Can no longer use console to login nor use ssh into system (telnet disabled).
Symptoms:
ssh: ssh_exchange_identification: Connection closed by remote host
console: Type in any user name and password. Press enter, tty hangs forever.
Have not rebooted system yet, due to production system. Looking for advice of what to look for, here is what I was going to try tonight after reboot and hopefully login.
1. check for /etc/nologin.
2. check /etc/securetty (see if corrupt file)
3. rpm -Vf /etc/pam.d (don't feel this is going to help much)
4. rpm -Vf /etc/security (don't feel this is going to help much either)
5. rpm -V initscripts
6. check /etc/shadow and /etc/passwd for corrupt entries
7. rpm -Vf /bin/login
8. rpm -Vf /sbin/mingetty
If I can not login, will boot to cdrom with the install disk and mount the filesystems and perform the checks.
Any other ideas anyone may have???? Ideas or instances where this has happened to someone else?
Issue: /var had filled up. Therefore, neither lastlog nor wtmp could be written to.
Affecting program: auditd
Description: /var/log/audit.d directory was housing about (40) 20 megabyte files, filling up the /var filesystem preventing logging in. Apparently, the specific version with RHEL 3 update 4 does not clean up the files, but leaves them there. This is either a bug/configuration issue with auditd. Currently, just turned it off.
Hope this helps others out there that may run across this same problem.
This was driving me crazy...I had noticed that /var seemed a little large but didn't think the problem could be there, but your post makes complete sense.
So besides turning auditd off what other solutions are you thinking of?
Notice that the num-files is supposed to be only 4. This says to me it is a bug. Hopefully, they have fixed this in an update from Red Hat.
Due to that we don't need these logs, since it is an internal computer, it was not needed.
To fix the script, something like the following could be implemented in cron:
Put in a shell script to run from cron something similar.
I don't remember the exact layout of the filename. I remember
seeing one that was bin.1, so assuming the .1 is the day.
SEVEN_DAYS_OLD=`/usr/locale/ebin/date '+%d' --date '3 days ago'`
The notify line as above should (according to the docs) remove old 'save' files when the filesystem comes within 20% of full (change the figure after -T to specify how close to full you want to start deleting old files).
This should be of help if audit is filling up the log directory with 'save' files rather than 'bin' files - which is what was happening with me. As I understand it, the num-files option here refers to the number of 'bin' files that are in use. The 'notify' option states what should be done when a new 'bin' file is started (in the above config, when the previous one gets to 20MB). The config above will copy the old 'bin' file to a new file 'save.%u' (audbin uses %u to generate a number to make the filename unique), clear the file (-C flag), & then look to see if the filesystem threshold is reached (-T flag, within 20% of full here); if it is, then it runs the -N command (%f refers here to oldest file). The audbin man page is helpful.
Before making this change, the default was for the notify command simply to suspend the audit daemon, which caused the machine to hang as described at the top of this thread.
Hope that's helpful for anyone else encountering this problem! And thanks to Darren for the initial pointer.
Thanks for posting this. I always forget about that sad little /var directory silently doing its job, and silently puking when full.. Booted with knoppix, deleted some files and I'm back in business.
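A cron-friendly sketch of the cleanup discussed in this thread, added here as an example and not taken from any poster's script or from the audit package: it deletes the oldest 'save' files once the filesystem holding the audit directory passes a usage limit. The `save.*` name pattern, the limit of 80% (i.e. within 20% of full) and keeping 4 files are assumptions drawn from the posts above; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: prune old audit 'save' files before /var fills up.
# Assumed layout: DIR contains save.<n> files (names without whitespace).

# pct_used PATH -> integer percent used of the filesystem holding PATH
pct_used() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# prune_saves DIR KEEP -> remove all but the KEEP newest save.* files,
# print how many were removed. Other files (e.g. bin.*) are not touched.
prune_saves() {
    dir=$1 keep=$2 removed=0
    # ls -t lists newest first; tail skips the KEEP newest entries
    for f in $(ls -t "$dir"/save.* 2>/dev/null | tail -n +$((keep + 1))); do
        rm -f -- "$f" && removed=$((removed + 1))
    done
    echo "$removed"
}

# prune_if_full DIR LIMIT KEEP -> prune only when usage >= LIMIT percent,
# print the number of files removed (0 when below the limit)
prune_if_full() {
    dir=$1 limit=$2 keep=$3
    used=$(pct_used "$dir")
    if [ "${used:-0}" -ge "$limit" ]; then
        prune_saves "$dir" "$keep"
    else
        echo 0
    fi
}

# Cron entry point, e.g.:  */15 * * * * /path/to/this-script --cron
if [ "${1:-}" = "--cron" ]; then
    prune_if_full "${2:-/var/log/audit.d}" 80 4 >/dev/null
fi
```

If the audit records must be retained, archive the save files to another filesystem before the prune step instead of deleting them outright.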