I've got some funny entries in some of my logs:
<Date> <Time> <Host> syslogd 1.3-3: restart (remote reception).
With several identical messages all occurring within a second of each other.
The <Host> portion of this message is my remote logging server. I've also got
entries for syslogd being restarted on several other systems, without the
"remote reception". Sometimes these entries occur simultaneously with the
entries on the logging server, other times not. Sometimes there are several
within a second, and other times, within several seconds. This started on the
logging host around the first of April, and has spread to other systems since.
All entries are happening around the same time every morning, but there are no
entries in the crontabs which offer me any clues.
syslogd version 1.3-3 on all systems.
I'm up to date on the Errata for all these systems.
There is nothing else in the logs other than normal activity for 10 lines of
context (forward and backward). utmpdump of utmp and wtmp shows nothing other
than my last entries. tripwire shows nothing weird. snort logs show some
activity, but nothing out of the ordinary.
What's causing this? The "remote reception" bit has me worried. The fact that
syslogd is being restarted without my causing it to do so, and without evidence
of other problems, has me almost panicked. It starting on one system and then
showing up on other, NON-identical, systems is also of serious concern.
Do I need to start assuming that I've been compromised, or is there something
else which could explain it? I've seen where the "restart (remote reception)."
can occur with kernel memory allocation problems, but I don't see any messages
to indicate a memory allocation problem. And I haven't been able to find a
report of this message being caused by anything else.
--
Jacob Killian
PGTC System Administrator
<mailto: [EMAIL PROTECTED]>
<http://www.pgtc.net>
501-846-7245
"Long may we walk" --my mom