Destroyed a logfile by mistake

X

xy16644

I was trying to view the contents on my /var/log/maillog but instead of typing ee /var/log/postfix/maillog I typed:

tee /var/log/maillog

and now my logfile is not updating anymore!

What have I done wrong?
 
I assume you typed ctrl-C to stop tee? Basically what you just did was to truncate that file to a length of 0, and most likely the program that uses that log file is very confused; restarting the mail service (sendmail or is it postfix) will probably make it happy.
 
P.S. Never use an editor to view a live log file; either use something like more, or make a copy and open the copy in your favorite editor.
 
Remove the file you created because it's most likely now owned by root and the process that tries to write to the file is running as a non-privileged user. The file should be recreated when you restart the mailer daemon.
 
kpa said:
Remove the file you created because it's most likely now owned by root and the process that tries to write to the file is running as a non-privileged user. The file should be recreated when you restart the mailer daemon.
Click to expand...

and for a good measure do: kill -HUP `cat /var/run/syslog.pid`
 
Thanks all, the log file is working again and I learnt a valuable lesson...don't use ee on a live logfile but use more rather!!
 
Or tail(1):

Look at the last 10 lines:
# tail /var/log/maillog

Look at the last 100 lines:
# tail -100 /var/log/maillog

Look at the last X (put in an actual number, not the letter X) lines:
# tail -X /var/log/maillog

Look at the last 10 lines, and watch updates live as they happen:
# tail -f /var/log/maillog

Look at the last 100 lines, and watch updates live as they happen:
# tail -100[b]f[/b] /var/log/maillog

And so on.
 
Thanks @phoenix, thats very helpful.

I am getting these in /var/log/maillog now:

Code: 
Feb 13 20:38:32 mail postfix/master[64595]: warning: process /usr/local/libexec/postfix/smtpd pid 99785 killed by signal 11
Feb 13 20:50:06 mail postfix/master[64595]: warning: process /usr/local/libexec/postfix/smtpd pid 3525 killed by signal 11
Feb 13 20:58:52 mail postfix/master[64595]: warning: process /usr/local/libexec/postfix/smtpd pid 5478 killed by signal 11
Feb 13 21:13:54 mail postfix/master[5828]: warning: process /usr/local/libexec/postfix/smtpd pid 10118 killed by signal 11
Feb 13 21:27:11 mail postfix/master[5828]: warning: process /usr/local/libexec/postfix/smtpd pid 14008 killed by signal 11
Feb 13 21:28:37 mail postfix/master[5828]: warning: process /usr/local/libexec/postfix/smtpd pid 14469 killed by signal 11

Emails still flowing fine (I did a few send/receive tests) but this error is worrying?

I also have a few of these:

Code: 
mail postfix/master[5828]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

Could these errors be due to me screwing up the maillog logfile?
 
Last edited by a moderator:
Nope, those would be from screwing up the Postfix config. :)

Look at your main.cf to make sure everything is set correctly. Do a restart of postfix and check the logs right away for messages. Confider re-mapping your database files:
# postalias /path/to/aliases
# postmap /path/to/any/hash/map/files
 
phoenix said:
Nope, those would be from screwing up the Postfix config. :)

Look at your main.cf to make sure everything is set correctly. Do a restart of postfix and check the logs right away for messages. Confider re-mapping your database files:
# postalias /path/to/aliases
# postmap /path/to/any/hash/map/files
Click to expand...

I have had a read through the main.cf file but nothing looks out of place to me. I stopped and started postfix and immediately checked the maillog but there were no errors reported.

FYI: I use virtual users/domains/aliases.

I ran:

postalias /etc/aliases

and it ran fine.

When I ran:

postmap /etc/aliases

I get this error:

maillog:Feb 14 08:34:49 mail postfix/postmap[86101]: warning: /etc/aliases, line 79: record is in "key: value" format; is this an alias file?
Click to expand...

is this the cause of the problem or could it be something else? Theres no hint in the logs that I can see.

What else can I try to troubleshoot this?
 
xy16644 said:
Thanks all, the log file is working again and I learnt a valuable lesson...don't use ee on a live logfile but use more rather!!
Click to expand...
Actually I think there's a totally different lesson to be learned here, one which we all already know but which most of us often ignore:

Code: 
$ tee /var/log/maillog
tee: /var/log/maillog: Permission denied
When I check up on my logfiles I make sure to be in a situation where I can only check and not do anything else. If I need more (I can understand that you need to check logfiles in order to perform other administrative tasks) I do so with the use of sysutils/tmux.

In other words; I always know that whenever I go to my first screen I basically enter a root session whereas my second screen is always under a regular user account. This literally helps me to divide my tasks but also minimizes potential dangers.

I know it sounds clichéd, but in my opinion you should never use root to check up on logfiles.

Edit: s/never\ should/should\ never/g
 
I have two windows open in a sysutils/tmux session, one is with normal user account and the other one is su(1)'ed to root. I can switch between the windows with couple of keystrokes and there's never a danger of getting the windows mixed up because of the shell prompt that is the #-sign for root. I also make use of SSH key forwarding using ssh-agent(1) so that I don't have to type passwords to log into my machines and then I have security/pam_ssh_agent_auth that allows me to su(1) to root without a password.
 
Thanks to you all for your replies. The irony in all this is I started to *not* use root on my new server and I started to use my own account with sudo but that day I was logged in with root (naughty naughty).

Does anyone have any ideas as to the errors I am experiencing in Postfix? Looks like I have been experiencing those errors a few days BEFORE I screwed up the maillog logfile.

From what I understand there is a problem with my main.cf but I can't see anything helpful in the logs.

Can someone assist please?
 
Having had a good look through the maillog I have noticed that the "signal 11" error I am receiving occurs when I receive email from the following domains:

Code: 
mxslcpool74.ebay.com
outmail034.prn2.facebook.com
...
outmail040.prn2.facebook.com

Why would receiving email from only these two domains cause Postfix to crash and restart?
 
Impossible to tell; it needs more context. Is said e-mail always addressed to the same recipient? Are there other similarities (attachments for example)?
 
Thats a good question but I don't know as its not showing in the log. Here is what I can see in the log so far:

Code: 
Feb 15 05:12:40 mail postfix/smtpd[40147]: connect from mxslcpool74.ebay.com[66.135.215.176]
Feb 15 05:12:41 mail postfix/master[88477]: warning: process /usr/local/libexec/postfix/smtpd pid 40147 killed by signal 11
Feb 15 05:12:41 mail postfix/master[88477]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

I don't think the connection gets far enough to see *who* the email is addressed to.
 
Did you try rebuilding a fresh postfix from ports? In no event (at least none I could think of) should an MTA crash with segmentation fault while receiving an E-Mail, even given the possibility that something might be slightly misconfigured.
 
mickey said:
Did you try rebuilding a fresh postfix from ports? In no event (at least none I could think of) should an MTA crash with segmentation fault while receiving an E-Mail, even given the possibility that something might be slightly misconfigured.
Click to expand...

I'm glad you asked :)

It turns out I had to disable zlib in OpenSSL to fix my issue (it wasn't an issue with my Postfix config files).

I've been running now for over 12 hours without any signal 11 errors and I can see email being received from Facebook fine now.
 
You must log in or register to reply here.
Back
Top