
log message

OpenSuse Linux: How to Read Logs (Log Files)

How do I read and/or view log files under OpenSuse / Novell Enterprise Linux?

Q. I see the following message in my log files:

Linux bnx2: eth1: No interrupt was generated using MSI, switching to INTx mode

My server hangs occasionally after rebooting with the above message in /var/log/message. How do I get rid of this problem under CentOS Linux / RHEL version 4.x?

Q. I have a CentOS 5 server running on Dell hardware. I'm getting the following error message in my /var/log/message file (sometimes the message is also shown on the console):

Jul 05 12:04:05 dell01 kernel: end_request: I/O error, dev fd0, sector 0
Jul 05 12:04:05 dell01 kernel: Buffer I/O error on device fd0, logical block 0
Jul 05 12:04:18 dell01 kernel: end_request: I/O error, dev fd0, sector 0
Jul 05 12:04:18 dell01 kernel: Buffer I/O error on device fd0, logical block 0
Jul 05 12:04:30 dell01 kernel: end_request: I/O error, dev fd0, sector 0
Jul 05 12:04:42 dell01 kernel: end_request: I/O error, dev fd0, sector 0

What do they mean? How do I fix this problem?

A. This message appears when you don't have a floppy drive attached to the Linux server. The solution is quite simple: disable the floppy driver and reboot the system. You can check whether the driver is loaded with the following command (this solution works with RHEL, CentOS, Red Hat, Ubuntu/Debian and other Linux distros):
# lsmod | grep -i floppy
Output:

floppy                 95465  0

Open the file called /etc/modprobe.d/blacklist:
# vi /etc/modprobe.d/blacklist
Listing a module (driver name) in this file prevents the hotplug scripts from loading it. Usually that is done so that some other driver will bind to the device instead, no matter which driver happens to get probed first. Sometimes user-mode tools can also control driver binding. Append the following line:
blacklist floppy
Save and close the file. Now reboot the Linux server:
# reboot

Q. I'm using a Red Hat Enterprise Linux server. I'm getting the following error in the /var/log/message file:

Apr 16 16:38:02 server ntpd[22694]: sendto(10.0.77.54): Bad file descriptor
Apr 16 16:38:08 server ntpd[22694]: sendto(66.111.46.200): Bad file descriptor
Apr 16 16:38:25 server ntpd[22694]: sendto(83.133.111.7): Bad file descriptor
Apr 16 16:38:28 server ntpd[22694]: sendto(81.169.156.100): Bad file descriptor

How do I fix the above errors?

A. If you are seeing Bad file descriptor errors in /var/log/messages, make sure that only one instance of ntpd is running.

Step #1: Stop ntpd

Type the following command to stop ntpd:
# /etc/init.d/ntpd stop

Step #2: Kill ntpd

Type the following command to kill all instances of ntpd:
# killall ntpd

Step #3: Start ntpd

# /etc/init.d/ntpd start

Step #4: Watch log file /var/log/messages

Use the tail command:
# tail -f /var/log/messages
Output:

Apr 16 16:44:35 server ntpd[17549]: Listening on interface lo, 127.0.0.1#123
Apr 16 16:44:35 server ntpd[17549]: Listening on interface eth0, 10.5.123.2#123
Apr 16 16:44:35 server ntpd[17549]: Listening on interface eth1, 71.26.1.25#123
Apr 16 16:44:35 server ntpd[17549]: kernel time sync status 0040
Apr 16 16:44:36 server ntpd[17549]: frequency initialized -58.648 PPM from /var/lib/ntp/drift
Apr 16 16:47:52 server ntpd[17549]: synchronized to LOCAL(0), stratum 10
Apr 16 16:47:52 server ntpd[17549]: kernel time sync disabled 0041
Apr 16 16:47:52 server ntpd[17549]: synchronized to 71.26.2.221, stratum 1
Apr 16 16:50:00 server ntpd[17549]: synchronized to 10.0.77.54, stratum 

How to: Detect ARP Spoofing under UNIX or Linux

Q. I would like to know - how do I detect ARP spoofing? I am using Debian Linux.

A. Use the arpwatch command to keep track of Ethernet/IP address pairings. It logs activity to syslog and reports certain changes via email.

Arpwatch uses pcap to listen for ARP packets on a local Ethernet interface.

Install arpwatch

Use the apt-get command under Debian / Ubuntu Linux:
# apt-get install arpwatch
OR
$ sudo apt-get install arpwatch

arpwatch command examples

You can watch a particular interface with the command:
# arpwatch -i eth0

You will notice syslog entries as follows in the /var/log/syslog file (or the /var/log/messages file) when changes are made, i.e. when a MAC/IP address pair is changed:
# tail -f /var/log/syslog
Output:

Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0

The above entry shows a new workstation. If the pairing changes, you should see something like the following:

Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)

You can also use the arp -a command to display the current ARP table:
$ arp -a
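
To review a whole log rather than watching tail output, the arpwatch entries shown above can be parsed and cross-checked. The script below is an added example, not part of the original article or of arpwatch; the function names and the sample log lines are constructed for illustration, and it assumes entries follow the field layout quoted on this page.

```python
import re
from collections import defaultdict

MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
# Matches the two entry shapes shown above:
#   arpwatch: new station <ip> <mac> <iface>
#   arpwatch: changed station <ip> <new mac> (<old mac>)
# The event text is not restricted, so any entry with this layout is parsed.
ENTRY = re.compile(
    r"arpwatch(?:\[\d+\])?: [a-z ]+? (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    rf"(?P<mac>{MAC})(?: \((?P<old>{MAC})\))?"
)

# Constructed sample log, in the format of the entries quoted on this page.
SAMPLE = [
    "Nov 10 15:59:34 debian arpwatch: new station 192.168.1.2 0:17:9a:a:f6:44 eth0",
    "Nov 10 16:02:10 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6 (0:17:9a:a:f6:44)",
    "Nov 10 16:05:00 debian arpwatch: new station 192.168.1.1 0:1e:58:c:1:2 eth0",
    "Nov 10 16:07:41 debian arpwatch: changed station 192.168.1.1 0:17:9a:b:f6:f6 (0:1e:58:c:1:2)",
    "Nov 10 16:08:00 debian sshd[411]: unrelated line",
]

def norm_mac(mac):
    """arpwatch prints octets without leading zeros (0:17:9a:a:f6:44); pad them."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def find_arp_anomalies(lines):
    """Return (ip_conflicts, mac_conflicts) seen across arpwatch syslog lines."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # not an arpwatch pairing entry
        for mac in filter(None, (m["mac"], m["old"])):
            macs_by_ip[m["ip"]].add(norm_mac(mac))
            ips_by_mac[norm_mac(mac)].add(m["ip"])
    # One IP seen with several MACs: the pairing changed (possible spoofing).
    ip_conflicts = {ip: sorted(s) for ip, s in macs_by_ip.items() if len(s) > 1}
    # One MAC seen with several IPs: a single host answering for other addresses.
    mac_conflicts = {mac: sorted(s) for mac, s in ips_by_mac.items() if len(s) > 1}
    return ip_conflicts, mac_conflicts

if __name__ == "__main__":
    ip_conflicts, mac_conflicts = find_arp_anomalies(SAMPLE)
    for ip, macs in ip_conflicts.items():
        print(f"{ip} seen with multiple MACs: {', '.join(macs)}")
    for mac, ips in mac_conflicts.items():
        print(f"{mac} claims multiple IPs: {', '.join(ips)}")
```

A changed pairing is also what a DHCP lease handover or a replaced network card looks like, so treat each hit as a lead to confirm against the arp -a output rather than as proof of spoofing.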