On 5/6/06, Ventz Petkov <[EMAIL PROTECTED]> wrote:
Has anyone noticed double entries (in the authlog for example) from syslog?
...
May 6 17:41:31 name sshd[19987]: Failed password for root from 10.0.0.X port 49670 ssh2
May 6 17:41:31 name sshd[3448]: Failed password for root from 10.0.0.X port 49670 ssh2
One is from the sshd process that chrooted to /var/empty and setuid to the sshd user, the other is from the one that remained root. It would be preferable if only one log statement was generated, of course, but that would be a matter for someone who knows that code.
The funny thing is that if I kill syslog and start it myself everything is fine.
When you started syslogd yourself, did you remember to pass it all the arguments that /etc/rc does? In particular, did you pass it "-a/var/empty/dev/log" and "-a /var/named/dev/log"? If not, the privilege-separated processes running in /var/empty won't be able to log.

Philip Guenther
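Added example (not part of the original thread, and not OpenBSD or OpenSSH code): a log-review helper that counts failed sshd password attempts without double-counting the pairs described above, by leaving the PID out of the comparison key. The function names and the sample lines (with 192.0.2.x addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Classic syslog layout: "Mon D HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

def failed_logins(lines):
    """Return one (ts, host, user, src, port) tuple per distinct failure.

    The privileged and unprivileged sshd processes log the same message in
    the same second under different PIDs, so the PID is not part of the key.
    """
    seen, events = set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an sshd line in the expected layout
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue  # some other sshd message (e.g. Accepted password)
        key = (m["ts"], m["host"], f["user"], f["src"], f["port"])
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events

def failures_by_source(lines):
    """Count de-duplicated failures per source address."""
    return Counter(event[3] for event in failed_logins(lines))

# Constructed sample: two doubled entries, one single entry, one success.
SAMPLE = """\
May  6 17:41:31 name sshd[19987]: Failed password for root from 192.0.2.10 port 49670 ssh2
May  6 17:41:31 name sshd[3448]: Failed password for root from 192.0.2.10 port 49670 ssh2
May  6 17:41:35 name sshd[20011]: Failed password for root from 192.0.2.10 port 49671 ssh2
May  6 17:41:35 name sshd[3448]: Failed password for root from 192.0.2.10 port 49671 ssh2
May  6 17:42:02 name sshd[20040]: Failed password for invalid user admin from 192.0.2.77 port 51200 ssh2
May  6 17:42:09 name sshd[20051]: Accepted password for ventz from 192.0.2.5 port 40022 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, count in failures_by_source(SAMPLE).items():
        print(src, count)
```

Two genuine failures on the same connection within the same second would also collapse into one event, so treat the counts as a lower bound.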

