invis.net

Plugin not loggin to auth.log any more

Im forcing your plugin to all my clients with wordpress installed. After yesterday it suddenly stopped writting to auth.log so fail2ban does not work any more.

Im currently in the process of stopping fail2ban as im moving to CSF, but im keeping the plugin running for the entries in the auth.log. I have multiple servers, but it seems that its only on that one server?

I cant seem to find what the hell is wrong here…

Welcome!

Let’s nail down a few basic details and I’ll have a better idea of where to start, so first things first - which OS? Web server? Version of PHP?

Obviously something has changed (being *nix of some sort it won’t just break itself, unless you’re unlucky enough to have been systemd'd) - any ideas what? Did it just update to WP 5.4.1?

HI,

Its an Ubuntu 18.04, Apache2 running php 7.4.5. but to be clear, those were already running before it suddenly stopped.

Its about 3 days ago that it suddenly stopped. the websites are all upgraded to WP 5.4.1 but so does it on my other servers and there it works beautifully. I did however changed the websites to ondemand instead of dynamic, but i dont see how that would affect the process.

some things i checked after creating this problem:

  • I’ve tested another php version, but it seems its on server level that its not working…

  • It seems everything else works as designed. I see SSHD, FTP and cronjob entries.

  • The right permissions are set on the file syslog:adm

  • I purged fail2ban but reinstalled it again to see if that was it (desperate i know).

  • enabled file debug WP. nothing.

OK, the first step is to work out if it’s a PHP+syslog or a PHP+Apache+syslog problem. If you run this from the command line:

php -r 'syslog(LOG_WARNING, "Hello, world!");'

the message should show up somewhere (on FreeBSD it ends up in /var/log/messages). If that works then it’s something Apache-related.

I’m assuming you’re not running syslog-ng or similar so my money is on systemd being the root cause of the problem, it’s “just” a question of working out what it’s unhappy about today.

I tried yours just now and only in apache2/access.log

i tried inserting some stuff yesterday in all known log vars with a php script noting…

$facilities = array(
LOG_AUTH,
LOG_AUTHPRIV,
LOG_CRON,
LOG_DAEMON,
LOG_KERN,
LOG_LOCAL0,
LOG_LPR,
LOG_MAIL,
LOG_NEWS,
LOG_SYSLOG,
LOG_USER,
LOG_UUCP,
);

for ($i = 0; $i < 10000; $i++) {
foreach ($facilities as $facility) {
openlog(‘test’, LOG_PID, $facility);
syslog(LOG_ERR, "This is a test: " . memory_get_usage(true));
}
}

Sounds like systemd-journald is eating the entries.

If you run journalctl -f in theory you should see everything it’s logging, including (hopefully!) your test messages. That’d be the next thing to check.

wel not the test php above. your hello, world yes…

Try adding:

closelog();

to your test.

no luck…

its breaking my balls…

Im on to something here. Its 99% CSF’s fault. I set restrict_syslog to 3 wich means only users in a certain conf file are allowed to log. Documentation said to revert the settings set it to 0 or 2. This did not revert settings but kept honoring the conf file. I’ve also added a support question in the CSF forum.

BTW you should broden your horizon to include CSF with your plugin. there are already people using your plugin with CSF.

You may have to reset the permissions on /dev/log, usually you can do:

chmod 666 /dev/log
chown root:root /dev/log

this should result in:

# ls -la /dev/log
srw-rw-rw- 1 root root 0 May  8 11:22 /dev/log

and its all good now even though nothing has changed… it somehow needed a boost.

I’m glad you got it working again, but that sounds more like a workaround than a true fix. Still, it’s a place to start for the next person - thanks for reporting what worked!