Which log file(s) to look for after server been down

system · February 18, 2006, 7:36am

Coming home from a 2 day business trip, I find all the services, Apache, Email, SSH, Nodeworx, etc. on my Redhat 9 server non responding. The server pinged fine.

After having Sago reboot my server everything worked fine, however now I would like to find out what the heck happened, and Sago told me to look in the /var/log folder for clues.

Being a Windows geek more than a Linux geek, I hope that someone can give me a hint as exactly where to look and for what. I mean which file or subfolder.

I did ask this to Sago but they coughed back their standard “Server not a managed server, so give us $50 bucks and we’ll tell you!”.

IWorx-Socheat · February 18, 2006, 7:59am

RWF,

Probably the first thing I would do is try to determine what time the services went down. That way, you have a general starting point when looking through all the various logs. Look for huge jumps in timestamps. Your best bet would be to look through the httpd logs first (/var/log/httpd/transfer.log), since an active web server will probably have log data every couple seconds.

Good luck!
Socheat

system · February 18, 2006, 8:34am

Just looked in that folder and there are no files with the name transfer.log, only access_log, error_log, ssl_error, suexec.log, ssl_request_log, ssl_scache.dir, and ssl_scache.pag

IWorx-Socheat · February 18, 2006, 8:44am

Sorry, I meant access_log.

system · February 19, 2006, 5:22pm

The access_log files contains little information, at least not useful information.

Out of the 5 files there where, the one that contained the mentioned date range looked like this (entire file):

199.203.56.234 - - [13/Feb/2006:06:05:27 -0500] “GET / HTTP/1.1” 404 -
199.203.56.234 - - [13/Feb/2006:06:05:28 -0500] “GET / HTTP/1.1” 404 -
194.72.238.62 - - [15/Feb/2006:05:31:06 -0500] “HEAD / HTTP/1.0” 404 -
194.72.238.62 - - [15/Feb/2006:09:09:45 -0500] “HEAD / HTTP/1.0” 404 -
194.72.238.62 - - [15/Feb/2006:12:09:40 -0500] “HEAD / HTTP/1.0” 404 -
194.72.238.62 - - [18/Feb/2006:03:01:41 -0500] “GET / HTTP/1.0” 404 -
194.72.238.62 - - [18/Feb/2006:03:14:39 -0500] “GET / HTTP/1.0” 404 -
194.72.238.62 - - [18/Feb/2006:05:55:41 -0500] “GET / HTTP/1.0” 404 -
194.72.238.62 - - [18/Feb/2006:16:49:35 -0500] “HEAD / HTTP/1.0” 404 -
194.72.238.62 - - [18/Feb/2006:20:43:08 -0500] “HEAD / HTTP/1.0” 404 -
194.72.238.62 - - [18/Feb/2006:23:49:35 -0500] “HEAD / HTTP/1.0” 404 -
194.72.238.62 - - [19/Feb/2006:02:55:10 -0500] “HEAD / HTTP/1.0” 404 -

How in the world can this sparesome information be used for ANYTHING?!? Not the least to tell me what went wrong on Wednesday around noon est!

Justec · February 19, 2006, 6:36pm

I would look in /var/log/messages or whatever your kernel log is for your system