Perl's LWP interferes with system logging

Nov 12, '02 08:16:23AM

Contributed by: Brian Kendig

I was having an odd problem where nothing was being written to my system logs. /var/log/system.log was zero-length every day, and then every night it would be compressed (resulting in a 33-byte .gz file!) and a new zero-length system.log would be created, and nothing would be written to that all day either. I immediately suspected hackers -- one of the easiest ways that hackers cover their tracks is to mess with the system logs to hide what they've been doing.

So I asked on Usenet, and Heath Raftery explained to me what the problem was. I've been using Perl on this Mac, and I installed LWP a while ago, and I hadn't realized that it overwrote my 'head' executable just as described in this hint. It turns out that having 'head' replaced with the wrong file will foul up the nightly log rotation and prevent anything from being written to the system.log.

The easiest way to tell if you have the wrong head installed is to type 'file /usr/bin/head'. If it says 'Mach-O executable ppc', then you have the correct 'head'. If it says 'perl commands text', then your 'head' was overwritten by LWP.
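A scripted version of this check, as an added example that is not part of the original hint: it reads the first four bytes of each file instead of depending on the wording of the 'file' output, and it can cover more utilities than 'head'. The function names, the list of Mach-O and ELF magic numbers, and the final demo call are choices made for this example.

```shell
#!/bin/sh
# Added example: classify executables by their leading bytes so that a script
# sitting where a compiled system utility belongs stands out.

# classify_exec PATH -> prints: missing | binary | script:<interpreter> | other
classify_exec() {
    path=$1
    [ -f "$path" ] || { echo "missing"; return 0; }
    # od reads the first four bytes, so the check does not depend on 'head'.
    magic=$(od -An -tx1 -N4 "$path" | tr -d ' \t\n')
    case $magic in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe)  # Mach-O: PPC, Intel, fat
            echo "binary" ;;
        7f454c46)                                      # ELF, for non-Mac hosts
            echo "binary" ;;
        2321*)                                         # "#!" interpreter line
            IFS= read -r first < "$path" || true
            echo "script:${first#??}" ;;
        *)
            echo "other" ;;
    esac
}

# audit_utils DIR NAME... -> prints every NAME in DIR that is not a compiled
# binary and returns 1 if there was at least one, 0 otherwise.
audit_utils() {
    dir=$1; shift
    bad=0
    for name in "$@"; do
        kind=$(classify_exec "$dir/$name")
        if [ "$kind" != "binary" ]; then
            echo "$name: $kind"
            bad=1
        fi
    done
    return $bad
}

# The utility this hint is about; extend the list as needed.
audit_utils /usr/bin head || echo "check the entries listed above"
```

A line such as 'head: script:/usr/bin/perl -w' corresponds to the 'perl commands text' case described above.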

hmelton's 'head restoration' tip explains how to fix your 'head' by recompiling the correct one from the Darwin source code. If you have another Mac that you haven't installed LWP on, you can just copy 'head' from it, as long as you make sure the permissions and ownership are set correctly.

I fixed my 'head', and now my system log is being written to correctly after being rotated. There are probably lots of jokes one can come up with about this, but I'll leave that to the comments...

[Editor's note: Be nice, people! :-)]



Mac OS X Hints
http://hints.macworld.com/article.php?story=20021112051623403