Tuesday, January 18, 2011

Is there a safe way to force an IIS log file rollover on a production web server?

I often have to look at problems on live web servers and would like to know if there is a safe way to force an IIS log file rollover on a production server.

  • Are you sure about this? I've been supporting IIS web farms for years and had no issues with copying the current IIS log file to get all entries up to that point... (IIS 4, 5, 6 and 7)

    How are you copying them?

    Luke Girvin : I often use Symantec pcAnywhere to copy the files, so perhaps it's something peculiar to that program that's causing me problems. I'll edit the question slightly but I'd still like to know if there's a way to force a log file rollover; this sort of functionality is common in the UNIX world and SQL Server also has it.
    From Daed
  • You could try temporarily changing the log file rollover settings, as described here:

    http://technet.microsoft.com/en-us/library/cc754615(WS.10).aspx

    Once the logs have rolled over, revert to your previous settings.

Mysqlhotcopy message: audit_log_user_command(): Connection refused

I'm trying to back up a db. It works but gives this message before the backup process:

audit_log_user_command(): Connection refused

What does this mean?

  • This is a sudo error.
    How are you running mysqlhotcopy?

    From Marcel
  • This is an issue with sudo. Update to latest version.

    From

How do you add a site to the Internet Explorer Trusted Zone through GPO in server 2003?

How do you add a site to the Internet Explorer Trusted Zones through GPO in server 2003?

If you do push a site through a GPO does it erase other Trusted Sites that may have been entered on the end users computer?

Thank You,
Keith

  • To set a trusted site, in Group Policy editor: Navigate to
    User Config\Admin Templates\Windows Components\Internet Control Panel\Security Page\

    Policy: Site to Zone Assignment List

    Any site you add to the list with a value of 2 will be in the Trusted Sites zone.

    I think it will merge with existing sites if you have not locked down the zone

    see Internet Explorer security zones registry entries for advanced users

    and Group Policy and Internet Explorer 8

    Keith Sirmons : Thank you... I was typing my answer and didn't see yours.
    From Jim B
  • This does clear all the user's previously added sites from ALL their security lists.

    1. Open Group Policy Manager
    2. Create New GPO and Link it.
    3. Edit GPO.
    4. Browse to User Config -> Admin Temp -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
    5. Open "Site to Zone Assignment List"
    6. Enable it
    7. Click Show and add your site name and the value 2 for the Trusted Zones list

    Keith

Enable live streaming on website

I have a server colocated in a datacentre (dedicated 1Gbit line, SSDs, etc.) running CentOS 5.4 64-bit.

I want to stream live video from a device (webcam, camcorder, whatever) to my server, which in turn can re-broadcast it on demand through a Flash player (such as Flowplayer) so that more users will be able to watch the stream, since the server is quite fast.

Does a solution like this exist already (streaming software from live source to flash media server) or will I need to hire someone to code it? I see that VLC has an option to stream video.. will that be suitable in this case? Or is there a better way to do it? I don't want a browser based solution on my end. It'll be great if this can be done without running an X server but I don't mind either way. This will be running on a dedicated PC at home.

Access rights escalation requiring multiple sysadmin authorisation

I was just wondering if there is a way to give a user root access escalation on a *nix system, kind of like sudo, but which requires more than one sysadmin authorisation. I am thinking of something sort of like how a self-destruct command on a starship requires multiple command-level authorisations.

  • There's nothing like this by default, but SELinux and POSIX ACLs might be able to be leveraged by denying everyone root except in cases where multiple tokens (or files, or processes, or whatever) exist and are owned by the proper people. Sort of like an even more complicated use of semaphores.

    Check out this article in Linux Journal about making root unprivileged.

    BTW, in case you didn't know, you're meddling in Deep Magic.

    troyengel : deep, deep bayou voodoo magic. there is a man with a skull and tooth necklace standing over you as you attempt to continue... :)
  • Maybe you could abuse a SecurID token by setting up the root account with the token. Then give the token to the "partially trusted person number 1 (manager)" and the PIN to "partially trusted person number 2 (admin)". Partially trusted person number 2 has to phone trusted person number 1 and ask him the number on the display of the token. That way 1 and 2 have to come together to make it possible to log in. I'd be a bit wary of relying on it, though; you could put 2 locks on the door of an office and issue the keys to the semi-trusted parties, who would again need to come together to open the office to get at the secure workstation?

    I wouldn't be surprised if there are bits bolted onto some operating systems that do this but you'll probably have to join an organisation where you are expected to salute and say "Sir" a lot before you can use them.

    This blog entry by someone who designed/built just such a system is interesting: Dr Rick (Crypto)Smith Blog

    From davey
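
The first answer's idea of gating root on multiple tokens or files owned by the proper people can be sketched as a small approval check. The following Python is an added example written for this page, not code from any of the answerers: each admin signs a short-lived approval for one requester and one action with a per-admin HMAC key, and the gate grants only when enough distinct admins (never the requester) hold valid approvals. The admin names, the keys and the `issue_approval`/`authorize` functions are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed per-admin secrets for this example. In a real deployment each
# admin's key would live only with that admin (hardware token, agent) and the
# gating host would hold verification material only.
ADMIN_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
}


def _approval_message(admin, requester, action, expires):
    # Canonical byte string covering every field the approval binds.
    return json.dumps([admin, requester, action, expires],
                      separators=(",", ":")).encode()


def issue_approval(admin, requester, action, ttl_seconds, now=None):
    """An admin signs off on one requester performing one action until expiry."""
    now = time.time() if now is None else now
    expires = int(now) + int(ttl_seconds)
    tag = hmac.new(ADMIN_KEYS[admin],
                   _approval_message(admin, requester, action, expires),
                   hashlib.sha256).hexdigest()
    return {"admin": admin, "requester": requester, "action": action,
            "expires": expires, "tag": tag}


def approval_is_valid(approval, requester, action, now):
    key = ADMIN_KEYS.get(approval.get("admin"))
    if key is None:
        return False                      # unknown approver
    if approval.get("requester") != requester or approval.get("action") != action:
        return False                      # approval is for something else
    if approval.get("expires", 0) < now:
        return False                      # stale approval
    expected = hmac.new(key,
                        _approval_message(approval["admin"], requester, action,
                                          approval["expires"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval.get("tag", ""))


def authorize(requester, action, approvals, required=2, now=None):
    """Grant only when `required` distinct admins (other than the requester)
    hold valid approvals for exactly this requester and this action."""
    now = time.time() if now is None else now
    approvers = {a["admin"] for a in approvals
                 if approval_is_valid(a, requester, action, now)}
    approvers.discard(requester)          # nobody approves their own request
    return len(approvers) >= required


if __name__ == "__main__":
    t0 = 1_700_000_000
    first = issue_approval("alice", "dave", "reboot", 600, now=t0)
    second = issue_approval("bob", "dave", "reboot", 600, now=t0)
    print(authorize("dave", "reboot", [first, second], now=t0))   # True
    print(authorize("dave", "reboot", [first], now=t0))           # False
```

The check deliberately binds the admin's name, the requester, the action and the expiry into the signed message, so an approval cannot be replayed for a different user or command, and two approvals from the same admin count once.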

Forum Solution in Ruby or Python

I need to find a suitable forum in Ruby or Python for my company's web site. I've been given the following general criteria:

  1. Data Migration: How do they store the data? Preferably in database not flat files.
  2. User Management: Need to be able to do single login via our own current LDAP
  3. Email Integration: -- Daily Digest Checkbox, etc. -- RSS Feeds
  4. Language: Ruby/Rails or Python (our current single sign on LDAP is in Python)
  5. Easy to skin (CSS, etc.)
  6. Not phpbb (management's decision)

Any suggestions, stories from the trenches, etc.?

pop3 IIS 6 , allow remote connections

I'm using an EC2 Windows 2003 instance. I managed to install POP3 and I can connect to it locally (using Outlook Express through Remote Desktop) and the server address is the machine name. I also added an MX record on the DNS (mail.mydomain.com) but still I can't connect to the POP3 server remotely using either mail.mydomain.com or even the server IP.

  • The first thing that comes to mind is your firewall, have you opened port 110 on your firewall?

    From Sam Cogan

Avg. Disk Queue Length counter when using external RAID enclosure?

I realize that many are recommending that we look at other counters like sec/Read and sec/Write instead of Avg. Disk Queue Length. However, I have a question about this particular counter:

It's typically recommended that Avg. Disk Queue Length not be greater than 2. Just as often I'll see that it should not be greater than 2 + the number of spindles in the "physical disk." This is what I'm curious about. If I'm using an external RAID system, doesn't the OS see it as one physical spindle? Would I still factor in the number of physical spindles in the array when using this counter? Some insight into how this works would be helpful.

  • The OS doesn't do any fancy calculation. I speculate here, but given how performance counters work in general I guess it's just going to increment the counter and the base counter when it posts the I/O and decrement the counter when the I/O returns. The performance counter type being defined as 'Average', the performance tools and libraries will do computation from the raw values (counter, base counter) and the time between samples, and the result will be the counter value you see.

    Nowhere in this process does the physical structure of the RAID array come into the picture. So when you evaluate the value, you must factor in the number of spindles and consider it accordingly when deciding if the value is high or low. If the external RAID has 100 spindles, then an average of 200 requests pending is a good one; it means all 100 spindles have something to chew on. If it has 10 spindles though, the average queue of 200 means that each spindle is looking at 19 more requests pending after it is done with the current one, on average, so the I/O is the bottleneck.

    John Gardeniers : +1 Other than software RAID the OS knows nothing about the number of spindles. That's a user supplied piece of the puzzle. In this context an external RAID array is no different to an internal hardware RAID array.
    Boden : Thanks Remus, the explanation in your second paragraph was exactly what I needed. I think I understand now!
  • Divide the queue length by the number of used spindles. Take into account hot spares and parity depending on your RAID config.
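
As a worked version of the per-spindle reasoning in the two answers above, here is an added Python example (not from the answerers) that divides the queue length by the spindles that actually serve I/O. The RAID handling is a deliberate simplification assumed for the example: hot spares are excluded, one disk's worth is removed for RAID 5 parity and two for RAID 6, and mirrors count every disk; the limit of 2 outstanding requests per spindle is the rule of thumb from the question applied per spindle, and the "waiting behind the current request" figure reproduces the 19-requests arithmetic from the first answer.

```python
# Simplified model of "queue length per spindle" (constructed for this example).
# Parity capacity is removed from the count, hot spares never serve I/O and
# every disk of a mirror is assumed to serve requests.

def effective_spindles(raid_level, disks, hot_spares=0):
    """Disks that can actually work on queued requests."""
    active = disks - hot_spares
    if active <= 0:
        raise ValueError("no active disks left after removing hot spares")
    if raid_level in (0, 1, 10):
        return active
    if raid_level == 5:
        if active < 3:
            raise ValueError("RAID 5 needs at least 3 active disks")
        return active - 1          # one disk's worth of parity
    if raid_level == 6:
        if active < 4:
            raise ValueError("RAID 6 needs at least 4 active disks")
        return active - 2          # two disks' worth of parity
    raise ValueError(f"unsupported RAID level {raid_level!r}")


def assess_queue(avg_queue_length, raid_level, disks, hot_spares=0,
                 per_spindle_limit=2.0):
    """Interpret Avg. Disk Queue Length against the spindle count behind it."""
    spindles = effective_spindles(raid_level, disks, hot_spares)
    per_spindle = avg_queue_length / spindles
    # Requests each spindle still has queued once its current one completes.
    waiting = max(per_spindle - 1.0, 0.0)
    return {
        "spindles": spindles,
        "per_spindle": per_spindle,
        "waiting_behind_current": waiting,
        "bottleneck": per_spindle > per_spindle_limit,
    }


if __name__ == "__main__":
    # The two cases from the first answer: 200 pending on 100 vs 10 spindles.
    print(assess_queue(200, 0, 100))
    print(assess_queue(200, 5, 12, hot_spares=1))   # 10 effective spindles
```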

Looking for ~3ft RJ-11 patch cords

Does anyone know where I can find short telephone patch-cords? I've found 6ft cords and 8in cords but nothing in between.

Stop single NLB node at command line

We have an NLB cluster set up for our public web servers. I'm trying to stop the "localhost" in the cluster from the command line using NLB.EXE. When I write "nlb stop" it seems that all nodes are stopped, but I only want the local node (the server I'm running the command prompt on) to be stopped in the cluster.

When I try specifying the node using the command "nlb stop 192.168.182.104:HOSTNAME" it fails, saying "Did not receive response from the cluster".

Am I not specifying the cluster and the host correctly?

Power and fans but no post, no nothing...sometimes

I'm troubleshooting a laptop. If I let it sit for a couple hours and turn it on, I get a post message, and it boots up just fine. However, if I turn the computer off then back on or reboot, it has power and the fans turn on, but I get no post message. I can't even turn on caps lock. It does poll the CDROM, however, as that makes a noise.

I opened it up, swapped the RAM around, and then it booted just fine. However, a day later, the problem presented itself once again. So, I reopened it and unplugged and replugged the hard drive, and it booted just fine. But then the problem came back upon reboot.

FWIW, it has Vista installed...but clearly this is not a software problem.

Any ideas on what the problem is? Does this sound likely to be a hard drive problem?

How to quickly and easily set up and maintain VPN's ? (Have Juniper SSG-140)

Greetings!

We have an SSG-140 by Juniper (similar to a netscreen 25, just a newer version of ScreenOS and more physical ports).

I find setting up new VPN profiles to be a PITA. I have to follow a bunch of steps, test it out, etc etc.

I find running an SSH server is easier as far as new user setup (e.g. the user accounts are in Active Directory, and there are other easy things about it).

I really prefer the IPSec VPN, and prefer that the netscreen do all this work.

Currently I just have three VPN clients (one using a PC client, and two using dedicated netscreen boxes). I would like to support 3 more dedicated devices and a few more users.

How can I make this easy as pie to administer and manage?

Thanks!

  • We are handling 80+ VPNs (site to site) on an SSG140 using route-based VPNs. We've set up a tunnel interface for each VPN purpose; after that it's mainly a three-step configuration:

    • Setting up a routing entry
    • Setting up an AutoKey IKE and gateway.
    • Modify/add the corresponding filtering rule or policy group object containing your remote Networks.

    Note that this can be achieved with dynamic peer addresses for VPN failover.

    We also use dial-up policy-based VPNs for the roaming users.

    Hope this helps.

    From Maxwell

Per client DNS server assignment using Pfsense

I have a network where pfsense is the gateway. There are two sets of clients that I want. One where there will be some restrictions to the network (example, IM being blocked) and one network where there are no restrictions.

One easy way I thought about doing this was assigning the different domains different DNS servers. One set could use OpenDNS, the other could use Google's Public DNS. The set with OpenDNS would have the filter options on (using OpenDNS' dashboard, I can check block IM .... so I do not manually need to block login.oscar.aol.com, meebo.com, gmail chat ....etc).

So the problem is the DHCP server looks like it will only assign a single set of DNS servers to clients. Is there a way to set a per client assignment?

Is there a better way to obtain what I want to obtain. This is just a small home network. I do not need anything fancy, but I do need this functionality in one way or another.

  • You can use the Captive Portal functionality of pfSense to force authentication, and then adjust the settings by user. It can be set up to use RADIUS to authenticate against AD.

    From tomjedrz

I want to downgrade my database from SQL 2005 to SQL 2000

I want to downgrade my database with all the views and stored procedures from SQL 2005 to SQL 2000 but the problem is that the views are not restored properly.

  • Simply use something like RedGate SQL Compare and RedGate SQL DataCompare to synch the structure and database between different versions.

    Or, alternatively and more manually, just script all objects in the database within Enterprise Manager and create a new db on SQL 2005 using this. Then import/export the data between the two databases.

    Either method assumes you are not using any features brought in within sql2008.

    Thanks

    Shane

  • In SQL Server, there are concepts like database compatibility, database internal version and SQL Server version.

    SQL Server maintains a lot of meta-data about the database (including the version it was created with) in the master database's boot file, and this information is read when you attach the database onto the server and checked against the version of the server. Note that this internal version is different from the version of the software like 2000, 2005 & 2008. When a lower version database is attached to a higher version (server) then immediately the internal version of the database is bumped and the restore/attach goes fine, but when you attach the higher version database onto a lower one then SQL Server fails the required validation. One of the reasons is that the meta-data and the system internal tables and structures change from one SQL Server version to another and the lower versions can't handle the higher version structures.

    You can check this information very easily with the following command.

    DBCC DBINFO WITH TABLERESULTS

    You need to look for dbi_createVersion:

    DBINFO STRUCTURE: DBINFO @0x467BEEE8 dbi_createVersion 655

    • SQL Server 7.0: 515
    • SQL Server 2000: 539
    • SQL Server 2005: 611/612
    • SQL Server 2008: 655

    http://sqlblog.com/blogs/jonathan%5Fkehayias/archive/2009/07/28/database-version-vs-database-compatibility-level.aspx

    http://technet.microsoft.com/en-us/magazine/2008.08.sqlqa.aspx

    http://sankarreddy.spaces.live.com/Blog/cns!1F1B61765691B5CD!463.entry?sa=862852830

    Now coming back to your problem, you have to use SSIS or other third party tools to script the objects and data. But I have to ask you why are you planning to go back to 2000? Are you running into any issues? Share your thoughts and problems and it might be easier to fix them.

Change Linux network setup

I'm working on some software that runs on a CentOS 5.xx installation. It's not allowed for our customers to log in to Linux; everything is done from Windows applications developed by us.

So we have built a frontend for the user to configure the network setup: Static/DHCP, IP address, gateway, DNS, hostname.

Right now I let the user enter the information in the Windows app, and then write it on the Linux server like this:

  • Write to /etc/resolv.conf: Nameserver
  • Write to /etc/sysconfig/network: Gateway and Hostname
  • Write to /etc/sysconfig/network-scripts/ifcfg-eth0: Ipaddress, Netmask, Bootproto (DHCP or Static)

I also (after some time) found out that I was unable to send mail unless I wrote in /etc/hosts: 127.0.0.1 Hostname

All this seems to work, but is there a better/easier way to do this?

Also, I read the network configuration nearly the same way, but if I use DHCP I miss some information, for instance the IP address. I know that I can get some information from the command line (ifconfig), but I don't get, for instance, the hostname, gateway and DNS. Is there a command-line tool that will display this?

  • You're doing the right thing writing the information, but you'll need to go to the command line to read the information like you said.

    The IP is gotten from ip addr show <interface> or ip addr show all and parsing that. ifconfig is the slightly older command for this.

    The default gateway is gotten from ip route show as well (route show or netstat -rn gives you the same information in a different format - ip is the newer command for configuring this)

    DNS servers are practically always /etc/resolv.conf, so reading that should be fine. /etc/nsswitch.conf is where that is configured... by default /etc/hosts will override your DNS server settings.

    Hostname is gotten through running hostname

    From Phil
  • Webmin, probably. Although it being a web-based application I'm not sure it will work gracefully with all network configuration changes.

    From alex
  • Not sure I'm following the main part of your question, but the last part is fairly easy. There is not 1 program that displays all that you are looking for but, hostname displays the current hostname, netstat -r will display network routing data & the default gateway, if it is set. dig will display the currently used domain name server. Specifically:

    dig `hostname` | grep SERVER
    

    should return something like

    ;; SERVER: 68.94.156.1#53(68.94.156.1)
    

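Putting the answers above together, here is an added Python example (not code from the question's author or the answerers) that reads the settings back from `ip addr show`, `ip route show` and /etc/resolv.conf output, and renders ifcfg-eth0 and /etc/sysconfig/network only from values that validate as an interface name, IPv4 address, netmask or hostname. The sample command output and file contents are constructed, and the function names are this example's own. The validation is the part worth borrowing: the ifcfg and network files are sourced by the CentOS network scripts, so a frontend that writes user-typed strings into them straight should reject anything that is not a plain address or hostname before it reaches the file.

```python
import ipaddress
import re

# Constructed sample output of `ip addr show eth0` (not captured from a real host).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:aa:bb:cc brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
    inet6 fe80::216:3eff:feaa:bbcc/64 scope link
"""

# Constructed sample output of `ip route show`.
SAMPLE_IP_ROUTE = """\
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10
169.254.0.0/16 dev eth0  scope link
default via 192.0.2.1 dev eth0
"""

# Constructed sample /etc/resolv.conf.
SAMPLE_RESOLV = """\
search example.test
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

_DEVICE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                          r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def parse_ip_addr(text):
    """First IPv4 address and dotted netmask from `ip addr show` output."""
    m = re.search(r"^\s*inet (\d+\.\d+\.\d+\.\d+)/(\d+)\b", text, re.M)
    if not m:
        return None
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return str(iface.ip), str(iface.netmask)


def parse_default_gateway(text):
    """Next hop of the default route from `ip route show` output."""
    m = re.search(r"^default via (\S+)", text, re.M)
    return m.group(1) if m else None


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf, in file order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def read_network_settings(addr_text, route_text, resolv_text, hostname):
    """Everything the frontend wants to display, from the three sources plus
    the output of `hostname` (passed in as a string)."""
    ip, mask = parse_ip_addr(addr_text) or (None, None)
    return {"hostname": hostname, "ipaddr": ip, "netmask": mask,
            "gateway": parse_default_gateway(route_text),
            "dns": parse_resolv_conf(resolv_text)}


def render_ifcfg(device, bootproto, ipaddr=None, netmask=None):
    """Body of /etc/sysconfig/network-scripts/ifcfg-<device>, built only from
    values that parsed as what they claim to be, so stray newlines or shell
    text from the frontend can never become an extra line in the file."""
    if not _DEVICE_RE.match(device):
        raise ValueError(f"bad device name {device!r}")
    if bootproto not in ("dhcp", "static"):
        raise ValueError(f"bad BOOTPROTO {bootproto!r}")
    lines = [f"DEVICE={device}", f"BOOTPROTO={bootproto}", "ONBOOT=yes"]
    if bootproto == "static":
        ip = ipaddress.IPv4Address(ipaddr)                    # raises on junk
        mask = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").netmask  # contiguous only
        lines += [f"IPADDR={ip}", f"NETMASK={mask}"]
    return "\n".join(lines) + "\n"


def render_network(hostname, gateway):
    """Body of /etc/sysconfig/network with the same validation."""
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError(f"bad hostname {hostname!r}")
    gw = ipaddress.IPv4Address(gateway)
    return f"NETWORKING=yes\nHOSTNAME={hostname}\nGATEWAY={gw}\n"


if __name__ == "__main__":
    print(read_network_settings(SAMPLE_IP_ADDR, SAMPLE_IP_ROUTE, SAMPLE_RESOLV, "srv01"))
    print(render_ifcfg("eth0", "static", "192.0.2.10", "255.255.255.0"), end="")
```

On the reading side the only assumption is the `ip` output format shown in the constructed samples; on the writing side the `ipaddress` module does the checking, and a netmask such as 255.0.255.0 is rejected because it is not contiguous.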
Apache returns truncated image

I am bringing up an image directly through firefox (no PHP or other scripting code) and it appears that Apache is returning either a truncated image or a corrupted image.

I get the top 5-10% of the image. It appears that I get complete width and height info.

If I hit "refresh" (in firefox) I get about 5 more lines of the image. And if I hit refresh again I get another 5 lines.

In IE I get the same initial 5-10% of the top of the file. But refresh does not give me any more.

Bringing the image up across the network through a mapped-drive reveals the entire image. (so the image(s) itself seems to be okay).

(If I point firefox to the image via mapped-drive rather than through Apache firefox brings the image up just fine. So it does seem to be Apache at issue)

Any ideas?

  • What operating system is this on ? Is the file you are serving local to the server apache runs on, or is it also accessed over the network ?

    You could try the following directives in your Apache httpd configuration file to see whether it is due to problems using the sendfile system call or mmap'ing:

    EnableSendfile Off
    EnableMMAP Off

    (http://httpd.apache.org/docs/2.2/mod/core.html has more information on those)

    I have seen those two be the culprits before, though only if there was something funky going on with the storage subsystem. It is usually a bad idea to disable these, since it eats into performance.

    From eike

interesting IP's?

I had seen a very interesting IP (something like 1.0.0.4) that was of some root DNS server and responded to pings, but I can't remember the exact IP. Anyone?

  • The list of IPs for root servers is here.

    Can't see anything like that.

  • 8.8.8.8 and 8.8.4.4 - Google DNS.

    4.2.2.2 (actually .1-.6) - Verizon (ex-Bell Atlantic, ex-GTE) DNS.

    From ynguldyn
  • The whole of 1.0.0.0/8 (along with 2.0.0.0/8) is reserved for future use by IANA (for when they run out of IPv4 addresses, basically), so it won't have been that.

    You might be thinking of the recent Google Public DNS launch; they used 8.8.8.8 and 4.3.2.1 and respond to IP addresses, but the IPs won't relate to a single server so the responses will fluctuate.

    ceejayoz : Google also uses 8.8.4.4. I don't think they've publicly announced 4.3.2.1, so I wouldn't depend on it.
    From Ewan Leith

How can we configure IIS for domain name mapping

Hi,

I would like to configure an IIS server (Windows Server 2003) for domain name mapping.

We have purchased a domain name for one of our newly created websites. I would like to know how I can configure IIS so that anybody from the outside world can reach the website by typing the URL.

Say http://xyz.com/; it should redirect to my website home page.

I have made the website using ASP.NET and Oracle.

Please help me. If there is some tutorial/link please forward it to me.

This is my first experience of hosting.

  • You will need to configure your DNS settings for the domain you purchased so that the "A" record points to the IP address of your web server.

    Then you need to configure a website on your IIS server and specify the host header which matches up to the domain name you purchased.

    This tutorial should help: http://www.visualwin.com/host-header/

    From Samuurai

Moving from WebSphere to Oracle WebLogic, getting a ClassNotFoundException

I was given an "EAR" file and told to try to deploy it on an Oracle WebLogic server. I had successfully deployed it on an IBM WebSphere server. When I attempt to start it on WebLogic, however, I get the following error:

    Could not load user defined listener: org.springframework.web.context.ContextLoaderListener
    java.lang.ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
        at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:296)
        at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:269)
        at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:56)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
        at weblogic.utils.classloaders.GenericClassLoader.loadClass(GenericClassLoader.java:177)
        at weblogic.utils.classloaders.ChangeAwareClassLoader.loadClass(ChangeAwareClassLoader.java:37)
        at

I've checked that spring.war is in WEB-INF/lib in the appropriate war files.

What am I missing?

  • If you want it to load libs from your WEB-INF/lib directory then you need to add something to your weblogic.xml file (this should be in WEB-INF).

    <weblogic-web-app>
       <container-descriptor>
          <prefer-web-inf-classes>true</prefer-web-inf-classes>
       </container-descriptor>
    </weblogic-web-app>
    

    Hope that helps.