Atomicorp

I was a bit surprised to find qmail-scanner related eroor messages in Apache's /var/log/httpd/error_log

getservbyname failed for tcp at /var/qmail/bin/qmail-scanner-queue.pl line 2985
udp connect: nobody listening at /var/qmail/bin/qmail-scanner-queue.pl line 2985

Note that these messages are not timestamped, while other lines in error_log are.

Does anyones have any idea what's going on here?

None whatsoever, thats really bizzare

Just some ideas, I dont have a clue.
Do you use some kind of syslog tool? Maybe thats catching it?
Or maybe it's perl related?

yeah its something appending to the file. Definitely not through apache, do you have a lot of them?

Not a lot, but a couple every day on the server where I first saw this:

# grep -c 'getservbyname failed for tcp' /var/log/httpd/error_log*
/var/log/httpd/error_log:13
/var/log/httpd/error_log.1:4
/var/log/httpd/error_log.2:6
/var/log/httpd/error_log.3:7
/var/log/httpd/error_log.4:0

Grepping for the other message shows the same counts.

I see this behavior on at least four different servers, all of them CentOS 4 (none of our CentOS 5 servers show this), Plesk 9.5.3 (but also from when they were still on 9.5.2), both 32 and 64 bit. None of them have high counts, just a handful per log file.

Have you got any timestamped events bracketing those? Maybe that could be used to look up against the qmail-queue logs.

breun wrote:I was a bit surprised to find qmail-scanner related eroor messages in Apache's /var/log/httpd/error_log

getservbyname failed for tcp at /var/qmail/bin/qmail-scanner-queue.pl line 2985
udp connect: nobody listening at /var/qmail/bin/qmail-scanner-queue.pl line 2985

Note that these messages are not timestamped, while other lines in error_log are.

Does anyones have any idea what's going on here?

It sounds like a failed DNS lookup attempt. It might have something to do with an Apache process calling qmail-inject to send a message, failing the DNS lookup for sending the message and erroneously logging it to the Apache log.

Line 2985 of /var/qmail/bin/qmail-scanner-queue.pl is:
It looks like qmail-scanner is trying to log a message to syslog here, but somehow the message ends up in the httpd error_log.

I think prupert is on to something there with a web application is invoking qmail-inject directly.

Then its saying "ok log this event" but whatever hostname variable (or perhaps no hostname) its using doesnt resolve and therefore the syslog fails. Apache picks that up to error_log

I don't think many scripts will invoke qmail-inject directly, but I can have a look. Could this also be the result of a PHP mail() call or something like that?

definitely worth investigating, especially if its something that invokes it with a hostname variable that is null or invalid.

I think clients are probably sending out newsletters to addresses that contain mistyped hostnames and other mistakes. We'll see if we can reproduce this issue by sending messages to invalid hostnames from a web page. I guess I'll probably need to bring this up with the qmail-scanner devs if that triggers it.

I think its the hostname variable being passed to qmail-scanner that it uses to figure out where syslog is.