mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Thu Sep 08, 2005 7:37 am Post subject: Syslog, very large logfiles [solved]
I have a problem with syslog. The file /var/log/syslog is loaded with lots of crap. This goes
so fast that the hard disk is full in a few days, which means trouble. I don't even know what the
stuff means, if this is normal and where it comes from. So if anyone can tell me....
This is what /var/log/syslog looks like:
Code:
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_OUT:IN= OUT=eth1 SRC=10.0.0.150 DST=84.58.160.181 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1689 DF PROTO=TCP SPT=20 DPT=4486 WINDOW=16022 RES=0x00 ACK URGP=0
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_IN:IN=eth1 OUT= MAC=00:02:b3:28:3e:72:00:50:18:2a:d2:ce:08:00 SRC=84.58.160.181 DST=10.0.0.150 LEN=1460 TOS=0x00 PREC=0x00 TTL=118 ID=8123 DF PROTO=TCP SPT=4486 DPT=20 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_OUT:IN= OUT=eth1 SRC=10.0.0.150 DST=84.58.160.181 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1691 DF PROTO=TCP SPT=20 DPT=4486 WINDOW=16022 RES=0x00 ACK URGP=0
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_IN:IN=eth1 OUT= MAC=00:02:b3:28:3e:72:00:50:18:2a:d2:ce:08:00 SRC=84.177.233.59 DST=10.0.0.150 LEN=1480 TOS=0x00 PREC=0x00 TTL=117 ID=53737 DF PROTO=TCP SPT=3961 DPT=65300 WINDOW=33120 RES=0x00 ACK URGP=0
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_IN:IN=eth1 OUT= MAC=00:02:b3:28:3e:72:00:50:18:2a:d2:ce:08:00 SRC=84.58.160.181 DST=10.0.0.150 LEN=1492 TOS=0x00 PREC=0x00 TTL=118 ID=8126 DF PROTO=TCP SPT=4486 DPT=20 WINDOW=64240 RES=0x00 ACK URGP=0
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_IN:IN=eth1 OUT= MAC=00:02:b3:28:3e:72:00:50:18:2a:d2:ce:08:00 SRC=84.58.160.181 DST=10.0.0.150 LEN=1492 TOS=0x00 PREC=0x00 TTL=118 ID=8127 DF PROTO=TCP SPT=4486 DPT=20 WINDOW=64240 RES=0x00 ACK URGP=0
Sep 8 09:30:16 gbugroep kernel: BANDWIDTH_OUT:IN= OUT=eth1 SRC=10.0.0.150 DST=84.58.160.181 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1693 DF PROTO=TCP SPT=20 DPT=4486 WINDOW=16022 RES=0x00 ACK URGP=0
And that's just a small fragment.
I've solved this quickly by commenting out the syslog file in /etc/syslog.conf
Code:
#*.*;auth,authpriv.none -/var/log/syslog
Could anyone tell me how to fix this the right way? For example, can I configure syslog so it won't log
that kind of stuff? I have the feeling syslog is logging on debug level or something...
If someone knows how to rotate the logfiles daily or weekly, I would also be happy to hear it.
Thanks anyway
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.
Last edited by mariourk on Wed Sep 21, 2005 9:11 am; edited 1 time in total
chrib Guru
Joined: 27 Sep 2003 Posts: 558 Location: Berlin, Germany
Posted: Thu Sep 08, 2005 7:56 am Post subject: Re: Syslog, very large logfiles
mariourk wrote: If someone knows how to rotate the logfiles daily or weekly, I would also be happy to hear it.
Take a look at app-admin/logrotate.
HTH
_________________
Man fights to survive, not to perish. - Paulo Coelho
It is the end of all hope. To lose the child, the faith. To end all the innocence. To be someone like me. - Nightwish - End of all hope
quag7 Apprentice
Joined: 12 Aug 2002 Posts: 288 Location: Marana, Arizona - USA
Posted: Thu Sep 08, 2005 12:50 pm Post subject:
That's iptables stuff. See if you have a firewall script that runs with lots of LOG statements. Then remove them (better idea: comment them out so you can use them in the future) if you don't want them logged. I don't know what kinds of things you want to monitor, if anything. The statements might look something like this:
Code:
/sbin/iptables -A INPUT -i eth0 -p tcp -m limit --dport 22 --limit 10/minute -j LOG --log-level notice --log-prefix UNAUTH_SSH--
The other option is using logrotate to flip these daily, as mentioned.
Alternately if you want to keep logging iptables stuff you can direct it to its own file via klogd, your kernel log daemon which handles the iptables entries. I don't have a Gentoo box running with iptables, but in Debian, it's a matter of editing the /etc/init.d/klogd script and adding something like this:
Code:
KLOGD="-c 2 -f /var/log/iptables"
This will dump other kernel logging stuff in there as well, but if you have a healthy kernel and you're not logging at DEBUG level (never tried this) there's very little else that will wind up in there. Then you'd want to add a logrotate entry for the iptables log, probably.
_________________
http://www.dataswamp.net
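Before touching the firewall script, it helps to know which LOG rule is producing the flood. The script below is an added example, not code from this thread: it parses iptables LOG lines like the ones in mariourk's first post, groups them by the rule's --log-prefix and sums the LEN= bytes per prefix, so the noisy rule can be removed or rate-limited with -m limit as quag7 suggests. The sample lines are constructed (trimmed copies of the excerpt plus an UNAUTH_SSH-- line and an sshd line for contrast); the host and addresses are the ones from the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the first post's excerpt (fields trimmed); the UNAUTH_SSH-- and sshd lines are added for contrast.
SAMPLE_LOG = """\
Sep  8 09:30:16 gbugroep kernel: BANDWIDTH_OUT:IN= OUT=eth1 SRC=10.0.0.150 DST=84.58.160.181 LEN=52 TTL=64 ID=1689 DF PROTO=TCP SPT=20 DPT=4486 ACK URGP=0
Sep  8 09:30:16 gbugroep kernel: BANDWIDTH_IN:IN=eth1 OUT= MAC=00:02:b3:28:3e:72:00:50:18:2a:d2:ce:08:00 SRC=84.58.160.181 DST=10.0.0.150 LEN=1460 TTL=118 ID=8123 DF PROTO=TCP SPT=4486 DPT=20 ACK PSH URGP=0
Sep  8 09:30:16 gbugroep kernel: BANDWIDTH_OUT:IN= OUT=eth1 SRC=10.0.0.150 DST=84.58.160.181 LEN=52 TTL=64 ID=1691 DF PROTO=TCP SPT=20 DPT=4486 ACK URGP=0
Sep  8 09:30:17 gbugroep kernel: UNAUTH_SSH--IN=eth1 OUT= SRC=84.177.233.59 DST=10.0.0.150 LEN=60 TTL=117 ID=53737 DF PROTO=TCP SPT=3961 DPT=22 SYN URGP=0
Sep  8 09:30:17 gbugroep sshd[1234]: Accepted publickey for root from 10.0.0.5 port 41000 ssh2
"""

LINE_RE = re.compile(  # whatever sits between "kernel: " and the first "IN=" is the rule's --log-prefix
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")

def parse_iptables_line(line):
    """Return a dict of the LOG line's fields, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": []}
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:            # KEY=value field, e.g. SRC=10.0.0.150 (IN= may be empty)
            key, val = tok.split("=", 1)
            rec[key] = val
        else:                     # bare IP/TCP flags, e.g. DF, SYN, ACK, PSH
            rec["flags"].append(tok)
    return rec

def summarize(text):
    """Group LOG lines by prefix so the loudest rule can be identified and fixed."""
    lines = Counter()          # LOG lines per prefix
    payload = Counter()        # sum of LEN= per prefix: traffic the rule matched
    targets = Counter()        # (prefix, PROTO, DPT): which rule and port is loud
    other = 0                  # syslog lines that are not iptables LOG output
    for line in text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None:
            other += 1
            continue
        label = rec["prefix"] or "(no prefix)"
        lines[label] += 1
        payload[label] += int(rec.get("LEN", 0))
        targets[(label, rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return {"lines": dict(lines), "bytes": dict(payload),
            "targets": targets.most_common(3), "other": other}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real file with `summarize(open("/var/log/syslog").read())`; the prefix with the highest line count is the LOG rule to look for in the firewall script.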
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Sep 14, 2005 3:04 pm Post subject:
There were indeed several LOG entries in iptables. One of my co-workers put
them there to find a problem and forgot to remove them.
But after removing those entries syslog is still logging the same junk like crazy.
Can anyone tell me where it could come from?
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.
mariourk l33t
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Sep 21, 2005 9:10 am Post subject:
It turned out I missed a few lines. After removing all of them it works fine again.
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.