Access Logs Appended to /var/log/messages on Only One Appliance in Cluster

Well, this is one for the MWG and Linux logging L33T's.

I haven't the time to pick at this one alone, at least not today.  So, I thought I'd toss it out for the curiosity that it is.

Found alerts for /var/log running low.  Did my df's and du's to find massive sizes for /var/log/messages.  A peek inside and I find my access logs (proxy requests)--which definitely don't belong there and certainly not on that file system.  But, this is only happening on one appliance--in a cluster of four (our test environment).

After cleaning out some of the rotated messages files to recover some space, I rebooted it.  After which, a tail -f shows new access logs still being appended.

I verified that logging configurations were identical across the appliances.

Until I can make time to do a deep dive, I'll be cleaning out the rotated messages files as the alerts resume.

Until then, I'm open to any quick pokes at it that anyone can suggest.

Thanks in advance.

2 Replies
McAfee Employee jscholte

Re: Access Logs Appended to /var/log/messages on Only One Appliance in Cluster

I would try two things: modify the rsyslog.conf file in the GUI again, then save changes (to apply it again),

or check to see if the cluster is in sync (configuration > cluster, then check the configuration timestamps to make sure the nodes are in sync).

Re: Access Logs Appended to /var/log/messages on Only One Appliance in Cluster

Fixed.  To be clear, for future posterity, what I ended up doing was this:

I went to the settings for "File System Logging" (actually, by way of the logging rule) suspected of being the culprit and I toggled a couple of check boxes (log buffering and header writing), and hit save changes.  I immediately re-toggled those settings and hit save changes again.

A tail -f messages shows:

Jun  4 03:37:01 SFC1A rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="11576" x-info="http://www.rsyslog.com"] (re)start

But, no more access logs, thankfully.

(And, it's under configuration > appliances that I find the time stamps.)

Thanks for the tip.
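
For anyone triaging the same symptom, an added example that is not part of the original thread: a shell helper that ranks syslog program tags by the bytes they contribute to a messages file, so the writer that is filling /var/log stands out. The function names are hypothetical, the sample lines are constructed, and "proxy-access" is a made-up tag standing in for whatever process emits the access log lines.

```shell
#!/bin/sh
# Added example: rank syslog program tags by the bytes they contribute
# to a messages file, to see which writer is filling /var/log.

# Usage: syslog_tag_volume FILE
# Prints "bytes lines tag", largest first. Assumes the traditional
# "Mon DD HH:MM:SS host tag[pid]: message" layout, as in the rsyslogd
# line quoted in the thread.
syslog_tag_volume() {
    awk '
        NF >= 5 {
            tag = $5
            sub(/\[[0-9]+\]:?$/, "", tag)   # drop "[pid]" or "[pid]:"
            sub(/:$/, "", tag)              # drop a trailing ":"
            bytes[tag] += length($0) + 1    # +1 for the newline
            lines[tag]++
        }
        END {
            for (t in bytes) printf "%d %d %s\n", bytes[t], lines[t], t
        }
    ' "$1" | sort -k1,1nr -k3,3
}

# Name of the tag contributing the most bytes.
syslog_top_tag() {
    syslog_tag_volume "$1" | awk 'NR == 1 { print $3 }'
}

# Constructed sample (not from the original post); "proxy-access" is a
# hypothetical tag, and the request lines are invented for illustration.
make_sample() {
    cat > "$1" <<'EOF'
Jun  4 03:36:58 SFC1A proxy-access[2211]: 10.0.0.5 "GET http://example.com/ HTTP/1.1" 200 5120
Jun  4 03:36:59 SFC1A proxy-access[2211]: 10.0.0.7 "GET http://example.org/a HTTP/1.1" 200 812
Jun  4 03:37:00 SFC1A crond[901]: (root) CMD (run-parts /etc/cron.hourly)
Jun  4 03:37:01 SFC1A rsyslogd: [origin software="rsyslogd" swVersion="4.6.2"] (re)start
EOF
}

# When given a file argument, report on it (e.g. /var/log/messages).
if [ -n "${1:-}" ]; then
    syslog_tag_volume "$1"
fi
```

Running it against each node's messages file and comparing the top tags shows quickly whether only one appliance has the extra writer.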
