2 Replies Latest reply on Jun 7, 2017 8:37 AM by johnaldridge

    Access Logs Appended to /var/log/messages on Only One Appliance in Cluster

    johnaldridge

      Well, this is one for the MWG and Linux logging L33T's.

       

      I haven't the time to pick at this one alone, at least not today.  So, I thought I'd toss it out for the curiosity that it is.

       

      Found alerts for /var/log running low.  Did my df's and du's to find massive sizes for /var/log/messages.  A peek inside and I find my access logs (proxy requests)--which definitely don't belong there and certainly not on that file system.  But, this is only happening on one appliance--in a cluster of four (our test environment).

       

      After cleaning out some of the rotated messages files to recover some space, I rebooted it.  After which, a tail -f shows new access logs still being appended.

       

      I verified that logging configurations were identical across the appliances.

       

      Until I can make time to do a deep dive, I'll be cleaning out the rotated messages files as the alerts resume.

       

      Until then, I'm open to any quick pokes at it that anyone can suggest.

       

      Thanks in advance.
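A quick way to confirm what is actually landing in /var/log/messages, and which syslog tag is writing it, before digging into the logging rules. This is an added example, not code from the original post or from McAfee. It assumes syslog lines start with a "Mon DD HH:MM:SS host tag:" header (as in the rsyslogd line quoted later in the thread) and that a proxy access-log entry carries a quoted HTTP request line such as "GET http://example.com/ HTTP/1.1"; the MWG access-log format is configurable, so that pattern, the "mwg-core" tag and the sample lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a syslog file that appears to be collecting proxy
# access-log entries. Counts access-log-looking lines, counts lines that
# carry no syslog header at all, and names the syslog tag writing most of
# the access-log lines, so the responsible logging rule can be found.
#
# Assumptions (hypothetical, the real appliance format may differ):
#  - syslog lines begin with "Mon DD HH:MM:SS host tag[pid]:"
#  - access-log entries contain a quoted HTTP request line
set -eu

ACCESS_RE='"(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) [^"]* HTTP/[0-9]\.[0-9]"'
SYSLOG_HDR_RE='^[A-Z][a-z]{2} [ 0-9][0-9] [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ '

# Number of lines in file $1 that look like proxy access-log entries.
count_access_lines() {
    grep -Ec "$ACCESS_RE" "$1" || true
}

# Number of lines in file $1 with no syslog header (written to the file
# directly rather than through rsyslog).
count_headerless_lines() {
    grep -Evc "$SYSLOG_HDR_RE" "$1" || true
}

# Syslog tag (5th field, "[pid]" and trailing ":" stripped) that accounts
# for the most access-log-looking lines in file $1. Prints nothing if none.
top_access_tag() {
    grep -E "$ACCESS_RE" "$1" \
      | grep -E "$SYSLOG_HDR_RE" \
      | awk '{ t=$5; sub(/\[[0-9]+\]/, "", t); sub(/:$/, "", t); n[t]++ }
             END { for (k in n) print n[k], k }' \
      | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Constructed sample of a /var/log/messages file on the misbehaving node.
# The "mwg-core" tag and the access-log layout are assumptions, not captured
# data; the rsyslogd line mirrors the one quoted in the thread.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Jun  4 03:37:01 SFC1A rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="11576" x-info="http://www.rsyslog.com"] (re)start
Jun  4 03:37:02 SFC1A kernel: eth0: link up
Jun  4 03:37:05 SFC1A mwg-core[2201]: [04/Jun/2017:03:37:05 +0000] "" 10.10.1.23 200 "GET http://example.com/ HTTP/1.1" "Business" 1532
Jun  4 03:37:05 SFC1A mwg-core[2201]: [04/Jun/2017:03:37:05 +0000] "" 10.10.1.24 407 "CONNECT mail.example.net:443 HTTP/1.1" "Mail" 0
Jun  4 03:37:06 SFC1A sshd[2390]: Accepted publickey for admin from 10.10.0.2 port 50122 ssh2
[04/Jun/2017:03:37:07 +0000] "" 10.10.1.25 200 "POST http://example.org/api HTTP/1.1" "Business" 88
EOF

echo "access-log-looking lines : $(count_access_lines "$SAMPLE")"
echo "lines without syslog hdr : $(count_headerless_lines "$SAMPLE")"
echo "top tag writing them     : $(top_access_tag "$SAMPLE")"
```

Point the three functions at the real /var/log/messages (and at a rotated copy) on each cluster node; a node where the access-log count is non-zero, or where one tag dominates, is the one whose rsyslog or file-system-logging configuration differs from the rest, whatever the GUI says.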

        • 1. Re: Access Logs Appended to /var/log/messages on Only One Appliance in Cluster
          Jon Scholten

          I would try two things, modify the rsyslog.conf file in the GUI again, then save changes (to apply it again)

           

          or check to see if the Cluster is in Sync (configuration > cluster, then check the configuration timestamps to make sure the nodes are in sync)

          • 2. Re: Access Logs Appended to /var/log/messages on Only One Appliance in Cluster
            johnaldridge

            Fixed.  To be clear, for future posterity, what I ended up doing was this:

             

            I went to the settings for "File System Logging" (actually, by way of the logging rule) suspected of being the culprit and I toggled a couple of check boxes (log buffering and header writing), and hit save changes.  I immediately re-toggled those settings and hit save changes again.

             

            A tail -f messages shows:

            Jun  4 03:37:01 SFC1A rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="11576" x-info="http://www.rsyslog.com"] (re)start

             

            But, no more access logs, thankfully.

             

            (And, it's under configuration > appliances that I find the time stamps.)

             

            Thanks for the tip.