Re: Anomali on /var available space
Hi Vadim, Thx for your reply Problem solve after I restart pflogd New problem is Why the pflogd process almost use 100% capacity of my /var ? My pf manage queue bandwidth for just 100 users. Thx Kabayan --- On Fri, 3/26/10, Vadim Zhukov persg...@gmail.com wrote: From: Vadim Zhukov persg...@gmail.com Subject: Re: Anomali on /var available space To: misc@openbsd.org Date: Friday, March 26, 2010, 1:33 AM On 26 March 2010 c. 10:17:30 Kabayan wrote: Dear misc, I got anomaly available space of my system. I have different output between df and du $ df -h /var/ Filesystem SizeUsed Avail Capacity Mounted on /dev/wd0d 29.5G 29.5G -1.5G 105%/var $ df -kP /var Filesystem 1024-blocks Used Available Capacity Mounted on /dev/wd0d 30964722 30964034-1547548 105% /var $ sudo du -sh /var 30.3M /var On message: Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full I used: OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010 Some program(s) removed but not closed its files. Dive in in the fstat output. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Anomali on /var available space
On 27 March 2010 G. 13:51:26 Kabayan wrote: Hi Vadim, Thx for your reply Problem solve after I restart pflogd New problem is Why the pflogd process almost use 100% capacity of my /var ? My pf manage queue bandwidth for just 100 users. Probably it doesn't receive SIGHUP upon log rotation? How do you rotate /var/log/pflog? --- On Fri, 3/26/10, Vadim Zhukov persg...@gmail.com wrote: From: Vadim Zhukov persg...@gmail.com Subject: Re: Anomali on /var available space To: misc@openbsd.org Date: Friday, March 26, 2010, 1:33 AM On 26 March 2010 c. 10:17:30 Kabayan wrote: Dear misc, I got anomaly available space of my system. I have different output between df and du $ df -h /var/ Filesystem Size UsedAvail Capacity Mounted on /dev/wd0d 29.5G29.5G-1.5G105% /var $ df -kP /var Filesystem 1024-blocks UsedAvailable Capacity Mounted on /dev/wd0d 3096472230964034 -1547548105%/var $ sudo du -sh /var 30.3M/var On message: Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full I used: OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010 Some program(s) removed but not closed its files. Dive in in the fstat output. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Anomali on /var available space
On Sat, Mar 27, 2010 at 06:51:26PM +0800, Kabayan wrote: Hi Vadim, Thx for your reply Problem solve after I restart pflogd New problem is Why the pflogd process almost use 100% capacity of my /var ? You wrote pf.conf, so you are telling pflogd what's needs to be logged. You cannot blame pflogd for that. -Otto My pf manage queue bandwidth for just 100 users. Thx Kabayan --- On Fri, 3/26/10, Vadim Zhukov persg...@gmail.com wrote: From: Vadim Zhukov persg...@gmail.com Subject: Re: Anomali on /var available space To: misc@openbsd.org Date: Friday, March 26, 2010, 1:33 AM On 26 March 2010 c. 10:17:30 Kabayan wrote: Dear misc, I got anomaly available space of my system. I have different output between df and du $ df -h /var/ Filesystem SizeUsed Avail Capacity Mounted on /dev/wd0d 29.5G 29.5G -1.5G 105%/var $ df -kP /var Filesystem 1024-blocks Used Available Capacity Mounted on /dev/wd0d 30964722 30964034-1547548 105% /var $ sudo du -sh /var 30.3M /var On message: Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full I used: OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010 Some program(s) removed but not closed its files. Dive in in the fstat output. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Anomali on /var available space
Kabayan kab4...@yahoo.com writes: Problem solve after I restart pflogd New problem is Why the pflogd process almost use 100% capacity of my /var ? My guess would be that your pf.conf logs traffic with log (all) on at least one rule that matches a lot of traffic, and possibly your newsyslog.conf does not implement a very aggressive log rotation schedule. Logging all packets is not all that useful unless you're deep in debugging something. If you want to do traffic accounting, it's easier to either use labels and extract the values at intervals, or set up with pflow (set state-defaults pflow) and collect the netflow data somewhere with enough disk space to slice and dice the data separately. - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Anomali on /var available space
On Sat, 27 Mar 2010 13:09 +0100, Peter N. M. Hansteen pe...@bsdly.net wrote: Kabayan kab4...@yahoo.com writes: Problem solve after I restart pflogd New problem is Why the pflogd process almost use 100% capacity of my /var ? My guess would be that your pf.conf logs traffic with log (all) on at least one rule that matches a lot of traffic, and possibly your newsyslog.conf does not implement a very aggressive log rotation schedule. Logging all packets is not all that useful unless you're deep in debugging something. I occasionally log packets that pf blocks (just to see who is poking around). Normally, that's about 100K per hour and only 4 old logs are kept so a small /var is OK most of the time. Then one day, some new network gear was installed that messed-up the layer 2 bridging and introduced a loop and STP stopped working. From that came a huge broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never seen that many packets in that short amount of time. I still log pf blocks and 99% of the time, it's OK. Brad
Re: Anomali on /var available space
Brad Tilley b...@16systems.com writes: network gear was installed that messed-up the layer 2 bridging and introduced a loop and STP stopped working. From that came a huge broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never seen that many packets in that short amount of time. I still log pf blocks and 99% of the time, it's OK. Heh. Loops can be fun (fsvo) for sure. I also tend to put a block log at the top of rule sets, if only to peek at occasionally to see how much crazy stuff gets aimed at you. But then the OP's problem of /var filling up quickly fit my hazy memories of one time I put in way to much log (all) in a config. The difference in space consumption between log and log (all) is rather significant. - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Anomali on /var available space
On 26 March 2010 c. 10:17:30 Kabayan wrote: Dear misc, I got anomaly available space of my system. I have different output between df and du $ df -h /var/ Filesystem SizeUsed Avail Capacity Mounted on /dev/wd0d 29.5G 29.5G -1.5G 105%/var $ df -kP /var Filesystem 1024-blocks Used Available Capacity Mounted on /dev/wd0d 30964722 30964034-1547548 105% /var $ sudo du -sh /var 30.3M /var On message: Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended: fwrite: No space left on device Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full I used: OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010 Some program(s) removed but not closed its files. Dive in in the fstat output. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?