Re: Anomali on /var available space

[Kabayan]

Hi Vadim,

Thx for your reply

Problem solve after I restart pflogd
New problem is Why the pflogd process almost use 100% capacity of my /var ?

My pf manage queue bandwidth for just 100 users.

Thx

Kabayan



--- On Fri, 3/26/10, Vadim Zhukov persg...@gmail.com wrote:

From: Vadim Zhukov persg...@gmail.com
Subject: Re: Anomali on /var available space
To: misc@openbsd.org
Date: Friday, March 26, 2010, 1:33 AM

On 26 March 2010 c. 10:17:30 Kabayan wrote:
 Dear misc,

 I got anomaly available  space of my system.
 I have different output between df and du

 $ df -h /var/
 Filesystem SizeUsed   Avail Capacity  Mounted on
 /dev/wd0d 29.5G   29.5G   -1.5G   105%/var

 $ df -kP /var
 Filesystem  1024-blocks   Used   Available Capacity Mounted on
 /dev/wd0d  30964722   30964034-1547548   105%   /var

 $ sudo du -sh /var
 30.3M   /var

 On message:
 Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
 Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
 fwrite: No space left on device
 Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
 Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
 fwrite: No space left on device
 Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full

 I used:
 OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010

Some program(s) removed but not closed its files. Dive in in the fstat
output.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Re: Anomali on /var available space

[Vadim Zhukov]

On 27 March 2010 G. 13:51:26 Kabayan wrote:
 Hi Vadim,

 Thx for your reply

 Problem solve after I restart pflogd
 New problem is Why the pflogd process almost use 100% capacity of my
 /var ?

 My pf manage queue bandwidth for just 100 users.

Probably it doesn't receive SIGHUP upon log rotation? How do you
rotate /var/log/pflog?

 --- On Fri, 3/26/10, Vadim Zhukov persg...@gmail.com wrote:

 From: Vadim Zhukov persg...@gmail.com
 Subject: Re: Anomali on /var available space
 To: misc@openbsd.org
 Date: Friday, March 26, 2010, 1:33 AM

 On 26 March 2010 c. 10:17:30 Kabayan wrote:
  Dear misc,
 
  I got anomaly available space of my system.
  I have different output between df and du
 
  $ df -h /var/
  Filesystem Size  UsedAvail Capacity Mounted on
  /dev/wd0d 29.5G29.5G-1.5G105%  /var
 
  $ df -kP /var
  Filesystem 1024-blocks  UsedAvailable Capacity Mounted on
  /dev/wd0d   3096472230964034  -1547548105%/var
 
  $ sudo du -sh /var
  30.3M/var
 
  On message:
  Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
  Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
  fwrite: No space left on device
  Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
  Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
  fwrite: No space left on device
  Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full
 
  I used:
  OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010

 Some program(s) removed but not closed its files. Dive in in the fstat
 output.


--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Re: Anomali on /var available space

[Otto Moerbeek]

On Sat, Mar 27, 2010 at 06:51:26PM +0800, Kabayan wrote:

 Hi Vadim,
 
 Thx for your reply
 
 Problem solve after I restart pflogd
 New problem is Why the pflogd process almost use 100% capacity of my /var ?

You wrote pf.conf, so you are telling pflogd what's needs to be
logged. You cannot blame pflogd for that. 

-Otto
 
 My pf manage queue bandwidth for just 100 users.
 
 Thx
 
 Kabayan
 
 
 
 --- On Fri, 3/26/10, Vadim Zhukov persg...@gmail.com wrote:
 
 From: Vadim Zhukov persg...@gmail.com
 Subject: Re: Anomali on /var available space
 To: misc@openbsd.org
 Date: Friday, March 26, 2010, 1:33 AM
 
 On 26 March 2010 c. 10:17:30 Kabayan wrote:
  Dear misc,
 
  I got anomaly available  space of my system.
  I have different output between df and du
 
  $ df -h /var/
  Filesystem SizeUsed   Avail Capacity  Mounted on
  /dev/wd0d 29.5G   29.5G   -1.5G   105%/var
 
  $ df -kP /var
  Filesystem  1024-blocks   Used   Available Capacity Mounted on
  /dev/wd0d  30964722   30964034-1547548   105%   /var
 
  $ sudo du -sh /var
  30.3M   /var
 
  On message:
  Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
  Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
  fwrite: No space left on device
  Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
  Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
  fwrite: No space left on device
  Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full
 
  I used:
  OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010
 
 Some program(s) removed but not closed its files. Dive in in the fstat
 output.
 
 --
   Best wishes,
 Vadim Zhukov
 
 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?
 A: Top-posting.
 Q: What is the most annoying thing in e-mail?

Re: Anomali on /var available space

[Peter N. M. Hansteen]

Kabayan kab4...@yahoo.com writes:

 Problem solve after I restart pflogd
 New problem is Why the pflogd process almost use 100% capacity of my /var ?

My guess would be that your pf.conf logs traffic with log (all) on at
least one rule that matches a lot of traffic, and possibly your
newsyslog.conf does not implement a very aggressive log rotation
schedule.

Logging all packets is not all that useful unless you're deep in
debugging something.  If you want to do traffic accounting, it's
easier to either use labels and extract the values at intervals, or
set up with pflow (set state-defaults pflow) and collect the netflow
data somewhere with enough disk space to slice and dice the data
separately.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: Anomali on /var available space

[Brad Tilley]

On Sat, 27 Mar 2010 13:09 +0100, Peter N. M. Hansteen
pe...@bsdly.net wrote:
 Kabayan kab4...@yahoo.com writes:
 
  Problem solve after I restart pflogd
  New problem is Why the pflogd process almost use 100% capacity of my /var ?
 
 My guess would be that your pf.conf logs traffic with log (all) on at
 least one rule that matches a lot of traffic, and possibly your
 newsyslog.conf does not implement a very aggressive log rotation
 schedule.

 Logging all packets is not all that useful unless you're deep in
 debugging something. 

I occasionally log packets that pf blocks (just to see who is poking
around). Normally, that's about 100K per hour and only 4 old logs are
kept so a small /var is OK most of the time.  Then one day, some new
network gear was installed that messed-up the layer 2 bridging and
introduced a loop and STP stopped working. From that came a huge
broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never
seen that many packets in that short amount of time. I still log pf
blocks and 99% of the time, it's OK.

Brad

Re: Anomali on /var available space

[Peter N. M. Hansteen]

Brad Tilley b...@16systems.com writes:

 network gear was installed that messed-up the layer 2 bridging and
 introduced a loop and STP stopped working. From that came a huge
 broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never
 seen that many packets in that short amount of time. I still log pf
 blocks and 99% of the time, it's OK.

Heh. Loops can be fun (fsvo) for sure.  

I also tend to put a block log at the top of rule sets, if only to
peek at occasionally to see how much crazy stuff gets aimed at you.

But then the OP's problem of /var filling up quickly fit my hazy
memories of one time I put in way to much log (all) in a config.  The
difference in space consumption between log and log (all) is rather
significant.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: Anomali on /var available space

[Vadim Zhukov]

On 26 March 2010 c. 10:17:30 Kabayan wrote:
 Dear misc,

 I got anomaly available  space of my system.
 I have different output between df and du

 $ df -h /var/
 Filesystem SizeUsed   Avail Capacity  Mounted on
 /dev/wd0d 29.5G   29.5G   -1.5G   105%/var

 $ df -kP /var
 Filesystem  1024-blocks   Used   Available Capacity Mounted on
 /dev/wd0d  30964722   30964034-1547548   105%   /var

 $ sudo du -sh /var
 30.3M   /var

 On message:
 Mar 26 08:07:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
 Mar 26 08:07:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
 fwrite: No space left on device
 Mar 26 08:08:01 GreenBridgeVPN /bsd: uid 0 on /var: file system full
 Mar 26 08:08:01 GreenBridgeVPN pflogd[10433]: Logging suspended:
 fwrite: No space left on device
 Mar 26 08:09:02 GreenBridgeVPN /bsd: uid 0 on /var: file system full

 I used:
 OpenBSD 4.7 (GENERIC.MP) #4: Mon Mar 15 02:57:08 WIT 2010

Some program(s) removed but not closed its files. Dive in in the fstat
output.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?