Re: /var/log growing rapidly

To: debian-user@lists.debian.org
Subject: Re: /var/log growing rapidly
From: "Clifford W. Hansen" <clifford@nighthawk.co.za>
Date: Tue, 18 Nov 2008 14:23:04 +0200
Message-id: <[🔎] 200811181423.14807.clifford@nighthawk.co.za>
In-reply-to: <[🔎] 200811180703.23060.ale@pcartwright.com>
References: <[🔎] 200811172205.19365.ale@pcartwright.com> <[🔎] 49225B6D.6050309@cox.net> <[🔎] 200811180703.23060.ale@pcartwright.com>

On Tuesday 18 November 2008 14:03:23 Paul Cartwright wrote:
> On Tue November 18 2008, Ron Johnson wrote:
> > First, "tail -f /var/log/messages" to see exactly what all the new
> > log entries are.  That should point you towards the offender.
>
> I rebooted, and it stopped doing it. I went back into messages.0 , which
> was the LARGE file, and found lots, and lots, and lots of these lines: Nov
> 17 07:53:24 paulandcilla kernel: [68956.446825] Unknown InputIN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> LEN=972 TOS=0x00 PREC=0x00 TTL=64 ID=1103 DF PROTO=UDP SPT=53543 DPT=53543
> LEN=952
> Nov 17 07:53:24 paulandcilla kernel: [68956.446825] Unknown OutputIN=
> OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=788 TOS=0x00 PREC=0x00 TTL=64
> ID=1104 DF PROTO=UDP SPT=53543 DPT=53543 LEN=768
> Nov 17 07:53:24 paulandcilla kernel: [68956.446825] Unknown InputIN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1
> LEN=788 TOS=0x00 PREC=0x00 TTL=64 ID=1104 DF PROTO=UDP SPT=53543 DPT=53543
> LEN=768
>
> I did a CTRL-ALT-F9 earlier that day, thinking I was switching to my OTHER
> user logged in, and those lines were on the screen, instead of the gdm
> login screen. Then did a CTRL-ALT-F7 to get back to where I was, and was
> back to my logged in account. Looks like gdm didn't like me going to that
> screen without starting a new login session through the menus?
>
> --
> Paul Cartwright
> Registered Linux user # 367800
> Registered Ubuntu User #12459

I'm not sure what program caused those messages but they look like firewall 
log messages.

Since it stopped when you rebooted I'd say there was a program trying to run 
and the firewall was stopping it from sending data and also logging the fact.

Just looking at these messages, you should allow all traffic on the lo 
interface to the lo interface and disable logging.

I don't know what you are using for your firewall scripts so I can't help till 
I know...
-- 
Thank you,

Clifford W. Hansen
PHP Developer / Linux Administrator

(Mobile/SMS)          +27 82 883 8677
(Fax)                 +27 86 503 0634
(E-Mail/Jabber/GMail) clifford@nighthawk.co.za
(GPG)                 0x936D6C19
(Web)                 http://nighthawk.co.za/

"We have seen strange things today!"

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- /var/log growing rapidly
  - From: Paul Cartwright <ale@pcartwright.com>
- Re: /var/log growing rapidly
  - From: Ron Johnson <ron.l.johnson@cox.net>
- Re: /var/log growing rapidly
  - From: Paul Cartwright <ale@pcartwright.com>

Prev by Date: Re: Here's something interesting... (was Re: Q: List Policy)
Next by Date: Re: Getting a unique ID for a system?
Previous by thread: Re: /var/log growing rapidly
Next by thread: Re: /var/log growing rapidly
Index(es):
- Date
- Thread