How to prevent FS overflow due to excessive logging?
Tobias Ernst
tobi at casino.uni-stuttgart.de
Wed Nov 14 08:38:13 PST 2007
Hi all,
we have a default policy that logs all dropped packets. Accordingly, I
have carefully adjusted my newsyslogd configuration and made sure there
is plenty of space in /var/log.
Today, one of our computers started sending out UDP packets to a certain
(seemingly unknown) IP address, port 7800. And it sent many of them -
about 2 million within one hour. This led to a 3 GIG pflog file and of
course made our file system overflow.
We are currently figuring out what that was, but there is another
question that boggles me: how do I prevent such file system overflows in
the future?
With conventional syslogd logging, syslogd will not print out lines that
are excessive repetitions of previous lines. Is there a way to make PF
not log excessive repetitions?
I do not want to disable UDP logging generally - after all I want to be
told when things like this happen.
Regards
Tobias
--
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228 F +49 (0)711 121-4276
E office at casino.uni-stuttgart.de I http://www.casino.uni-stuttgart.de
More information about the freebsd-pf
mailing list