Re: [squid-users] Information flodded in logfiles
sandiphw wrote:
> Thank you all for valuable assistance. I am working in a corporate environment. Squid is installed on a Linux server and all these desktops/laptops (Windows) generating these logs are through samba client. These things happened very recently and requests are coming from hundreds of clients. We have not installed any new software on any client machine.

Somebody did something to them ... Does not have to be new software to be broken either.

> Anyhow, I shall try to build a syslog server, but it may take time due to my limited knowledge. If you can advise me how to fix log sizes through squid configuration, it will give me a temporary relief.
>
> Regards,
> SKS

A syslog server may face the same problem, along with lost information as the network floods with additional GB of UDP packets containing log information. If the network reaches flood levels, important log lines indicating problems may be lost.

** You ** NEED ** to ** FIX ** the ** clients ***

The fact that you say nothing changed on the clients is ringing a huge warning bell for me. Windows machines which have _actually_ not been changed but suddenly start a DoS with new traffic is a good sign of infections underway.

The partial-domain makes me think the DNS settings in your network, or a configuration update pushed out to the client machines, is not quite right.

Depending on your squid you may be able to use an ACL matching domain ab-desktop on the access_log to reduce the recorded traffic logged. That will prevent you locating a suitable client to try fixing though.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13
Re: [squid-users] Information flodded in logfiles
Wed 2009-09-16 at 06:39 -0700, sandiphw wrote:
> Recently I found that logfiles are flooding with information like
>
> access.log
> 1253094090.451 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html

Seems that client is running some malfunctioning program. Hunt it down and fix it.

Regards
Henrik
Re: [squid-users] Information flodded in logfiles
Wed 2009-09-16 at 06:39 -0700, sandiphw wrote:
> Logfiles become over a GB within 7 days and squid stops working. We need to manually replace these files with new ones. debug_option is set to default. How to stop this information coming to logfiles?

It's normal requests and should be logged. The issue is that the client is not behaving well and continuously retries the same unsuccessful request, getting back authentication required each time.. but you don't need store.log. Disable it in squid.conf.

> How can I set the maximum size of logfile?

The already mentioned logrotate is a good tool for keeping track of log file size and automatically pruning data to keep logs at comfortable levels.

Regards
Henrik
Re: [squid-users] Information flodded in logfiles
Dear sandiphw,

The best option would be to work on the request or misbehaving application from http://ab-desktop. Log rotation on the squid proxy works best for me, and if you can, please create a syslog server; this will assist you in ensuring that logs are removed from the production server and reduce downtime on the proxy server.

One more thing that works best for me is Munin (monitoring). I check it every time for my servers and it works best, especially when it comes to identifying disk space, CPU usage etc.

--
Sakhi Louw
Cell:083 951 7760
Fax: 086 632 3670
sa...@jabber.org
sip:sa...@ekiga.net
Re: [squid-users] Information flodded in logfiles
Thank you all for valuable assistance. I am working in a corporate environment. Squid is installed on a Linux server and all these desktops/laptops (Windows) generating these logs are through samba client. These things happened very recently and requests are coming from hundreds of clients. We have not installed any new software on any client machine.

Anyhow, I shall try to build a syslog server, but it may take time due to my limited knowledge. If you can advise me how to fix log sizes through squid configuration, it will give me a temporary relief.

Regards,
SKS

--
View this message in context: http://www.nabble.com/Information-flodded-in-logfiles-tp25472578p25491116.html
Sent from the Squid - Users mailing list archive at Nabble.com.
[squid-users] Information flodded in logfiles
Recently I found that logfiles are flooding with information like

access.log
1253094090.451 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.675 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.728 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.791 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.853 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.916 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.978 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.041 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.104 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.166 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.214 2365 192.168.40.251 TCP_DENIED/407 1834 GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd uc NONE/- text/html
1253094091.228 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.291 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.297 2362 192.168.41.158 TCP_DENIED/407 1834 GET

store.log
1253094091.353 RELEASE -1 C22A6119C402EA74195B01ECBBCB178E 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.416 RELEASE -1 7EFAAFD1B02BF3BE93C9E7B6FADB8DA5 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.479 RELEASE -1 319EE692DFCB0B34FD454660195B3F7E 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.541 RELEASE -1 09676C7ACB16372E01BE2CC091E32AEC 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.603 RELEASE -1 5A9DA57ED86A40F79B68105608272ABD 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.666 RELEASE -1 278CF68206B1E065B102B5C97888FBBD 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.728 RELEASE -1 BCBF8DD569006699EBF9ADD91F37B57C 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.791 RELEASE -1 E08AD5AF3E329C7DB2EDD50DC8509502 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.853 RELEASE -1 4088B6F70F4213FF8DB0AC561865C5FB 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.916 RELEASE -1 99D33E36EBE2F2FF7BD0117587015231 407 1253094091 0 1253094091 text/html 1281/1663 OPTIONS http://ab-desktop/
1253094091.978 RELEASE -1 8FCB9F138361AC4BC44763DEF42D4753 407 1253094091 0 1253094091

Logfiles become over a GB within 7 days and squid stops working. We need to manually replace these files with new ones. debug_option is set to default. How to stop this information coming to logfiles? How can I set the maximum size of logfile? Or is something else creating the problem?

Any advice will be highly appreciated.

SKS

--
View this message in context: http://www.nabble.com/Information-flodded-in-logfiles-tp25472578p25472578.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Information flodded in logfiles
I've no ideas about the logging facility. But actually, you can try squid -k rotate with the logrotate program.

Regards,

--
Banyan He
Network System Security Infrastructure
Mail: ban...@rootong.com
Blog: http://www.rootong.com/blog
LinkedIn: http://www.linkedin.com/in/banyanhe
Website: http://www.rootong.com
Re: [squid-users] Information flodded in logfiles
That's some broken clients asking for things without providing the necessary authentication. There is nothing to do about it; debug_options doesn't affect access.log. Your best course of action, if you are in a corporate environment, is to find who is using the PC at address 192.168.42.30, understand what software is misbehaving, and fix it up.

Banyan (I hope I got the first name right, if not I apologize) got it right though, you need to set the log management infrastructure up in any case. If you're running on a Linux system, you should look into logrotate (it comes standard on any distribution I know of), otherwise you can check squid's built-in log rotation feature (see squid.conf.documented).

/kinkie
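Added example, not part of the original thread and not Squid project code: a short Python script for the step the replies recommend, locating the clients that keep retrying a request and getting 407 back. It assumes Squid's native access.log layout as shown in the excerpt; parse_line, find_retry_loops and the min_hits/max_gap thresholds are names and values chosen for this illustration.

```python
# Added example: flag clients stuck in a proxy-auth (407) retry loop.
# Sample lines follow the access.log excerpt posted in the thread.
SAMPLE_LOG = """\
1253094090.451 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.675 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.728 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.791 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094090.853 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.214 2365 192.168.40.251 TCP_DENIED/407 1834 GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd uc NONE/- text/html
1253094091.228 0 192.168.42.30 TCP_DENIED/407 1725 OPTIONS http://ab-desktop/ - NONE/- text/html
1253094091.297 2362 192.168.41.158 TCP_DENIED/407 1834 GET
"""


def parse_line(line):
    """Return (ts, client, result, method, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None  # truncated record, like the last sample line
    try:
        return float(fields[0]), fields[2], fields[3], fields[5], fields[6]
    except ValueError:
        return None


def find_retry_loops(lines, min_hits=5, max_gap=1.0):
    """List (client, method, url) runs of 407 denials spaced <= max_gap seconds."""
    current = {}  # key -> [run_start, last_seen, hits] for the run in progress
    longest = {}  # key -> (hits, span_sec) of the longest run seen so far
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].endswith("/407"):
            continue
        ts, client, _result, method, url = rec
        key = (client, method, url)
        run = current.get(key)
        if run is None or ts - run[1] > max_gap:
            run = current[key] = [ts, ts, 0]  # gap too long: start a new run
        run[1] = ts
        run[2] += 1
        if run[2] > longest.get(key, (0, 0.0))[0]:
            longest[key] = (run[2], round(ts - run[0], 3))
    report = [{"client": c, "method": m, "url": u, "hits": h, "span_sec": s}
              for (c, m, u), (h, s) in longest.items() if h >= min_hits]
    return sorted(report, key=lambda r: r["hits"], reverse=True)


if __name__ == "__main__":
    for row in find_retry_loops(SAMPLE_LOG.splitlines()):
        print(row)
```

A single 407 per request is the normal proxy-authentication challenge, so only sustained runs against the same URL are reported.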