Re: [CentOS] Xorg fills up /var/log/Xorg.0.log with AUDIT messages (up to system crash) [solved]
Problem solved: A user had configured his preferred browser to be Thunderbird(!). As soon as he clicked on a link in an email, he ended in an endless loop with TB trying to open the link with the preferred browser (aka itself) again and again. This resulted in 40 MB audit loglines/hour in /var/log/Xorg.0.log. Cheers frank On 03.10.13 17:15, Frank Thommen wrote: Hi, on a CentOS 6.4-workstation we have the problem, that Xorg fills up /var/log/Xorg.0.log with AUDIT messages faster than one can read. Within four hours the logfile grew to 160 MB and usually within 1-2 days applications and sometimes the OS crash because /var becomes full. Here a small extract of /var/log/Xorg.0.log: [...] [ 24272.458] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.487] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24951 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.490] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.500] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.516] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24948 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.516] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24952 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.521] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.549] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24957 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.552] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.564] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.575] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24954 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.577] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24958 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.585] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.612] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24963 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.616] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.628] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.630] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24960 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.633] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24964 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.644] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.673] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24969 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.679] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.691] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.692] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24966 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.697] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24970 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.711] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [...] The client numbers are just a small repeating set, but trying to find the associated processes through the pids fails, because when the logfile entry is written, the processes are already gone. For sure these messages are associated with something the user(s) do, because as soon as nobody is logged in, these messages stop. We have lots of CentOS 6 machines, but this is the only one with such an issue, even though there are more or less the same applications running on all machines. Xorg is running with the following options (CentOS 6 default settings): /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-jQ4DVP/database -nolisten tcp vt1 Questions: * How can one find out which processes are responsible for these audit messages? * How can I stop auditing completely? With CentOS 5 Xorg ran with audit 0 and I was unable to find the place where the audit level is set. * (more generally) What's auditing good/used for anyway? Any hint is appreciated. Cheers frank [cross-posted on lopsa-tech maillist] ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Frank Thommen - Structures IT Management and Support - EMBL Heidelberg
Re: [CentOS] Xorg fills up /var/log/Xorg.0.log with AUDIT messages (up to system crash) [solved]
On Fri, 04 Oct 2013 13:48:01 +0200 Frank Thommen wrote: Problem solved: A user had configured his preferred browser to be Thunderbird(!). As soon as he clicked on a link in an email, he ended in an endless loop with TB trying to open the link with the preferred browser (aka itself) again and again. This resulted in 40 MB audit loglines/hour in /var/log/Xorg.0.log. That sounds like something that should be reported to the Thunderbird people. It probably wouldn't be too difficult for them to make Thunderbird an invalid selection under that setting. -- MELVILLE THEATRE ~ Real D 3D Digital Cinema ~ www.melvilletheatre.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Xorg fills up /var/log/Xorg.0.log with AUDIT messages (up to system crash) [solved]
hi frank, On 10/04/2013 12:12 PM, Frank Cox wrote: On Fri, 04 Oct 2013 13:48:01 +0200 Frank Thommen wrote: Problem solved: A user had configured his preferred browser to be Thunderbird(!). As soon as he clicked on a link in an email, he ended in an endless loop with TB trying to open the link with the preferred browser (aka itself) again and again. This resulted in 40 MB audit loglines/hour in /var/log/Xorg.0.log. That sounds like something that should be reported to the Thunderbird people. It probably wouldn't be too difficult for them to make Thunderbird an invalid selection under that setting. maybe not. thunderbird has add-ons 'thunderbrowse' and 'thunder!box'. they are supposed to make thunderbird work like -- peace out. in a world with out fences, who needs gates. tc.hago. g . ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Xorg fills up /var/log/Xorg.0.log with AUDIT messages (up to system crash)
Hi, on a CentOS 6.4-workstation we have the problem, that Xorg fills up /var/log/Xorg.0.log with AUDIT messages faster than one can read. Within four hours the logfile grew to 160 MB and usually within 1-2 days applications and sometimes the OS crash because /var becomes full. Here a small extract of /var/log/Xorg.0.log: [...] [ 24272.458] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.487] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24951 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.490] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.500] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.516] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24948 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.516] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24952 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.521] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.549] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24957 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.552] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.564] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.575] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24954 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.577] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24958 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.585] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.612] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24963 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.616] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.628] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.630] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24960 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.633] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24964 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.644] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.673] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24969 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.679] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [ 24272.691] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 disconnected [ 24272.692] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 connected from local host ( uid=9435 gid=577 pid=24966 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.697] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 30 connected from local host ( uid=9435 gid=577 pid=24970 ) Auth name: MIT-MAGIC-COOKIE-1 ID: 572 [ 24272.711] AUDIT: Wed Oct 2 15:41:44 2013: 2625: client 28 disconnected [...] The client numbers are just a small repeating set, but trying to find the associated processes through the pids fails, because when the logfile entry is written, the processes are already gone. For sure these messages are associated with something the user(s) do, because as soon as nobody is logged in, these messages stop. We have lots of CentOS 6 machines, but this is the only one with such an issue, even though there are more or less the same applications running on all machines. Xorg is running with the following options (CentOS 6 default settings): /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-jQ4DVP/database -nolisten tcp vt1 Questions: * How can one find out which processes are responsible for these audit messages? * How can I stop auditing completely? With CentOS 5 Xorg ran with audit 0 and I was unable to find the place where the audit level is set. * (more generally) What's auditing good/used for anyway? Any hint is appreciated. Cheers frank [cross-posted on lopsa-tech maillist] ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
