ips.log filling up disk

Question

We have XG210 with SFOS 19.5.4. I've noticed ips.log filling up /var partition till there is no free space on disk and it causes device to boot into fail-safe mode. Stopping IPS service stops log file from growing but when I restart IPS service, this issue occurs again. Switching off IPS Protection button from Intrusion Prevention menu or removing IPS polices from all firewall rules does not resolve this issue and only stopping service stops it. Here is the log that reappears again and again in the log file and causes this issue: 
 2024-03-03T20:42:03.268400Z [28142]:DAQ:INFO:daq_nmsp.c:2342(daq_nmsp_get_pkt)--> jumbogram read failed. jumbo len: 0 rslot 11 rlen 2048 
 2024-03-03T20:42:03.268402Z [28142]:DAQ:INFO:daq_nmsp.c:2384(daq_nmsp_get_pkt)--> Exit --> DAQ Error -7 
 
 I've tried re-imaging SFOS but it didn't solve the problem. Is there anyway to solve this issue without need to stopping IPS?

Michael Dunn · Answer

Actually NC-128322 (internal ticket to development, no access to public) looks like it was closed by no response from customer. I took a quick look at the logs from back then and it looks like someone turned on extra debug logging which caused the log files to fill fast. Depending on how they turn them on, it can even be automatically on when the service restarts. ls /sdisk/tmp/debug.cfg ls /var/tmp/debugp.conf If either of those files exist, delete them. You can restart the services (web proxy and ips) but I would reboot the box to be clean. The log rotate runs once a minute. Or rather - find log file over the configured size, renames them, compresses them. The starts a new times 60 second later to do it again. In some rare cases with super huge files the compression can take seconds (or even minutes) - but I've only seen this when debug logging was on super verbose in a busy system. grep log_rotate /log/csc.log should tell more.

ips.log filling up disk

Top Replies