This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Very High CPU load since installing 9.703-3 - serious issues with logon to firewall management and user portal and SSL VPN login

Since installing 9.703-3 on SG 310 cluster we are having massive problems with very high CPU load.

Before the update the normal load was under 30%, now it is generally between 75% and 95% with peaks of 100%

We regularly are not able to log onto the management and the user portal. Also the log on to the SSl VPN is not possible.

All other services run but are slower and we are having some issues with rejected SMTP connections because of system limitations.

 

We have created a case with Sophos (Case 9956951) but even as Gold Partners we have not received any substantial help for for the past 3 weeks.

We hope someone here in the community can help us.

 

Here the list of our own attempts to resolve the issue:

  • Cold restart of the entire cluster
  • Reset to factory of both devices, import of saved configuration and clean recreation of cluster
  • Deactivation of IPS and other threat protection functions

None of these attempts resulted in any positive change.

On advise of Sophos Support we have created and submitted ATOP system logs (one running a couple of hours one running more than a day).
If it were of any help, we can make the logs available.

Below an extract of the current process list.
As we had no problem before we cannot compare the differences before/after, but we know that the regular CPU load before the event was in the 30% region.
I've highlighted the processes that in our view are problematic.

  • The "confd" process and its dependencies continuosly use a lot of CPU
  • The "aua.bin" process (responsible for login) usually has a very long list of "defunct" processes in the list with cumulative high CPU load
  • The "apache" process is also quite high on CPU load
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    Jun28   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    Jun28   8:43  \_ [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [kworker/0:0H]
root         7  0.0  0.0      0     0 ?        S    Jun28   0:02  \_ [migration/0]
root         8  0.0  0.0      0     0 ?        S    Jun28   0:14  \_ [rcu_bh]
root         9  0.1  0.0      0     0 ?        S    Jun28  18:17  \_ [rcu_sched]
root        10  0.0  0.0      0     0 ?        S    Jun28   0:01  \_ [migration/1]
root        11  0.0  0.0      0     0 ?        S    Jun28   8:32  \_ [ksoftirqd/1]
root        13  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [kworker/1:0H]
root        14  0.0  0.0      0     0 ?        S    Jun28   0:02  \_ [migration/2]
root        15  0.0  0.0      0     0 ?        S    Jun28   4:21  \_ [ksoftirqd/2]
root        16  0.0  0.0      0     0 ?        S    Jun28   2:17  \_ [kworker/2:0]
root        17  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [kworker/2:0H]
root        18  0.0  0.0      0     0 ?        S    Jun28   0:02  \_ [migration/3]
root        19  0.0  0.0      0     0 ?        S    Jun28   3:38  \_ [ksoftirqd/3]
root        21  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [kworker/3:0H]
root        22  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [khelper]
root       133  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [writeback]
root       136  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [bioset]
root       137  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [crypto]
root       139  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [kblockd]
root       343  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [khubd]
root       351  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [edac-poller]
root       471  0.0  0.0      0     0 ?        S    Jun28   0:05  \_ [kswapd0]
root       535  0.0  0.0      0     0 ?        SN   Jun28   0:29  \_ [khugepaged]
root       536  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [fsnotify_mark]
root      1171  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [deferwq]
root      1253  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [nvme]
root      1268  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ata_sff]
root      1292  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [scsi_eh_0]
root      1295  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [scsi_eh_1]
root      1298  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [scsi_eh_2]
root      1301  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [scsi_eh_3]
root      1304  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [scsi_eh_4]
root      1307  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [scsi_eh_5]
root      2550  0.0  0.0      0     0 ?        S<   Jun28   0:02  \_ [kworker/3:1H]
root      2551  0.0  0.0      0     0 ?        S<   Jun28   0:02  \_ [kworker/1:1H]
root      2552  0.0  0.0      0     0 ?        S<   Jun28   0:04  \_ [kworker/2:1H]
root      2563  0.0  0.0      0     0 ?        S<   Jun28   1:18  \_ [kworker/0:1H]
root      2631  0.0  0.0      0     0 ?        S    Jun28   0:40  \_ [jbd2/sda6-8]
root      2632  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ext4-rsv-conver]
root      2913  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ixgbe]
root      3149  0.0  0.0      0     0 ?        S    Jun28   0:00  \_ [jbd2/sda1-8]
root      3150  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ext4-rsv-conver]
root      3151  0.0  0.0      0     0 ?        S    Jun28   0:42  \_ [jbd2/sda5-8]
root      3152  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ext4-rsv-conver]
root      3153  0.0  0.0      0     0 ?        S    Jun28   0:27  \_ [jbd2/sda7-8]
root      3154  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ext4-rsv-conver]
root      3155  0.0  0.0      0     0 ?        S    Jun28   0:05  \_ [jbd2/sda8-8]
root      3156  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [ext4-rsv-conver]
root      4724  0.0  0.0      0     0 ?        S<   Jun28   0:00  \_ [redd]
root      8154  0.0  0.0      0     0 ?        S    Jun28   1:49  \_ [kworker/1:2]
root     29219  0.0  0.0      0     0 ?        S    Jun28   0:06  \_ [kworker/3:0]
root     22022  0.0  0.0      0     0 ?        S    Jul05   1:14  \_ [kworker/1:1]
root     27773  0.0  0.0      0     0 ?        S    Jul05   0:06  \_ [kworker/3:1]
root     28897  0.0  0.0      0     0 ?        S    Jul07   1:11  \_ [kworker/2:1]
root     12618  0.0  0.0      0     0 ?        S    Jul07   0:20  \_ [kworker/0:0]
root      4341  0.0  0.0      0     0 ?        S    Jul08   0:16  \_ [kworker/0:2]
root     18656  0.0  0.0      0     0 ?        S    10:47   0:00  \_ [kworker/u8:2]
root     26845  0.0  0.0      0     0 ?        S    11:12   0:00  \_ [kworker/u8:0]
root         1  0.0  0.0   3976   528 ?        Ss   Jun28   0:05 init [3]  
root      2694  0.0  0.0   4456   364 ?        S<s  Jun28   0:00 /sbin/udevd --daemon
root     26184  0.0  0.0   4452   344 ?        S<   Jun28   0:00  \_ /sbin/udevd --daemon
root     26185  0.0  0.0   4452   216 ?        S<   Jun28   0:00  \_ /sbin/udevd --daemon
root      3524  0.0  0.0   3988   664 ?        S    Jun28   0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
200       3537  0.0  0.0   4660   216 ?        Ss   Jun28   0:00 /bin/dbus-daemon --system
201       3762  0.0  0.0  17200  1888 ?        Ssl  Jun28   0:03 /usr/sbin/hald --daemon=yes
root      3763  0.0  0.0   5900   840 ?        S    Jun28   0:00  \_ hald-runner
root      3785  0.0  0.0   8456  1108 ?        S    Jun28   0:00      \_ hald-addon-input: Listening on /dev/input/event0 /dev/input
root      3802  0.0  0.0   8468  1108 ?        S    Jun28   0:00      \_ /usr/lib/hal/hald-addon-cpufreq
201       3803  0.0  0.0   8164  1328 ?        S    Jun28   0:00      \_ hald-addon-acpi: listening on acpid socket /var/run/acpid.s
root      3832  0.0  0.0   4252   456 ?        Ss   Jun28   3:55 /usr/sbin/lcd-serial300 5
root      3844  0.2  0.0   8316  4376 ?        Ss   Jun28  39:18 /sbin/haveged -w 1024 -v 0
root      3869  0.0  0.0   3956   472 ?        S    Jun28   0:00 logger -p daemon.debug -t confd[3868]
root      3883  0.0  0.0   3956   368 ?        Ss   Jun28   0:00 /usr/local/bin/confd-queuer
root      3895  0.0  0.0  10224  4488 ?        Ss   Jun28   0:20 confd-qrunner.pl
root      3912  0.0  0.0  11024  3576 ?        S    Jun28   4:04 /usr/local/bin/sysmond
root      3949  2.9  0.0  21540 12108 ?        S    Jun28 458:04 /var/aua/aua.bin
root      3950  0.0  0.0   3956   536 ?        S    Jun28   0:00  \_ logger -p daemon.debug -t aua[3949]
root     18844  4.3  0.0      0     0 ?        Z    12:05   0:00  \_ [aua.bin] <defunct>
root     18852  4.3  0.1  28144 20928 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18856  4.7  0.1  28144 20928 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18859  4.8  0.1  27696 20680 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18860  4.7  0.1  25008 19488 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18861  4.9  0.1  28144 20936 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18883  5.1  0.1  27912 17712 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18884  4.6  0.1  27912 17516 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18885  4.6  0.1  27976 17524 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18887  5.2  0.1  27912 17712 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18889  5.0  0.1  27912 17516 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18891  5.1  0.1  27912 17512 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18892  4.9  0.1  27976 17520 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18897  5.1  0.1  27912 17500 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18898  4.8  0.1  27912 17524 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18901  4.8  0.1  27320 16976 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18905  4.9  0.1  27460 17000 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18911  4.5  0.1  26336 15876 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18912  4.7  0.1  26184 15876 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18914  5.2  0.1  26896 16508 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18915  4.6  0.1  25768 15348 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18921  4.6  0.1  25632 15084 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18922  4.7  0.1  25500 15084 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18924  4.8  0.1  25368 14864 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18926  4.5  0.1  24676 14096 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18927  5.0  0.1  25368 14864 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18930  4.8  0.1  24808 14472 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18931  5.3  0.1  24960 14524 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18933  5.1  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18934  5.6  0.1  24828 14524 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18938  5.1  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18939  5.3  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18940  5.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18941  5.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18946  4.9  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18951  5.6  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18955  5.3  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18959  5.6  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18967  5.1  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18970  5.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18976  5.8  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18978  5.8  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18980  5.5  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18981  6.2  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18983  5.9  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18984  6.5  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18986  5.7  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18988  5.5  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18989  6.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18990  6.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18993  7.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18994  7.0  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root     18998  5.9  0.1  24728 13784 ?        R    12:05   0:00  \_ /var/aua/aua.bin
root      4239  0.0  0.0  16328  4528 ?        S    Jun28   0:01 /usr/local/bin/notifier.plx -d
rrdcache  4255  0.0  0.0 120208  1076 ?        Ssl  Jun28   1:48 /usr/bin/rrdcached -l unix:/var/run/rrdcached/socket -m 777 -b /var
at        4286  0.0  0.0   4404   228 ?        Ss   Jun28   0:00 /usr/sbin/atd
root      4708  0.1  1.6 222028 196320 ?       S    Jun28  16:25 /var/mdw/mdw.plx
root      4715  0.0  0.0   3956   516 ?        S    Jun28   0:01  \_ logger -p daemon.debug -t middleware[4708]
root      4859  0.0  0.0   3980   380 ?        Ss   Jun28   0:04 runsvdir -P /etc/service log: .....................................
root      4866  0.0  0.0   3836   212 ?        Ss   Jun28   0:00  \_ runsv selfmonng
root     27063  0.8  0.0  13876  7544 ?        S    Jun28 125:40      \_ /usr/local/bin/selfmonng.plx
root     27157  0.0  0.0  13500  5184 ?        S    Jun28   0:02          \_ [timewarp check]
root      4860  0.0  0.0   4484   620 tty1     Ss+  Jun28   0:00 /sbin/mingetty --no-hostname tty1
root      4861  0.0  0.0   4484   612 tty2     Ss+  Jun28   0:00 /sbin/mingetty --no-hostname tty2
root      4862  0.0  0.0   4484   620 tty3     Ss+  Jun28   0:00 /sbin/mingetty --no-hostname tty3
root      4863  0.0  0.0   4484   612 tty4     Ss+  Jun28   0:00 /sbin/mingetty --no-hostname tty4
root      4864  0.0  0.0   4204   524 ttyS0    Ss+  Jun28   0:00 /sbin/mingetty ttyS0
root      5297  0.0  0.0   4424   740 ?        Ss   Jun28   0:02 /usr/sbin/cron
root      5707  0.3  0.4 126448 52152 ?        Ssl  Jun28  57:48 /usr/sbin/named -4
root      9477  0.0  0.0   8776  1300 ?        Ss   Jun28   0:01 /usr/libexec/postfix/master -w
postfix  27322  0.0  0.0   8528  2192 ?        S    11:13   0:00  \_ qmgr -l -t unix -u -c
postfix  27323  0.0  0.0   8472  2176 ?        S    11:13   0:00  \_ pickup -l -t unix -u -c
root     14827  0.0  0.3  85012 45432 ?        Ss   Jun28   8:43 confd [master]
root     14828  0.0  0.0   3956   520 ?        S    Jun28   0:00  \_ logger -p daemon.debug -t confd[14827]
root     14830  0.0  0.1  58608 17024 ?        S    Jun28   7:12  \_ confd [listener]
root       714  0.0  0.2  74724 36436 ?        S    02:25   0:00      \_ confd [worker:prpc:system]
root     21568  1.5  0.4  86216 51508 ?        S    11:49   0:14      \_ confd [worker:prpc:webadmin]
root     19014 28.5  0.0   5188  1320 ?        R    12:05   0:00      |   \_ ps auxwf
root     26396  1.2  0.3  81352 44848 ?        S    11:52   0:10      \_ confd [worker:prpc:webadmin]
root     32078  0.0  0.2  75168 36444 ?        S    11:55   0:00      \_ confd [worker:prpc:system]
root     12217  0.1  0.2  75168 36424 ?        S    12:02   0:00      \_ confd [worker:prpc:system]
root     14894  0.0  0.2  65876 27200 ?        S    12:03   0:00      \_ confd [worker:prpc:system]
root     18058  0.2  0.2  66012 27304 ?        S    12:05   0:00      \_ confd [worker:prpc:acc-agent]
root     18814  2.6  0.0      0     0 ?        Z    12:05   0:00      \_ [confd.plx] <defunct>
root     18937  3.1  0.2  65876 27200 ?        S    12:05   0:00      \_ confd [worker:prpc:system]
810      15034  0.0  0.0 112108  8456 ?        Ssl  Jun28   1:02 /var/chroot-http/usr/bin/sandboxd --chroot /var/chroot-http --u htt
root     16092  0.0  0.0   5132   672 ?        Ss   Jun28   0:00 /usr/libexec/ipsec/starter
root       641  0.4  0.1  30560 21044 ?        Ss   Jun28  71:33  \_ /usr/libexec/ipsec/pluto --nofork --probe-psk --debug-none --no
root      1044  0.0  0.0   3936   192 ?        S    Jun28   0:00      \_ _pluto_adns
root     16660  0.0  0.0   5856   260 ?        S    Jun28   0:00 supervising syslog-ng                     
root     16661  3.4  0.2  38644 31968 ?        Rs   Jun28 537:03  \_ /usr/sbin/syslog-ng -f /etc/syslog-ng.conf
root      1159  0.8  0.1  24744 19016 ?        S    00:00   6:06      \_ /usr/bin/perl /usr/local/bin/reporter/admin-reporter.pl
root      1160  0.2  0.1  21300 15552 ?        S    00:00   2:06      \_ /usr/bin/perl /usr/local/bin/reporter/pfilter-reporter.pl
root      1169  0.0  0.0  32840  2764 ?        Sl   00:00   0:37      \_ /usr/local/bin/reporter/vpn-reporter.pl
root      1179  0.0  0.0  30952  1960 ?        Sl   00:00   0:00      \_ /usr/local/bin/reporter/websec-reporter.pl
root      1184  0.2  0.1  20096 14316 ?        S    00:00   1:38      \_ /usr/bin/perl /usr/local/bin/reporter/mailsec-reporter.pl
root      1185  0.0  0.1  18948 13076 ?        S    00:00   0:00      \_ /usr/bin/perl /usr/local/bin/reporter/ips-reporter.pl
root      1190  0.0  0.0  30952  1812 ?        Sl   00:00   0:00      \_ /usr/local/bin/reporter/websec-reporter.pl -e
root      1199  0.1  0.0   5336  1964 ?        S    00:00   1:17      \_ /usr/local/bin/reporter/waf-reporter
root     16768  0.0  0.0   7052   716 ?        Ss   Jun28   0:00 /usr/lib/ctasd/ctasd.bin -p /var/run/ctasd_inbound.pid -l /usr/lib/
root     16771  1.3  0.4 106664 49580 ?        Sl   Jun28 209:16  \_ /usr/lib/ctasd/ctasd.bin -p /var/run/ctasd_inbound.pid -l /usr/
root     16778  0.0  0.0   7052   708 ?        Ss   Jun28   0:00 /usr/lib/ctasd/ctasd.bin -p /var/run/ctasd_outbound.pid -l /usr/lib
root     16784  0.0  0.2  73856 28000 ?        Sl   Jun28  10:39  \_ /usr/lib/ctasd/ctasd.bin -p /var/run/ctasd_outbound.pid -l /usr
root     16792  0.8  0.0  27880  4880 ?        Ssl  Jun28 130:07 ./ctipd.bin -l /usr/lib/ctipd
root     16854  1.8  3.2 932624 398600 ?       Ssl  Jun28 291:33 /usr/bin/cssd -d
root     16861  0.1  0.2  63572 28100 ?        S    Jun28  30:55 /usr/sbin/acc-agent.plx --verbose=2 --daemon
root     17022  0.0  0.0  55744 11184 ?        Ss   Jun28   0:39 /usr/apache/bin/httpd -k start
root     23103  0.0  0.0   3956   460 ?        S    Jun28   2:15  \_ /bin/logger -p local1.info -t httpd
nobody   14052  3.9  0.2 503152 34332 ?        Sl   10:03   4:47  \_ /usr/apache/bin/httpd -k start
nobody   10045  3.0  0.2 401392 29236 ?        Sl   11:22   1:20  \_ /usr/apache/bin/httpd -k start
nobody   18381  3.7  0.2 499340 30428 ?        Sl   11:27   1:27  \_ /usr/apache/bin/httpd -k start
nobody    5127  4.8  0.2 496600 28016 ?        Sl   11:58   0:22  \_ /usr/apache/bin/httpd -k start
nobody    7712  4.6  0.2 493480 25024 ?        Sl   11:59   0:17  \_ /usr/apache/bin/httpd -k start
root     26152  0.0  0.0   6912   520 ?        Ss   Jun28   0:02 /usr/sbin/rsyncd --daemon
root     28797  0.0  0.0   3952   560 ?        S    Jun28   0:00 /usr/local/bin/watch_path
root     28812  0.0  0.0   5284  4260 ?        S<Lsl Jun28   1:00 /usr/local/bin/ha_daemon
root     28814  0.0  0.0   4044   464 ?        Ss   Jun28   0:30 /usr/local/bin/ha_sysmond
postgres 29256  0.0  0.0  14520  6320 ?        Ss   Jun28   0:10 /usr/local/bin/repctl
root      6737  2.1  0.1  40500 24276 ?        S<s  Jun28 343:47 /usr/sbin/conntrackd -d
root     31270  0.0  0.0   9312  2636 ?        Ss   Jun28   0:46 /usr/sbin/dhcpd -cf /etc/dhcpd.conf eth10 eth0
root     32240  0.0  0.2  34900 26448 ?        Ss   Jun28   0:07 confd-sync
postgres 32354  0.0  0.0   6912   744 ?        Ss   Jun28   0:00 /usr/bin/rsync --daemon --config /var/lib/postgresql/rsyncd.conf
nobody   32366  0.0  0.0   6104  1924 ?        S    Jun28   0:02 /sbin/ha_proxy
nobody   32368  0.0  0.0   6104  1924 ?        S    Jun28   0:00  \_ /sbin/ha_proxy
root     32440  0.0  0.4  53644 49892 ?        Ss   Jun28  10:46 /usr/local/bin/nwd
postgres 32527  0.0  0.4 1642220 55512 ?       S    Jun28   0:55 /usr/pgsql92/bin/postgres -D /var/storage/pgsql92/data
postgres 32538  0.0 13.1 1643100 1600668 ?     Ss   Jun28   4:41  \_ postgres: checkpointer process                        
postgres 32539  0.0  0.0 1642992 11808 ?       Ss   Jun28   0:10  \_ postgres: writer process                              
postgres 32540  0.0  0.1 1642992 17196 ?       Ss   Jun28   4:38  \_ postgres: wal writer process                          
postgres 32541  0.0  0.0 1643780 2140 ?        Ss   Jun28   0:33  \_ postgres: autovacuum launcher process                 
postgres 32542  0.0  0.0  10028   684 ?        Ss   Jun28   0:02  \_ postgres: archiver process   last was 000000010000001600000065
postgres 32543  0.0  0.0  10308  1028 ?        Ss   Jun28   2:54  \_ postgres: stats collector process                     
postgres 32704  0.0  0.0 1646108 9668 ?        Ss   Jun28   0:04  \_ postgres: smtp smtp 127.0.0.1(48622) idle             
postgres   423  0.0  1.1 1646672 142500 ?      Ss   Jun28   2:31  \_ postgres: smtp smtp 127.0.0.1(48643) idle             
postgres   518  0.0  0.0 1645404 6568 ?        Ss   Jun28   0:00  \_ postgres: sandbox sandbox 198.19.250.1(47154) idle    
postgres   523  0.0  0.3 1646428 40240 ?       Ss   Jun28   4:46  \_ postgres: sandbox sandbox 198.19.250.1(47162) idle    
postgres  1330  0.0  0.0 1646040 8184 ?        Ss   Jun28   0:04  \_ postgres: smtp smtp 198.19.250.2(56432) idle          
postgres  1354  0.0  0.0 1646072 6560 ?        Ss   Jun28   0:00  \_ postgres: smtp smtp 198.19.250.2(56434) idle          
postgres  1610  0.0  0.0 1645404 2632 ?        Ss   Jun28   0:00  \_ postgres: sandbox sandbox 198.19.250.2(56440) idle    
postgres  1619  0.0  0.3 1646324 38308 ?       Ss   Jun28   4:40  \_ postgres: sandbox sandbox 198.19.250.2(56441) idle    
postgres  3528  0.0  0.0 1643728 2276 ?        Ss   Jun28   5:10  \_ postgres: wal sender process repmgr 198.19.250.2(56471) streami
postgres  6001  0.0  0.2 1646392 31892 ?       Ss   Jun29   0:05  \_ postgres: smtp smtp 127.0.0.1(52480) idle             
postgres 20831  0.0  0.0 1646052 7884 ?        Ss   Jun29   0:00  \_ postgres: sandbox sandbox 127.0.0.1(41816) idle       
postgres 20806  2.0  5.7 1646632 699876 ?      Rs   Jul03 177:16  \_ postgres: reporting reporting [local] idle in transaction
postgres  1200  0.0  0.0 1645404 4796 ?        Ss   00:00   0:00  \_ postgres: smtp smtp [local] idle                      
postgres  1205  0.0  0.0 1645404 4804 ?        Ss   00:00   0:00  \_ postgres: smtp smtp [local] idle                      
postgres  1206  0.0  0.0 1646312 7828 ?        Ss   00:00   0:00  \_ postgres: reporting reporting [local] idle            
postgres  1212  0.0  0.0 1645920 4292 ?        Ss   00:00   0:00  \_ postgres: reporting reporting [local] idle            
postgres  1339  0.0  0.0 1646072 5040 ?        Ss   00:00   0:00  \_ postgres: hotspot hotspot [local] idle                
postgres  1372  0.0  0.0 1646072 5032 ?        Ss   00:00   0:00  \_ postgres: hotspot hotspot [local] idle                
postgres  2681  0.0  0.0 1645920 4816 ?        Ss   00:00   0:00  \_ postgres: sandbox sandbox [local] idle                
postgres  2709  0.0  0.0 1646052 7108 ?        Ss   00:00   0:00  \_ postgres: sandbox sandbox [local] idle                
postgres  9273  0.0  0.2 1646436 28064 ?       Ss   00:05   0:22  \_ postgres: reporting reporting [local] idle            
postgres 25447  0.0  0.0 1646312 8308 ?        Ss   00:15   0:29  \_ postgres: smtp smtp 198.19.250.2(45947) idle          
postgres  2463  0.0  0.0 1646476 11208 ?       Ss   02:26   0:00  \_ postgres: smtp smtp 127.0.0.1(35035) idle             
postgres 32075  0.0  0.0 1646048 10232 ?       Ss   11:55   0:00  \_ postgres: smtp smtp 127.0.0.1(60969) idle             
postgres 10210  0.0  0.0 1645404 4232 ?        Ss   12:01   0:00  \_ postgres: repmgr repmgr 198.19.250.2(49389) idle      
postgres 12214  0.0  0.0 1646048 9684 ?        Ss   12:02   0:00  \_ postgres: smtp smtp 127.0.0.1(42015) idle             
postgres 14888  0.0  0.0 1646100 8840 ?        Ss   12:03   0:00  \_ postgres: smtp smtp 127.0.0.1(43739) idle             
postgres 14999  0.0  0.0 1646296 7508 ?        Ss   12:03   0:00  \_ postgres: smtp smtp 127.0.0.1(43829) idle             
postgres 18862  4.5  1.6 1688088 204016 ?      Ss   12:05   0:00  \_ postgres: autovacuum worker process   reporting       
postgres 19017  0.0  0.0 1645404 3500 ?        Ss   12:05   0:00  \_ postgres: smtp smtp 127.0.0.1(46151) idle             
root     32554  0.1  0.0  14620  9368 ?        Ss   Jun28  17:00 dns-resolver.plx
root     32610  0.0  0.0  15880   752 ?        Ss   Jun28   0:55 /sbin/ntpd
root     32623  0.0  0.2  35436 24664 ?        Ss   Jun28   6:25 awed [master]
root     32646  0.0  0.2  81716 34192 ?        Ss   Jun28  14:08 smtpd [master]
root     32702  0.0  0.4  69520 49252 ?        S    Jun28   3:19  \_ smtpd [queue manager]
root     32703  0.0  0.1  42324 22576 ?        S    Jun28   0:02  \_ smtpd [sandbox_watcher]
smtp       422  0.6  0.0  10960  2904 ?        S    Jun28 101:32  \_ /bin/exim -DINPUT -bdf
smtp     13843  0.0  0.0  11288  2680 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15335  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15341  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15350  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15352  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15372  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15376  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15378  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15379  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15383  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15384  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15387  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15392  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15394  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15415  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15436  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15484  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15546  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15553  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15621  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15799  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15800  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15810  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15815  0.0  0.0  11148  1728 ?        S    12:03   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15849  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15854  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15886  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15919  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15925  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     15971  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16039  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16074  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16106  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16189  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16213  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16217  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16219  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16241  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16329  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16366  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16385  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16417  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16435  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16466  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16473  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16480  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16498  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16506  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16512  0.0  0.0  11288  2680 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16564  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16592  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16599  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16656  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16673  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16687  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16695  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16699  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16700  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16704  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16705  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16706  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16739  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16740  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16742  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16748  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16749  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16753  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16757  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16762  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16763  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16767  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16776  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16777  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16780  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16783  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16785  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16789  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16791  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16811  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16818  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16826  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16828  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16834  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16847  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16859  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16875  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16877  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16884  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16886  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16888  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16896  0.0  0.0  11148  1748 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16913  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16921  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16943  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16962  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16974  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16978  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16980  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16984  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16988  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16990  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     16994  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17017  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17021  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17029  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17035  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17037  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17038  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17041  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17044  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17047  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17050  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17070  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17076  0.0  0.0  11288  2680 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17107  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17113  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17139  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17142  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17143  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17147  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17153  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17158  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17175  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17182  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17187  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17189  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17200  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17203  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17205  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17220  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17238  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17259  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17266  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17268  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17269  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17270  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17271  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17278  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17284  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17285  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17299  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17324  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17350  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17376  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17385  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17388  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17393  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17411  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17412  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17429  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17443  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17447  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17449  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17450  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17455  0.0  0.0  11148  1728 ?        S    12:04   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17456  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17458  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17461  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17469  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17487  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17489  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17706  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17707  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17709  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17713  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17714  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17717  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17727  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17730  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17737  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17738  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17744  0.0  0.0  11288  2680 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17748  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17758  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17830  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17838  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17843  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17844  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17849  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17944  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17947  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17948  0.1  0.0  11288  2680 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17985  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17988  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17993  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     17994  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18004  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18005  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18054  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18056  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18060  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18062  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18065  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18067  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18095  0.1  0.0  11288  2680 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18102  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18104  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18105  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18106  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18113  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18126  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18149  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18150  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18173  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18254  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18258  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18278  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18289  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18291  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18303  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18310  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18329  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18331  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18332  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18333  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18348  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18355  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18363  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18365  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18371  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18374  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18437  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18466  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18490  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18493  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18499  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18528  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18538  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18540  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18545  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18547  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18550  0.3  0.0  11288  2680 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18555  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18562  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18564  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18568  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18569  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18574  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18577  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18578  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18581  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18583  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18585  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18594  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18644  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18648  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18670  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18676  0.7  0.0  11348  4144 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18690  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18712  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18717  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18721  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18723  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18728  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18731  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18735  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18740  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18743  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18746  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18748  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18750  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18754  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18756  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18757  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18759  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18761  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18762  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18765  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18766  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18767  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18768  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18773  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18776  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18777  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18778  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18779  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18781  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18782  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18785  0.4  0.0  11288  2680 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18787  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18788  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18789  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18792  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18793  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18795  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18802  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18803  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18804  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18805  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18807  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18808  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18809  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18810  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18812  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18816  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18820  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18822  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18824  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18826  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18827  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18828  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18833  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18836  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18837  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18839  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18840  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18841  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18843  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18846  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18847  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18848  0.0  0.0  11288  2420 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18850  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18851  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18853  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18854  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18855  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18857  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18858  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18864  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18865  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18870  1.2  0.0  11292  2820 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18871  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18872  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18873  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18874  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18875  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18876  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18877  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18881  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18882  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18886  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18888  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18890  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18893  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18894  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18895  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18899  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18900  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18902  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18903  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18904  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18907  0.0  0.0  11288  2420 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18908  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18910  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18913  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18916  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18917  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18918  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18919  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18920  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18923  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18925  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18928  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18929  1.3  0.0  11348  4140 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18942  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18943  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18944  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18948  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18950  5.1  0.0  11500  3456 ?        R    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18954  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18960  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18961  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18962  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18965  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18966  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18968  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18972  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18973  0.0  0.0  11148  1748 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18982  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18985  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18987  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18991  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18992  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18995  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18997  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     18999  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19000  8.0  0.0  11288  2680 ?        R    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19002  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19005  0.0  0.0  11148  1432 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19006  0.0  0.0  11148  1432 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19007  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19010  0.0  0.0  11148  1432 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19011  0.0  0.0  11148  1728 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19013  0.0  0.0  11148  1432 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
smtp     19015  0.0  0.0  11148  1432 ?        S    12:05   0:00  |   \_ /bin/exim -DINPUT -bdf
root     32062  6.0  0.3  83836 37068 ?        R    11:55   0:37  \_ smtpd [scanner]
root     18878  2.5  0.0  11088  3484 ?        S    12:05   0:00  |   \_ /bin/exim -Mc 1jtTR1-0008L8-V8
smtp     18974  0.6  0.0  11096  3008 ?        S    12:05   0:00  |   |   \_ /bin/exim -Mc 1jtTR1-0008L8-V8
root     18879  2.7  0.0  11088  3488 ?        S    12:05   0:00  |   \_ /bin/exim -Mc 1jtTR1-0008L8-Sv
smtp     18975  0.0  0.0  11096  3012 ?        S    12:05   0:00  |   |   \_ /bin/exim -Mc 1jtTR1-0008L8-Sv
root     18996  6.8  0.0  10824  1580 ?        R    12:05   0:00  |   \_ /bin/exim -Mc 1jtTRB-0008L8-4B
root     12209  8.4  0.2  81960 35408 ?        S    12:02   0:19  \_ smtpd [scanner]
root     19012 11.1  0.0  10824  1576 ?        R    12:05   0:00  |   \_ /bin/exim -Mc 1jtTQz-0003Av-QN
root     14880  6.1  0.2  82004 35188 ?        R    12:03   0:08  \_ smtpd [scanner]
smtp     18598  0.8  0.0      0     0 ?        Z    12:05   0:00      \_ [exim] <defunct>
root     32685  0.2  0.0  11504  5544 ?        Ss   Jun28  37:48 /usr/sbin/openvpn --config /etc/openvpn/openvpn.conf --writepid /va
root     19654  0.0  0.0   3948    44 ?        S    Jun28   0:00  \_ async_auth 12
root     32717  0.0  0.0  12428  2944 ?        Ss   Jun28   0:13 /bin/httpd -f /etc/httpd/httpd.conf
root     32719  0.0  0.0   3956   420 ?        S    Jun28   0:00  \_ /bin/logger -t httpd -p local6.notice
wwwrun   32720  0.0  0.0  12472  1760 ?        S    Jun28   0:00  \_ /bin/httpd -f /etc/httpd/httpd.conf
wwwrun    5644  0.0  0.3  56816 40260 ?        S    Jun29   0:02  |   \_ /var/jape/index.plx
wwwrun   31443  0.0  0.4  56516 49368 ?        S    02:25   0:02  |   \_ /var/jape/index.plx
wwwrun   19901  0.4  0.6  89268 84956 ?        S    11:48   0:04  |   \_ /var/webadmin/webadmin.plx
wwwrun   21393  0.5  0.9 117568 113052 ?       S    11:49   0:05  |   \_ /var/webadmin/webadmin.plx
wwwrun   14191  0.0  0.0      0     0 ?        Z    12:03   0:00  \_ [httpd] <defunct>
wwwrun   17056  0.0  0.0  12828  3880 ?        S    12:04   0:00  \_ /bin/httpd -f /etc/httpd/httpd.conf
wwwrun   18349  0.0  0.0  12696  3216 ?        S    12:05   0:00  \_ /bin/httpd -f /etc/httpd/httpd.conf
wwwrun   18935  0.3  0.0  12696  3656 ?        S    12:05   0:00  \_ /bin/httpd -f /etc/httpd/httpd.conf
root       429  0.0  0.0  17772  1356 ?        Ssl  Jun28   1:12 /usr/local/bin/service_monitor
810        492  0.0  0.1  24008 16084 ?        S    Jun28   0:04 /var/chroot-http/usr/bin/sandbox_reportd.plx --chroot /var/chroot-h
810        522  0.2  0.1  25408 13888 ?        S    Jun28  32:38  \_ /var/chroot-http/usr/bin/sandbox_reportd.plx --chroot /var/chro
root     20802  1.6  0.0  35716  4156 ?        S<sl Jul03 137:30 /usr/sbin/ulogd -c /etc/ulogd.conf -d
root     12122  0.0  0.0   7660  2928 ?        Ss   Jul05   2:16 /usr/sbin/irqd
root     21292  0.0  0.0   7568   872 ?        Ss   Jul05   0:00 /usr/sbin/sshd -f /etc/ssh/sshd_config


This thread was automatically locked due to age.
Parents
  • Hi Alexander,

    Every once-in-awhile, the Up2Date process breaks something and that's what this feels like.  You've already restored an older backup and the Factory Reset should have rebuilt the PostgresSQL data bases, so my guess would be to do a re-install from ISO on both Master and Slave followed by a restore.   Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for you posting.

    No, we haven't tried that yet.

    To tell the truth we don't think it should be necessary.

    The issue is now with the highest level of Sophos support, interfacing with development.

    But we will keep your idea in the back of our mind. I Sophos support doesn't come up with a solution any time soon, we may need to try this one.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Hi,

    I'm experiencing very similar issues since around *one* month, although I have installed 9.703-3 *two* months ago:

    top - 18:18:54 up 12 min,  1 user,  load average: 7.28, 6.59, 3.88
    Tasks: 194 total,  12 running, 181 sleeping,   0 stopped,   1 zombie
    Cpu0  : 91.6%us,  6.5%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  1.9%si,  0.0%st
    Cpu1  : 94.4%us,  5.6%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
    Mem:   3951956k total,  3079324k used,   872632k free,    28376k buffers
    Swap:  4194296k total,        0k used,  4194296k free,  1674448k cached

      PID USER      PR  NI  VIRT  RES  SHR S   %CPU %MEM    TIME+  COMMAND
    10444 root      20   0 25276  17m 3524 R     21  0.5   0:00.71 aua.bin
    10451 root      20   0 22428  14m 2676 R     20  0.4   0:00.38 aua.bin
    10446 root      20   0 23200  15m 3524 R     19  0.4   0:00.57 aua.bin
    10456 root      20   0 22428  14m 2676 R     18  0.4   0:00.20 aua.bin
    10442 root      20   0 25460  18m 4148 R     16  0.5   0:00.84 aua.bin
    10448 root      20   0 22428  14m 2676 R     16  0.4   0:00.32 aua.bin
    10422 root      20   0 81256  57m 1776 R     15  1.5   0:01.15 confd.plx
    10445 root      20   0 22804  15m 3524 R     15  0.4   0:00.52 aua.bin
    10458 root      20   0 22428  14m 2676 R     12  0.4   0:00.13 aua.bin
     9395 wwwrun    20   0 90264  83m  10m S      8  2.2   0:06.17 webadmin.plx
    10427 root      20   0     0    0    0 Z      7  0.0   0:00.47 confd.plx <defunct>
     3531 root      20   0 19440  13m 2360 S      3  0.4   0:05.83 aua.bin

    CPU usage and load is very high with aua.bin as the biggest consumer.

    A reboot didn't help.

    Cheers,
    Wolfram

  • From today we are at last at the highest level of Sophos Support and Sophos Development.

    They'll look into the issue.

    I will keep my posts updated with the information from their finding.

     

    Did you open a case with Sophos

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Okay, I've dug a little deeper.

     

    Let's find out the aua.bin parent process:

    utm:/root # pgrep -P 1 -fl aua.bin
    3531 /var/aua/aua.bin
    rog:/root #

    Okay, so the parent has PID 3531.

    Let's strace this and its children:

    utm:/root # strace -tt -vv -ff -s 8192 -p 3531 -o aua.bin.strace
    Process 3531 attached
    Process 16148 attached
    Process 16154 attached
    Process 16162 attached
    Process 16163 attached
    Process 16164 attached
    Process 16168 attached
    Process 16170 attached
    Process 16178 attached
    Process 16179 attached
    Process 16180 attached
    Process 16181 attached
    Process 16182 attached
    Process 16183 attached
    Process 16196 attached
    Process 16198 attached
    Process 16199 attached
    ^C
    Process 3531 detached
    Process 16198 detached
    Process 16196 detached
    Process 16199 detached
    utm:/root #

    Okay, so lots of children are being forked and they seem to exit quickly.

    After looking at some of the strace output files, I found it might be interesting to trace the 'send' syscall:

    utm:/root # strace -tt -vv -ff -s 8192 -p 3531 -e send
    Process 3531 attached
    18:32:16.900091 send(4, "<30>Jul 14 18:32:16 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16821 attached
    [pid 16821] 18:32:16.939843 send(4, "<30>Jul 14 18:32:16 aua[16821]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 3531] 18:32:17.333632 send(4, "<30>Jul 14 18:32:17 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16822 attached
    [pid 16822] 18:32:17.362034 send(4, "<30>Jul 14 18:32:17 aua[16822]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 3531] 18:32:18.666666 send(4, "<30>Jul 14 18:32:18 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16824 attached
    [pid 16824] 18:32:18.686888 send(4, "<30>Jul 14 18:32:18 aua[16824]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16821] 18:32:18.752779 send(4, "<30>Jul 14 18:32:18 aua[16821]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.20 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16821] 18:32:18.857537 send(4, "<30>Jul 14 18:32:18 aua[16821]: id=\"3005\" severity=\"warn\" sys=\"System\" sub=\"auth\" name=\"Authentication failed\" srcip=\"185.143.73.152\" host=\"\" user=\"eproc@internal.domain\" caller=\"smtp\" reason=\"DENIED\"\0", 199, MSG_NOSIGNAL) = 199
    [pid 3531] 18:32:18.860607 send(4, "<30>Jul 14 18:32:18 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16825 attached
    [pid 16825] 18:32:18.888994 send(4, "<30>Jul 14 18:32:18 aua[16825]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16821] 18:32:19.175544 +++ exited with 0 +++
    [pid 3531] 18:32:19.400029 send(4, "<30>Jul 14 18:32:19 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16828 attached
    [pid 16828] 18:32:19.435432 send(4, "<30>Jul 14 18:32:19 aua[16828]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16822] 18:32:19.485505 send(4, "<30>Jul 14 18:32:19 aua[16822]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.20 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16822] 18:32:19.634470 send(4, "<30>Jul 14 18:32:19 aua[16822]: id=\"3005\" severity=\"warn\" sys=\"System\" sub=\"auth\" name=\"Authentication failed\" srcip=\"46.38.145.5\" host=\"\" user=\"serpent-ine@internal.domain\" caller=\"smtp\" reason=\"DENIED\"\0", 202, MSG_NOSIGNAL) = 202
    [pid 3531] 18:32:19.641834 send(4, "<30>Jul 14 18:32:19 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16829 attached
    [pid 16829] 18:32:19.692486 send(4, "<30>Jul 14 18:32:19 aua[16829]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 3531] 18:32:20.083517 send(4, "<30>Jul 14 18:32:20 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16838 attached
    [pid 16822] 18:32:20.110264 +++ exited with 0 +++
    [pid 16838] 18:32:20.126004 send(4, "<30>Jul 14 18:32:20 aua[16838]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 3531] 18:32:21.366989 send(4, "<30>Jul 14 18:32:21 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    Process 16840 attached
    [pid 16840] 18:32:21.411949 send(4, "<30>Jul 14 18:32:21 aua[16840]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16824] 18:32:21.622943 send(4, "<30>Jul 14 18:32:21 aua[16824]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.20 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 3531] 18:32:21.752101 send(4, "<30>Jul 14 18:32:21 aua[3531]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Running _cleanup_up_children with max_run_time: 20\"\0", 139, MSG_NOSIGNAL) = 139
    [pid 16824] 18:32:21.764842 send(4, "<30>Jul 14 18:32:21 aua[16824]: id=\"3005\" severity=\"warn\" sys=\"System\" sub=\"auth\" name=\"Authentication failed\" srcip=\"185.143.72.27\" host=\"\" user=\"bol@mail.internal.domain\" caller=\"smtp\" reason=\"DENIED\"\0", 201, MSG_NOSIGNAL) = 201
    Process 16841 attached
    [pid 16841] 18:32:21.783027 send(4, "<30>Jul 14 18:32:21 aua[16841]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.30 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16825] 18:32:21.810202 send(4, "<30>Jul 14 18:32:21 aua[16825]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.20 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16825] 18:32:21.946908 send(4, "<30>Jul 14 18:32:21 aua[16825]: id=\"3005\" severity=\"warn\" sys=\"System\" sub=\"auth\" name=\"Authentication failed\" srcip=\"185.143.73.48\" host=\"\" user=\"ida@internal.domain\" caller=\"smtp\" reason=\"DENIED\"\0", 196, MSG_NOSIGNAL) = 196
    [pid 16824] 18:32:22.205748 +++ exited with 0 +++
    [pid 16825] 18:32:22.350904 +++ exited with 0 +++
    [pid 16828] 18:32:22.458907 send(4, "<30>Jul 14 18:32:22 aua[16828]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.20 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16828] 18:32:22.565617 send(4, "<30>Jul 14 18:32:22 aua[16828]: id=\"3005\" severity=\"warn\" sys=\"System\" sub=\"auth\" name=\"Authentication failed\" srcip=\"46.38.150.191\" host=\"\" user=\"jack1234@mail.internal.domain\" caller=\"smtp\" reason=\"DENIED\"\0", 206, MSG_NOSIGNAL) = 206
    [pid 16829] 18:32:22.697340 send(4, "<30>Jul 14 18:32:22 aua[16829]: id=\"3006\" severity=\"info\" sys=\"System\" sub=\"auth\" name=\"Trying AAA.BBB.CCC.20 (adirectory)\"\0", 121, MSG_NOSIGNAL) = 121
    [pid 16829] 18:32:22.811387 send(4, "<30>Jul 14 18:32:22 aua[16829]: id=\"3005\" severity=\"warn\" sys=\"System\" sub=\"auth\" name=\"Authentication failed\" srcip=\"185.143.73.33\" host=\"\" user=\"nub@internal.domain\" caller=\"smtp\" reason=\"DENIED\"\0", 196, MSG_NOSIGNAL) = 196
    [pid 16828] 18:32:22.872128 +++ exited with 0 +++
    ^C
    Process 3531 detached
    Process 16840 detached
    Process 16829 detached
    Process 16838 detached
    Process 16841 detached
    utm:/root #

    So, it seems there's lots of SMTP auth bruteforcing going on while for every authentication try, a new child of aua.bin is forked, which seems to produce lots of CPU load.

    WTF?

    Cheers,
    Wolfram

  • Alexander, can you try stracing your aua.bin parent as well?

    1. Login to the UTM via SSH as root
    2. Find out the aua.bin parent PID: pgrep -P 1 -fl aua.bin
    3. Strace the send syscall of the parent and all children: strace -tt -vv -ff -s 8192 -p <AUA_PARENT_PID> -e send

    Cheers,
    Wolfram

  • Okay, I think I've found a workaround for now:

    1. Definitions & Users
    2. Authentication Services
    3. Advanced
    4. Block Password Guessing
    5. After [3] attempts
    6. Block access for [300] seconds.
    7. [x] Drop packets from blocked hosts
    8. Facilities: at least check [x] SMTP proxy
    9. Apply

    This strongly dropped CPU usage on my UTM for now.

    Well, aua.bin authentication attempts still cause high CPU usage, but individual IPs are being blocked pretty quickly now.

    You can, of course, decrease the number of attempts from 3 to 2 or even 1, for example -- YMMV. 

    The main problem of aua.bin children producing so much load and exiting quickly is still unsolved -- I believe the lifetime of these children should be much longer than it currently seems to be.

    Cheers,
    Wolfram

Reply
  • Okay, I think I've found a workaround for now:

    1. Definitions & Users
    2. Authentication Services
    3. Advanced
    4. Block Password Guessing
    5. After [3] attempts
    6. Block access for [300] seconds.
    7. [x] Drop packets from blocked hosts
    8. Facilities: at least check [x] SMTP proxy
    9. Apply

    This strongly dropped CPU usage on my UTM for now.

    Well, aua.bin authentication attempts still cause high CPU usage, but individual IPs are being blocked pretty quickly now.

    You can, of course, decrease the number of attempts from 3 to 2 or even 1, for example -- YMMV. 

    The main problem of aua.bin children producing so much load and exiting quickly is still unsolved -- I believe the lifetime of these children should be much longer than it currently seems to be.

    Cheers,
    Wolfram

Children
  • Btw I found out that almost all of these SMTP authentication tries come from many different IP addresses from the following Italian ISP:

    org-name:       Ahoura Telecommunication Corporation
    org-type:       OTHER
    address:        DE FIORE PAESAGGIO S.A.S., Via Aterno, 8, 00198 Roma RM, Italy

    Here's how my "live view" on that works:

    utm:/root # strace -tt -vv -ff -s 8192 -p 3531 -e send 2>&1 | sed -n -e '/srcip=/{s/^.*srcip=\\"//;s/\\".*$//;p}'
    46.38.150.142
    46.38.150.193
    46.38.150.203
    45.125.65.52
    46.38.145.5
    46.38.145.254
    46.38.150.94
    185.143.72.25
    46.38.150.37
    46.38.150.191
    46.38.150.142
    46.38.145.5
    46.38.150.191
    46.38.145.254
    46.38.150.37
    185.143.72.16
    46.38.150.142
    46.38.150.37
    46.38.145.254
    185.143.72.16
    212.70.149.3
    185.143.73.162
    46.38.145.253
    185.143.73.103
    185.143.73.134
    212.70.149.19
    185.143.73.157
    185.143.73.203
    212.70.149.3
    185.143.73.250
    185.143.73.93
    212.70.149.67
    185.143.73.148
    185.143.73.162
    185.143.73.142
    185.143.73.48
    46.38.145.253
    185.143.73.41
    185.143.73.175
    185.143.73.33
    212.70.149.51
    185.143.72.27
    212.70.149.3
    185.143.73.58
    185.143.73.103
    185.143.73.62
    212.70.149.19
    212.70.149.82
    185.143.73.157
    185.143.73.203
    185.143.73.134
    46.38.150.47
    185.143.73.93
    185.143.73.148
    185.143.73.250
    185.143.73.162
    185.143.73.171
    185.143.73.142
    46.38.145.253
    185.143.73.84
    185.143.73.175
    46.38.150.72
    185.143.73.33
    185.143.73.48
    185.143.73.41
    212.70.149.19
    185.143.73.62
    185.143.73.119
    185.143.72.27
    212.70.149.51
    185.143.73.58
    46.38.150.132
    185.143.73.203
    212.70.149.82
    185.143.73.103
    185.143.73.93
    185.143.73.152
    185.143.73.148
    185.143.73.142
    46.38.150.47
    185.143.73.157
    185.143.73.250
    185.143.73.84
    185.143.73.134
    46.38.150.72
    185.143.73.171
    185.143.73.175
    185.143.72.34
    185.143.73.33
    185.143.73.48
    141.98.10.208
    185.143.73.41
    185.143.73.62
    185.143.73.119
    185.143.73.58
    212.70.149.51
    46.38.150.132
    212.70.149.82
    185.143.72.27
    185.143.73.152
    185.143.72.16
    46.38.150.47
    185.143.73.171
    185.143.73.84
    46.38.150.203
    46.38.150.193
    46.38.150.72
    185.143.72.25
    185.143.73.119
    46.38.150.132
    185.143.73.152
    185.143.72.34
    46.38.150.94
    46.38.150.203
    46.38.150.193
    212.70.149.67

    Seems they are well known bad guys: https://www.abuseipdb.com/check/46.38.145.5

    Cheers,
    Wolfram 

  • What makes all this much worse is the fact that, when using the SMTP proxy of the Email Protection feature, one cannot simply block IP networks on the IP level from accessing the SMTP proxy, neither through custom rules under Network Protection -> Firewall, nor through Email Protection -> SMTP -> Relaying -> Host/Network Blacklist.

    Oh my, Sophos... m(

    So, my workaround for blocking entire IP networks from effectively accessing the UTM at all is using the Blackhole route feature under Interfaces & Routing -> Static Routing.

    It doesn't block the incoming packets, but it discards all response packets, so it successfully prevents TCP connections from being established.

    I blackholed the following networks for now which resulted in much less SMTP proxy authentication tries:

    46.38.144.0/23
    46.38.146.0/23
    46.38.148.0/22
    185.143.72.0/22
    212.70.149.0/24
    87.246.7.0/24

    Cheers,
    Wolfram

     
  • Perhaps not exactly an intellectual peak performance. But where does authentication take place with the SMTP proxy? Especially regarding brute force.
    Till now I didn’t recognize that option. Maybe I’m tired.

    Best regards 

    Alex 

    -

  • I'm afraid I don't really understand your question.

    When an SMTP authentication attempt occurs, the AUA tries to authenticate against the configured authentication services, in my case 2 Active Directory servers.

    Cheers,

    Wolfram

  • Hallo Wolfram,

    In Basic Exchange setup with SMTP Proxy, I recommend against using Authenticated Relay.  If you must use it, I recommend a blackhole DNAT on the External Interface for all traffic coming from the Internet to the SMTP Proxy.  If you need to allow traffic from employees working from home, I would suggest they connect via Remote Access.  If that's not practical, add a NoNAT rule above the blackhole DNAT for their IPs.

    You might want to ask a question in the Mail Protection forum to see if someone has found a way to avoid using Authenticated Relay in your situation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Guten Morgen Wolfram,

    thanks for you very long and detailed postings.

    I know that Sophos Support has been going down the same route.

    They also reported about a a lot of SMTP authentication requests.

    They advised to put a handful of networks (inclufing the Italian "Ahoura" network) on the firewall block and I also put them in the SMTP block list.

    But as you did, we noticed no change.

     

    I will do the blackholing and see what will come out of it.

    I'll also go through your other recomendations.

     

    What puzzles me, is that we are not using any real SMTP authentication on our firewall.

    We run our SMTP service in "SMTP Profile" mode to accept emails for our own and customer's exchange servers.

    We only are using the verification of existence of the recipient email address against our own and customer's active directories/ldap directories.

    Only two fixed, firewall-local users are allowed to authenticate and relay. No SMTP authentication against other sources is configured.

    Still Sophos Support reports of a huge amount of authentication attempts against the configured active directory and ldap servers.

    Why should the SG try and authenticate SMTP if no SMTP back-office authentication is configured?

    And why this change of behaviour all at once? We have been running this firewall cluster for almost 5 years now.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • WolframSchlich said:

    I'm afraid I don't really understand your question.

    When an SMTP authentication attempt occurs, the AUA tries to authenticate against the configured authentication services, in my case 2 Active Directory servers.

    Cheers,

    Wolfram

    OK, I see, you use the UTM as an authenticated relay. My fault, I just didn't thought of that use-case till now.

    Wish you the best

    Alex

    -

  • Hallo Wolfram,

    Sophos Support advised to put the following networks in the Firewall as "drop":

    46.38.0.0/16

    185.143.0.0/16

    212.70.149.0/24

    As you noticed, it didn't work.

    I've not put them in the "Blackhole" routing list.

    For good measure I've also added the 87.246.7.0/24 mentioned by you.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Hi Alexander,

    you're welcome -- free Platinum support ;-)

    Blackholing these spammer networks should help, I believe.

    Funny that the Sophos guys don't know their own product, as it seems ;-D

    Regarding the SMTP authentication attempts and authentication queries against the configured AD/LDAP backends:

    What kind of entries do you have under Relaying -> Authenticated Relay -> Allowed Users/Groups? Only local items, or also AD/LDAP groups, for example?

    I do have 1 AD group and 1 local group, so querying the AD for every authentication request seems reasonable by principle, in my case.

    I've not (yet) tried whether the AUA still queries the AD when I remove that AD group and just keep the local group as allowed.

    What does not seem reasonable is the high CPU load of AUA when forking and querying the AD and that every forked AUA child seems to be killed after a single AD query (the children should probably me more long-lived). Maybe something regarding this has changed in 9.703-3?

    Cheers,
    Wolfram

  • Hello Wolfram,

    it worked!!!!!! ;-)

    CPU load is back to normal.

    Now at around 11%, where it should be.

     

    Still unanswered question by Sophos is, why does the firewall want to athenticate SMTP when not SMTP authentication is configured, only verification.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner