Error Filling http.log directory in UTM 9

I have a ticket open with Sophos Support, but thought I would put it out to the support community also. After the latest update (9.510-5), we started filling our http.log file with the following error:

2018:08:30-08:44:20 ansophos httpproxy[5511]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x3539ca00" function="read_winbindd_response" file="auth_adir.c" line="239" message="epoll_read_until: Transport endpoint is not connected"

Has anyone seen this before? I have removed the UTM from the domain and rejoined it, but it still has not resolved the issue.



  • Same on our 2 SG550 HW appliances. Our log is flooded with the same message:

    2018:09:17-15:23:08 HOSTNAME httpproxy[6786]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd2931200" function="read_winbindd_response" file="auth_adir.c" line="239" message="epoll_read_until: Transport endpoint is not connected"

    After half a day of operation the proxy is unresponsive because it's overloaded from the entries in the logfile.

    Rejoining to the domain didn't resolve the issue.

    Also, resetting the internal DB (/etc/init.d/postgresql92 rebuild) didn't resolve the issue - suggested by support.

  • Mh. 

    Are there only those log entries or a couple of others? Do you experience any issues?

    Because if you disable the logging of allowed / denied web requests in the GUI, the HTTP.log will only log such "errors", which are quite normal on UTM9. This can be confusing and is a common mistake, but those log entries seem to be normal. Do you have another UTM with Web protection? You can check the other UTM with a basic grep and wc -l command.

    Can you also post the size of your http.log?

    The UTM getting unresponsive because of a "plain log file" seems unnatural. Maybe you have another issue?

    Can you check whether those log entries are also there in older log files?


  • Hi,

    as we also log the web traffic I see the accessed pages also in the http.log file.

    We experience serious issues as the web proxy isn't functioning until we clean the http.log (which doesn't clean itself, although it is configured to do so).

    The http.log file gets as big as it can get (~96GB for the last time) in a few hours.

    We see the exact same behavior on 2 other SG550 (one of them joined to another AD domain).

    I see this error more than 20347 times per second (http.log file is growing 5MB per second) - not joking(!).

    It is a serious issue on our side because as soon as the proxy gets unresponsive our applications are broken too.

    Don't know if this is related, but I also see a file in /tmp which uses 100% of the space there (ts.28594.1537190505.31397 - 5.6GB).
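
The grep and wc -l check suggested in the replies, extended to a per-second rate so it can be compared across boxes and older log files. This is an added example, not part of the thread: the function names and sample lines are constructed, and it assumes the timestamp is the first whitespace-separated field, as in the log lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): per-second rate of the winbindd read
# error quoted above. Reads the files given as arguments, or stdin if none.

# Prints: <total matches> <peak matches in one second> <timestamp of that second>
winbindd_error_stats() {
    awk '
        /function="read_winbindd_response"/ && /Transport endpoint is not connected/ {
            total++
            n = ++count[$1]            # $1 is the timestamp, YYYY:MM:DD-HH:MM:SS
            if (n > peak) { peak = n; peak_ts = $1 }
        }
        END { printf "%d %d %s\n", total, peak, (total ? peak_ts : "-") }
    ' "$@"
}

# Constructed sample input in the line format shown in the thread.
make_sample_log() {
    err='httpproxy[6786]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x0" function="read_winbindd_response" file="auth_adir.c" line="239" message="epoll_read_until: Transport endpoint is not connected"'
    {
        echo "2018:09:17-15:23:08 HOSTNAME $err"
        echo "2018:09:17-15:23:08 HOSTNAME $err"
        echo "2018:09:17-15:23:08 HOSTNAME $err"
        echo '2018:09:17-15:23:09 HOSTNAME httpproxy[6786]: id="0000" message="constructed unrelated line"'
        echo "2018:09:17-15:23:09 HOSTNAME $err"
    } > "$1"
}

# Demo on the constructed sample; on a real box, pass the http.log path instead.
sample=$(mktemp)
make_sample_log "$sample"
winbindd_error_stats "$sample"
rm -f "$sample"
```

Compressed older logs can be piped in on stdin, since the function reads stdin when no file is given.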

  • In this case, you should go with the Sophos Support to get this analyzed. 


  • Neither you nor Kevin responded to my question above.

    Sometimes, it's necessary to physically delete the UTM account in AD before re-joining.

    There have only been a few complaints about this error message here in the last 12 years, and none with the logging problem.  I have to suspect a hardware problem in your infrastructure.

    In any case, you should insist that Support escalate your case.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've been trying this for more than a week - but unfortunately without success. My last hope was to put it here. I'm not sure why this is only happening to us (on 3 boxes).

    If we get a solution to this, I'll post it here.

  • I have a case open with Sophos Support. They are still trying to determine the issue :-(