
Web filter log spams to 80GB

I've come into a scenario over the weekend where our Web log file went from 1% utilization to 100% utilization in a matter of hours (about 5 hours).  It appears that our Sophos UTM was stuck in some kind of loop that it couldn't recover from.

[HTML]
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="ssl_write" file="ssl.c" line="1227" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Connection reset by peer"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"

...

2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"

[/HTML]

Once the system logged the 'Input/output error', it filled up the log partition pretty quickly and caused the system to eventually become unresponsive.

Has anyone seen this kind of scenario and if so how was it resolved?

My environment is the following:

[HTML]
Model:                 SG310
Firmware version: 9.315-2
Pattern version: 87377
[/HTML]

First time posting to the bulletin board so if there is additional information that is required, please let me know and I will look into it.

Appreciate any help or suggestions.
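An added example (not part of the original post and not Sophos code): a Python check that parses httpproxy lines in the format quoted above and flags any identical event repeated many times within one timestamp second, the pattern that filled the log partition here. The sample lines are constructed from the excerpt, and the function names and the threshold of 10 are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the httpproxy lines quoted in the post.
_PREFIX = ('2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" '
           'sys="SecureWeb" sub="http" request="0xc1c2800" ')
SAMPLE = [
    _PREFIX + 'function="ssl_write" file="ssl.c" line="1227" '
              'message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"',
] + [
    _PREFIX + 'function="send_request_body_send" file="request.c" line="636" '
              'message="recv: Input/output error"',
] * 12

HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one log line into header fields plus its key="value" pairs."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(FIELD_RE.findall(rec.pop("body")))
    return rec


def find_storms(lines, threshold=10):
    """Report events repeated at least `threshold` times in one timestamp second."""
    counts, sizes = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not in the expected format, ignore
        key = (rec["ts"], rec["pid"], rec.get("request"),
               rec.get("function"), rec.get("message"))
        counts[key] += 1
        sizes[key] += len(line.rstrip("\n")) + 1  # size incl. newline (ASCII log)
    return [
        {"ts": k[0], "pid": k[1], "request": k[2], "function": k[3],
         "message": k[4], "count": n, "bytes": sizes[k]}
        for k, n in counts.items() if n >= threshold
    ]


if __name__ == "__main__":
    for storm in find_storms(SAMPLE):
        print(storm)
```

Grouping on the `request` value as well as the message separates one stuck request repeating the same error from many clients failing independently.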


  • If you are a paying customer, please log a ticket with Support.
  • I already opened up a support ticket but considering support is being outsourced from another country and the fact they want Webadmin access to troubleshoot further, I figured I would try to see if the community has seen similar issues.

    We have very sensitive data within our network and so access to our UTM is restricted.

    I'm still waiting on a response from them which I posted yesterday. We do have the Premium Support package so if there is a different route to take I'm all ears =)
  • In general (and this applies to everyone), if there is a configuration problem or a workaround needed, the forum is a good place to go because what you need is information.

    However, if there is a problem that requires a code fix, the only way to get that is through the developers, and their priority list of what to work on is the number and size of customer issues that come to them via Support.

    This is likely the latter.
  • Hi, and welcome to the User BB!

    Not much to add to Michael's comment, just that your reseller should already be involved.

    What attempted access immediately preceded the arrival of these error messages?  Since this is a very new system, there isn't much history in the graphs and databases to lose, so, just a WAG, from the command line as root, try:

    /etc/init.d/postgresql92 rebuild 


    Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA