Web filter log spams to 80GB

I've come into a scenario over the weekend where our Web log file went from 1% utilization to 100% utilization in a matter of hours (about 5 hours).  It appears that our Sophos UTM was stuck in some kind of loop that it couldn't recover from.

[HTML]
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="ssl_write" file="ssl.c" line="1227" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Connection reset by peer"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"

...

2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"
2015:09:07-17:16:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"

[/HTML]

Once the system logged the 'Input/output error', it filled up the log partition pretty quickly and caused the system to eventually become unresponsive.

Has anyone seen this kind of scenario and if so how was it resolved?

My environment is the following:

[HTML]
Model:                 SG310
Firmware version: 9.315-2
Pattern version: 87377
[/HTML]

First time posting to the bulletin board so if there is additional information that is required, please let me know and I will look into it.

Appreciate any help or suggestions.
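
An added example, not part of the original post and not Sophos tooling: a Python detector for the pattern in the excerpt above, where one httpproxy request handle logs the same message many times within a single second. It also reports what that request logged just before the flood started. The function names, the threshold, and the sample list are assumptions made for illustration.

```python
import re
from collections import Counter

# Line layout as in the excerpt: "<ts> <host> httpproxy[<pid>]: key="value" ..."
LINE_RE = re.compile(r'^(\S+) \S+ httpproxy\[(\d+)\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return a dict of the key="value" fields plus ts and pid, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group(3)))
    rec["ts"], rec["pid"] = m.group(1), m.group(2)
    return rec

def flood_key(rec):
    # Same second, same process, same request handle, same call site and text.
    return (rec["ts"], rec["pid"], rec.get("request"),
            rec.get("function"), rec.get("message"))

def find_floods(lines, threshold=5):
    """List (key, count) for identical entries repeated >= threshold times
    within one timestamp (the log has one-second resolution)."""
    counts = Counter(flood_key(r) for r in map(parse_line, lines) if r)
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

def context_before(lines, key, keep=2):
    """Messages logged for the same pid/request just before the flood began."""
    seen = []
    for rec in filter(None, map(parse_line, lines)):
        if flood_key(rec) == key:
            break
        if (rec["pid"], rec.get("request")) == (key[1], key[2]):
            seen.append(rec.get("message", ""))
    return seen[-keep:]

# Constructed sample modelled on the excerpt in the post (not the full log).
_P = '2015:09:07-14:22:54 sophos httpproxy[5874]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc1c2800" '
SAMPLE = [
    _P + 'function="ssl_write" file="ssl.c" line="1227" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"',
    _P + 'function="send_request_body_send" file="request.c" line="636" message="recv: Connection reset by peer"',
] + [_P + 'function="send_request_body_send" file="request.c" line="636" message="recv: Input/output error"'] * 8

if __name__ == "__main__":
    for key, n in find_floods(SAMPLE):
        print(n, "x", key[4], "| preceded by:", context_before(SAMPLE, key))
```

Run over a live log, a check like this can raise an alert while the partition still has headroom, rather than after it reaches 100%.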


This thread was automatically locked due to age.
  • Hi, and welcome to the User BB!

    Not much to add to Michael's comment, just that your reseller should already be involved.

    What attempted access immediately preceded the arrival of these error messages?  Since this is a very new system, there isn't much history in the graphs and databases to lose, so, just a WAG, from the command line as root, try:

    /etc/init.d/postgresql92 rebuild 


    Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA