massive /var/log/messages file

Subj, rotation is set on weekly basis and it works
Size of this file is around 2.5Gb
but when I’ve looked at it - it looks like it is recording loads and loads of info like iptables packets (from the look of it):
Something like this

Feb 2 03:03:31 123.123.123.123 kernel: IN= OUT=eth1 SRC=234.234.234.234 DST=201.201.201.201 LEN=49 TOS=0x00 PREC=0x00 TTL=64 PROTO=TCP…

Can someone help to minimise this unnecessary information or disable from being logged?
Is it required by any modules as a source of some kind of statistical info?

Howdy,

Are you using a firewall on your server?

And do you know if you configured Virtualmin to use iptables for bandwidth accounting, rather than using the default logfiles to accomplish that?

-Eric

Hi Eric,
yes I use standard included iptables
and no I did not change anything in terms of logging, where should I look?

Those are iptables messages, indeed. To get a first idea what rules cause those entries, you can do

iptables -L -t filter -n -v | grep LOG

since iptables rules that have “LOG” as target cause matching packets to be logged. The -v verbose option causes the packets and bytes counters to be displayed (packets is the first number in each line), so if any LOG rule has a large packet counter, you know what’s filling your syslog. :slight_smile:

cheers, Locutus
here is the output, it doesnt tell me much apart from the size

6496K 851M LOG all – eth1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 LOG all – * eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 LOG all – eth1 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
4282K 8979M LOG all – * eth1 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

Well the first and last lines are rules that apply to packets coming from eth1 and going to anywhere, and respectively coming from anywhere and going to eth1. Those are logged to syslog, and the counter shows that 6.4 million of the first and 4.2 million of the second have been logged since last reboot. :slight_smile:

Now you at least know why your log gets filled.

Question is now, how were these rules added. You might want to check any firewall configuration tool, i.e. the Webmin firewall module, you’re using and if that’s set to have everything logged.

Locutus, cheers again for your time!
Just looked at it and I assume this is what the cause is (in iptables rules)
chain:
Forwarded packets (FORWARD) - Only applies to packets passed through this host
rules:
“Log packet If output interface is eth1”
“Log packet If input interface is eth1”

I will eliminate these two rules and see how it goes from here.
I assume there is no need for these to be logged, even for things like fail2ban?

yes that was the problem in iptables - to log packets
it’s off now and nothing floods the system with detailed packet logs