hello all,
As I logged in to my OpenSuse today I noticed a messaged in GUI that said that I have / partition full.
How can I find what process or … what happened because yesterday I had a lot of disk space.Is there a log file for this?
Thanks!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
First, find out what is actually full, and post the output from:
df -h
Good luck.
ionpetrache wrote:
> hello all,
>
> As I logged in to my OpenSuse today I noticed a messaged in GUI that
> said that I have / partition full.
> How can I find what process or … what happened because yesterday I
> had a lot of disk space.Is there a log file for this?
>
> Thanks!
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQIcBAEBAgAGBQJKXKGsAAoJEF+XTK08PnB5z20QAJt9jq95SNx1+psjpXvsJ0VZ
ngtyofW3wEjsu5N5P5uu4uQEfZSmcqj1am0fBztrcc6ba4WMXMXUxJ45d6rA2iAX
EIzCp4Oes/EcK5GrkVB2tqpKXnw100kXPj03NJP+oxKYj/6rzQKaTXmK/WWon63P
D37eYs3z11wPY0H1L1OSnjocR0sKfnw5DDZeu6BbujyprQ0X54ftlj+nCkU4qR/0
nSTL57nDEL/31DUuLV5cvjC21nvlFPSSguhsakfEeT7e1yxG10IJ/k0qBvQmpAB6
s0/vyjZYpd22isUeIiUpew5YgWkJv/4h2lbOPgHI6eLQmIT8JVT1QVVV5cvUTosD
s6s7yGwmIAI5Rz8wheKtG5ZiYzHtXp3pTa7zGqaGr67gvyu6p84zM3LFB9HrlKzF
pjNKTKnNR7DnvMagbKUHUeWWu0yzRhpsOy3wUOQe7SLsPh1dwG98VAzml1SwFakX
WA9gTW/YMdQHG6DmwaPgRFN5V6mF0+khGXEIEBNABgzFngGzpag0lrL1zYZf/ixv
/EApHGNvvK/qguStuRHmMogvmfzRKq8Nf1VvA4jt0ZPhaDu4Vl8oKWvnyFIiaufl
IQA3vu6eG1Oil9bevLsJzfi7ZimixR6iAUgVPdRSSL4B6Z2Qvqvn0SKCBeSGG1sN
RtNO7ZXMKRBJNZ1lckrE
=zbNR
-----END PGP SIGNATURE-----
and, if it is full it is (i GUESS) a runaway log file…look in
/var/log for a monster file or more…
or, it might actually be full because of a hardware problem in which
much of the drive became inaccessible…
–
brassy
The output of df -h is:
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 14G 14G 0 100% /
udev 125M 56K 125M 1% /dev
/dev/sda2 23G 198M 22G 1% /home
ionpetrache wrote:
> The output of df -h is:
>
> Filesystem Size Used Avail Use% Mounted on
> /dev/sda3 14G 14G 0 100% /
> udev 125M 56K 125M 1% /dev
> /dev/sda2 23G 198M 22G 1% /home
>
i know you did as AB said, and i know that AB knows a LOT more about
this than i do, and i know that s/he will come to work in a few hours,
but:
all i can tell from above is that, in fact, your hard drives partition
sda3 is full…and, that sda3 is where the root directory (/) is mounted…
do, the following in a terminal, post the results back here and maybe
AB can zero in on the monster:
su [and supply root password when requested, then]
cd / && du -cks * | sort -rn | head -11
depending on magic, it might take several minutes for that to
run…during that time not much seems to happen, but it is…so, be
patient…
AB, over to you!
–
brassy
The output of the command is:
cd / && du -cks * | sort -rn | head -11
du: cannot access proc/13114/task/13114/fd/4': No such file or directory du: cannot access proc/13114/task/13114/fdinfo/4’: No such file or directory
du: cannot access proc/13114/fd/4': No such file or directory du: cannot access proc/13114/fdinfo/4’: No such file or directory
14081484 total
9958596 var
3109840 usr
833604 opt
72572 lib
43460 etc
26368 home
9844 boot
9800 root
9340 sbin
7568 bin
ionpetrache wrote:
> The output of the command is:
>
> cd / && du -cks * | sort -rn | head -11
> du: cannot access `proc/13114/task/13114/fd/4’: No such file or
directory
du: cannot accessproc/13114/task/13114/fdinfo/4': No such file or > directory > du: cannot accessproc/13114/fd/4’: No such file or directory
du: cannot access `proc/13114/fdinfo/4’: No such file or directory
> 14081484 total
> 9958596 var
> 3109840 usr
> 833604 opt
> 72572 lib
> 43460 etc
> 26368 home
> 9844 boot
> 9800 root
> 9340 sbin
> 7568 bin
>
ok…in my first note to you i mentioned it was probably a runaway
log…and, since logs are in var, the above point toward that
also…do this
sudo ls -ahoRS /var/log | head
and give the root password when challenged…
then post the results back here…i guess we will find something like
zypper.log, messages or firewall is filled with something that may or
may not be important AND your log rotate needs to be adjusted, and
maybe whatever is being reported to the log needs attention…
hopefully, someone smarter than me can help you with that…
–
brassy
ls -ahoRS /var/log | head
/var/log:
total 9.4G
-rw-r----- 1 root 9.4G Jul 14 08:45 firewall-20090714
-rw-r----- 1 root 8.6M Jul 14 13:38 firewall-20090714.bz2
-rw-r----- 1 root 4.8M Jul 15 13:16 firewall
-rw-r----- 1 root 2.5M Jul 13 13:25 firewall-20090713.bz2
-rw-r----- 1 root 1.6M Jul 11 13:22 firewall-20090711.bz2
-rw-r----- 1 root 1.3M Jul 15 08:49 zypper.log
-rw-r----- 1 root 936K Jul 15 14:46 messages
-rw-r----- 1 root 766K Jul 15 14:46 warn
yes, seems to be a firewall log but why such a big file???and how can I make a size limit on log files …or I should make a script to delete files in /var/log day by day?
Thanks a lot for the information!
in Yast firewall settings, you can turn off firewall logging 
I wonder why logrotate hasn’t rotated your logs :\
Thanks!Now everything seems to be OK.
ionpetrache wrote:
> Thanks a lot for the information!
welcome…looks like someone is knocking at your door…probably a
cracker in china or some other place…i’m not qualified to help you
sort out exactly what is going on…it could be anything from a
harmless annoyance to a full fledged crack…
ok, i helped you find the problem, someone else has to help you FIX
it…sure you can just turn off firewall logging…but, then you
loose all chances of fixing a hole in the damn, if there is one!
and, as for log rotate–mine wasn’t set tight enough either…but, i
sure don’t remember what i did to fix that…sorry…
you can start with
man logrotate
in a terminal…
and, search the forum <http://forums.opensuse.org/search.php> for
nuggets of gold…and ask questions as/when you run into trouble…
but, to get your machine back to nearer normal you could temporarily
turn off firewall logging while you figure out a logrotate scheme
which does what needs to happen…
good luck…and, AB you are still invited to step back in…
–
brassy
the amount of firewall logging is adjustable. If one wants, he can turn on logging only for critical stuff and disable all others
My firewall was set to log all the traffic so I think that was the problem:P
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
brassy - You don’t give yourself enough credit. 
ionpetrache - Good work (and brassy) finding the issue. Why didn’t
logrotate take care of it? I’m guessing it is only set to rotate once per
period of time or when a certain size is reached. logrotate does not run
every second so if it is set to run daily (like mine is) and that is set
to only rotate when a certain size is reached, then the excessive size
(per an attack, for example) could have been generated between rotations.
For example on my SLED 11 box I have the following in
/etc/logrotate.d/syslog which defines when various logs are rotated:
/var/log/warn /var/log/messages /var/log/allmessages
/var/log/localmessages /var/log/firewall /var/log/acpid
/var/log/NetworkManager {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload
endscript
}
As logrotate is called daily I could have a full day for somebody to
attack my box. Advice on what to do here can vary. First, if you’re
interested, look for patterns after you truncate /var/log/firewall for
anything worthwhile. Second, turn down logging unless you plan to use it
from time to time as you have likely already done. Third, your root
partition is fourteen gigabytes. That should be plenty for most
situations, but you may want to give more, or partition off /var in the
future, so filling variable spaces (like logs) does not impact your entire
system as adversely. Fourth, you could setup logrotate to run more often
to catch randomness like this.
Fifth, and possibly most-importantly, if your box is on a public network
directly accessible then stop that now. Most of the time there is no
reason to expose a non-server to the Internet directly. I can’t imagine
this would happen if you were behind a router at home or at work normally.
Good luck.
ionpetrache wrote:
> My firewall was set to log all the traffic so I think that was the
> problem:P
>
> microchip8;2012748 Wrote:
>> the amount of firewall logging is adjustable. If one wants, he can turn
>> on logging only for critical stuff and disable all others
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQIcBAEBAgAGBQJKXeZDAAoJEF+XTK08PnB5gkIP/izG41ChJkO8fs7yJEAigNwG
ZDfAEKbsiSyKrBAGRG+kOOOz356kYrDic7c2yjkfriRXxk+AdTDX/dfefsTCrgr1
QqeYUd2OCverymTyephdT4tVEdinhjVxrGFmIWBbYTaXxlFeaxxgBXVApE48GZzC
ARKq9yBN6fxo60vGePANPmLqHSycMPOeem7glRpKoWvLmB9YD8tcCDascmH2kqBB
zYd6cq6Pr0wHbVHwX/+i/mymZ5l2MuhGPCjeElH/mOklGtrtp9URnlvZ1jqOto6X
EySB7P7C2ChYteg+y0ac0mSDuM2X1RV5LpJbNsvIhZZRgKboOHc1y3vCLQCjZKbR
B3bka0LgxviDKXTownSQwkT3pl3jjrKjEC9Ogss+cXBcE0yzqC4aBxNXwxk2WsWt
biHWgyFSh+aV3h1scHq24TNo59xVfCONsL/gltf51+BQiQ6Bvt1VCa7ZZtJjCeTJ
ov+NmXkpj/9sRbvIQQNm+FfW1XnDBng+tMpfwQwa4QN1dJ4BAXASCMe0chBJ1XpR
URvahuCF3+a2VNIS7gQnAYlpYSHcv0kLQLhRS7pIo/Jfqvoof7z3cZMWfalNjsbH
DviG0icX58kmkuUrvXHMUCkEr5D7gTA6bcyoa+lij1JPK5aOr+tbfhjut7jqwVQj
fwwPWTwNXzRoNzmHueiE
=H90J
-----END PGP SIGNATURE-----