Re: [squid-users] Information flooded in logfiles

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 21 Sep 2009 00:01:22 +1200

sandiphw wrote:
> Thank you all for valuable assistance. I am working in a corporate
> environment. squid is installed on a linux server and all these desktops/
> laptops (Windows) generating these logs are through samba client. This
> thing happened very recently and requests are coming from hundreds of clients.
> We have not installed any new software on any client machine.

Somebody did something to them ...

Does not have to be new software to be broken either.

>
> Anyhow, I shall try to build a syslog server, but it may take time due to
> my limited knowledge. If you can advise me how to fix log sizes through
> squid configuration, it will give me temporary relief.
>
> Regards,
>
> SKS

A syslog server may face the same problem, along with lost information
as the network floods with additional GB of UDP packets containing log
information. If the network reaches flood levels, important log lines
indicating problems may be lost.

  ** You ** NEED ** to ** FIX ** the ** clients ***

The fact that you say nothing changed on the clients is ringing a huge
warning bell for me.

Windows machines which have _actually_ not been changed but suddenly
start a DoS with new traffic are a good sign of infections underway.

The partial domain makes me think the DNS settings in your network, or a
configuration update pushed out to the client machines, are not quite
right.

Depending on your squid you may be able to use an ACL matching the domain
"ab-desktop" on the access_log to reduce the recorded traffic logged.
That will prevent you from locating a suitable client to try fixing, though.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.13
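Before suppressing the "ab-desktop" lines with an ACL, the practical step is to find out which clients are generating them, since that is exactly what the ACL would hide. The script below is an added example, not part of the original thread or of Squid itself: it parses lines in Squid's default "squid" access_log format, applies the same exact-host / leading-dot subdomain matching that a dstdomain ACL uses, and ranks the clients hitting the bad host. The log lines, client addresses, status codes and the hostnames "ab-desktop" and "printer.ab-desktop" are all constructed for the example.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of Squid's native access_log format (assumed, not real data):
#   timestamp elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1253448082.117     12 10.0.5.23 TCP_MISS/503 0 GET http://ab-desktop/wpad.dat - NONE/- text/html
1253448082.120     11 10.0.5.23 TCP_MISS/503 0 GET http://ab-desktop/wpad.dat - NONE/- text/html
1253448082.131    240 10.0.7.9 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1253448082.140     10 10.0.5.88 TCP_MISS/503 0 GET http://printer.ab-desktop/ - NONE/- text/html
1253448082.150     13 10.0.5.23 TCP_MISS/503 0 GET http://ab-desktop/ - NONE/- text/html
1253448082.160      9 10.0.5.88 TCP_MISS/503 0 GET http://ab-desktop/ - NONE/- text/html
1253448082.170     15 10.0.6.4 TCP_MISS/503 0 GET http://AB-DESKTOP/ - NONE/- text/html
1253448082.180    300 10.0.7.9 TCP_MISS/200 3400 CONNECT secure.example.com:443 - DIRECT/203.0.113.5 -
"""

# Only the leading fields are needed; elapsed time is right-aligned so use \s+.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return (client, result, url) for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("client"), m.group("result"), m.group("url")


def url_host(url):
    """Lower-cased host of a logged URL. CONNECT lines log bare host:port, so add '//' for urlsplit."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def domain_matches(host, domain):
    """Mimic a squid dstdomain ACL: 'x' matches only x; '.x' matches x and any subdomain of x."""
    domain = domain.lower()
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


def top_clients(log_text, domain, limit=5):
    """Requests per client whose destination matches `domain`, as (client, count) pairs, busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _result, url = parsed
        if domain_matches(url_host(url), domain):
            counts[client] += 1
    return counts.most_common(limit)


def noise_share(log_text, domain):
    """Fraction of parseable lines that hit `domain`: how much of the log the flood accounts for."""
    total = hits = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        if domain_matches(url_host(parsed[2]), domain):
            hits += 1
    return hits / total if total else 0.0


if __name__ == "__main__":
    # Usage: python find_flooders.py [/var/log/squid/access.log] [ab-desktop]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    target = sys.argv[2] if len(sys.argv) > 2 else "ab-desktop"
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_ACCESS_LOG
    print(f"{noise_share(text, target):.0%} of parsed lines hit {target!r}")
    for client, n in top_clients(text, target):
        print(f"{n:8d}  {client}")
```

Run it against the real access.log with the real hostname once the flood starts and the top few addresses are the machines to pull off the network and inspect (the wpad.dat requests in the constructed sample are one plausible shape for a bad proxy or DNS push, not evidence from the thread). Only after those clients are identified does it make sense to apply the ACL Amos mentions, which in squid 2.6/3.0 syntax would be an "acl ab_desktop dstdomain ab-desktop" line followed by "access_log /var/log/squid/access.log squid !ab_desktop" (path assumed); that suppresses the lines and, as noted above, also suppresses the evidence.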
Received on Sun Sep 20 2009 - 12:01:37 MDT

This archive was generated by hypermail 2.2.0 : Sun Sep 20 2009 - 12:00:02 MDT