
inotify_log gets very large

Open randallsevery opened this issue 5 years ago • 6 comments

We have been using maldetect on all of our CentOS 7 servers for many years, but recently enabled inotify support on several of the servers for use with another tool on the server. What I didn't realize at the time is the effect that would have on maldetect until one of the servers almost ran out of disk space. When I dug into what was using all of the disk space, I found that the /usr/local/maldetect/logs/inotify_log file was using up 150Gb of disk space by itself! I deleted the file and restarted maldetect and the disk space returned to normal, but now that I'm watching it I see that it is filling up rapidly again. I set up a daily cron job to delete that file and restart maldetect, which seems like fixing the issue with a sledgehammer, but looking at the file now after only 16 hours the file is already 6Gb in size. So I have the following questions:

  1. Is the inotify_log file actually needed? Is there any way to disable it? (I couldn't find such a way after an exhaustive search)
  2. Is there any way to force maldetect to regularly clear the inotify_log file and recreate it?
  3. I found that the --purge option deletes the other log files, but not the inotify_log file, why?
  4. If the answers to the above questions don't provide a viable solution, what is the best way to keep the inotify_log file from consuming the entire disk?

randallsevery avatar Dec 12 '19 21:12 randallsevery

-p, --purge
   Clear logs, quarantine queue, session and temporary data.

After this you can set maxfilesize to prevent it from becoming big again.

nikoup avatar Jun 17 '20 17:06 nikoup

I'm having the same problem and am unable to find the config option to set the max logfile size. Which option is it, and in which of the config files is it?

L0ric0 avatar Aug 09 '20 12:08 L0ric0

@L0ric0 is the 'ed' command available on your system?

rfxn avatar Aug 15 '20 15:08 rfxn

@rfxn no, but I can install it.

L0ric0 avatar Aug 30 '20 09:08 L0ric0

Hi, the problem is that logrotate is not rotating these files. I have solved it as follows.

nano /etc/logrotate.d/maldet

    /usr/local/maldetect/logs/event_log /usr/local/maldetect/logs/clamscan_log {
        weekly
        rotate 4
        size=100M
        missingok
        notifempty
        compress
        delaycompress
        create 0644 root root
    }

    /usr/local/maldetect/logs/inotify_log {
        weekly
        rotate 4
        size=100M
        missingok
        notifempty
        compress
        delaycompress
        create 0640 root root
        postrotate
            /bin/systemctl condrestart maldet.service > /dev/null 2>/dev/null || true
        endscript
    }

Testing as follows.

Test - Debug - Run logrotate.

logrotate -d -f /etc/logrotate.d/maldet

-d is debug mode; check whether you see anything that is not right!

logrotate -f /etc/logrotate.d/maldet

-f forces a run; check the /usr/local/maldetect/logs folder to find the rotated files and see if the inotify_log is growing.

Hope that helps anyone else who comes here :-) Cheers.

TheFryingPI avatar May 06 '21 07:05 TheFryingPI

Hi,

In my case MySQL temp files were being monitored and added to /usr/local/maldetect/logs/inotify_log

    ^/var/tmp/mysql.sock$
    ^/tmp/mysql.sock$
    ^/var/cache/buagent/md0.cache.data$
    ^/var/tmp/#sql_..MYD$
    ^/tmp/#sql_..MYD$
    ^/tmp/#sql_..MAD$
    ^/tmp/#sql_..MAI$
    ^/var/tmp/clamav-.*
    ^/tmp/clamav-.*
    ^/usr/local/maldetect*
    ^/dev/pts*
    ^/dev/null

I added the two entries marked in bold to /usr/local/maldetect/ignore_inotify

Also using the log rotation mentioned by @TheFryingPI, but daily rather than weekly.

WebHostingAce avatar May 23 '21 05:05 WebHostingAce
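As an added example (not code from this thread or from maldet itself), a small Python script that reads inotify_log and ignore_inotify and reports which paths are still being logged most often, so you can decide what to add to ignore_inotify before the log fills the disk. It assumes one path per inotify_log line and one regex per ignore_inotify line, which I have not verified against the maldet source; the sample log lines and patterns are constructed.

```python
import re
from collections import Counter

# Constructed sample input (not a real capture): one path per inotify_log
# line, and ignore_inotify entries written as anchored regexes in the style
# of the comment above. The MySQL temp-file patterns are my own guess.
SAMPLE_LOG = """\
/var/tmp/#sql_1a2b_0.MYD
/tmp/#sql_3c4d_1.MAI
/var/tmp/mysql.sock
/home/site/public_html/wp-content/uploads/x.php
/home/site/public_html/wp-content/uploads/x.php
/var/lib/mysql/ib_logfile0
/var/lib/mysql/ib_logfile0
/var/lib/mysql/ib_logfile0
"""

SAMPLE_IGNORE = r"""
^/var/tmp/mysql.sock$
^/tmp/mysql.sock$
^/var/tmp/#sql_.*\.MYD$
^/tmp/#sql_.*\.MA[DI]$
"""

def load_ignore(text):
    """Compile each non-blank ignore_inotify line as a regex."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]

def split_events(log_text, patterns):
    """Return (events an ignore pattern covers, Counter of paths nothing covers)."""
    ignored, unmatched = 0, Counter()
    for line in log_text.splitlines():
        path = line.strip()
        if not path:
            continue
        if any(p.search(path) for p in patterns):
            ignored += 1
        else:
            unmatched[path] += 1
    return ignored, unmatched

def top_noisy(unmatched, n=5):
    """Most frequent uncovered paths: candidates for new ignore_inotify entries."""
    return unmatched.most_common(n)

if __name__ == "__main__":
    ignored, unmatched = split_events(SAMPLE_LOG, load_ignore(SAMPLE_IGNORE))
    print(f"{ignored} events already covered by ignore_inotify")
    for path, count in top_noisy(unmatched):
        print(f"{count:6d}  {path}")
```

Run it against the real files by replacing the two samples with the contents of /usr/local/maldetect/logs/inotify_log and /usr/local/maldetect/ignore_inotify; a candidate regex can be tested the same way before it is added.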