/*************************************************
**轉載自:http://iceskysl.1sters.com/?p=363
**若侵犯著作權請聯絡:lxs_lover520#qq.com
**本人將儘快處理
**************************************************/.
現象描述
項目中有台伺服器,其作業系統為RHEL 3 ,主要用途是實驗室環境以及和第三方系統的FTP伺服器,最近出現經常出現“假死”的情況,具體表現是Ping的通,但是ssh、ftp、telnet等都無法登陸,從lan console上看伺服器運行正常。每次都是遠程重啟暫時解決問題。
深入分析
今天,另外一個負責主機維護的同事發現其/var/log/messages.x中有如下資訊:
Jul 30 17:36:15 www login(pam_unix)[11819]: session opened for user siteview by (uid=0)
Jul 30 17:36:15 www — siteview[11819]: LOGIN ON pts/0 BY siteview FROM 192.168.168.42
Jul 30 17:36:15 www login(pam_unix)[11819]: session closed for user siteview
Jul 30 17:47:17 www syslogd: /var/log/secure: No space left on device
Jul 30 19:11:58 www PAM-securetty[1611]: Couldn’t open /etc/securetty
經過尋找發現其原因是核心中開啟的審核子系統LauS (Linux Auditing System)寫的日誌太多,把/var空間佔了,再次登陸的時候,由於無法寫日誌導致掛在那裡,出現假死現象。
解決方案:
定位到問題以後,就可以想辦法解決了,目前可行的辦法由四種,分別如下:
1、定期手工刪除/var/log/audit.d下的記錄檔
#刪除7天前的
find ./ -mtime +7 -type f -exec rm {} /;
2、配置crob自動刪除或者備份
SEVEN_DAYS_OLD=`/usr/locale/ebin/date ‘+%d’ –date ’7 days ago’`
if [ -f /var/log/audit/bin/bin.${SEVEN_DAYS_OLD} ]
then
rm /var/log/audit/bin.${SEVEN_DAYS_OLD}
fi
3、修改/etc/audit/audit.conf設定檔
可以通過修改audit.conf來配置,讓其自動處理
1)修改為自動刪除的:
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N ‘rm -f %f’";
[The notify line as above should (according to the docs) remove old 'save' files when the filesystem comes within 20% of full (change the figure after -T to specify how close to full you want to start deleting old files).]
2)修改為自動備份的:(/backup 是另外您想儲存資料的分區)
參考文檔 :
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
