Excessive logging with Sourcefire sensor 4.8.0 on XOS 8.1
A frequent syslog message from Sourcefire sensor 4.8.0 can fill up all available disk space on the /var partition. Here is an example of the log message:
Apr 15 04:02:02 ips_1 kernel: IPS_accel warning: IPS_IOCTL_PROCESS_PKT: there's an error code returning -100 early
Apr 15 04:02:02 ips_1 last message repeated 44 times
The error message indicates a network down condition while trying to capture packets.
An upgrade is required to resolve this issue completely. Sourcefire 4.8.0 is the last release that relied on the ips-accel module. Starting with XOS 8.5 and Sourcefire 4.8.2, the architecture changed to use VNIM instead of ips-accel, and the newer versions are not affected by this issue.
As a workaround and to avoid filling up the hard drive, you can change the syslog configuration on the VAPs running Sourcefire to filter out kernel warning messages. Here are the instructions to disable sending of kernel messages at level "warning" to the CPM:
1) Change to CPM unix prompt:
CBS# unix su
2) Login to the Sourcefire VAP with rsh:
[root@CBS admin]# rsh ips_1
3) Edit the configuration file /etc/syslog.conf. Find the following line within the file:
Change the line so it looks like this:
4) Save the file and restart syslog:
ips_1 (CBS): root$ /etc/init.d/syslog restart
Steps 2-4 need to be repeated for every Sourcefire VAP group member.
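As an added example that is not part of the original article: a POSIX shell check that counts how often the IPS_accel warning appears in a syslog file, expanding the "last message repeated N times" lines syslog collapses the flood into, so an operator can watch the rate on a VAP before /var fills up. The sample log lines are constructed, and the threshold helper is hypothetical.

```shell
#!/bin/sh
# Constructed sample of the flood described in the article (not a real capture).
LOG_SAMPLE=$(mktemp)
trap 'rm -f "$LOG_SAMPLE"' EXIT
cat > "$LOG_SAMPLE" <<'EOF'
Apr 15 04:02:02 ips_1 kernel: IPS_accel warning: IPS_IOCTL_PROCESS_PKT: there's an error code returning -100 early
Apr 15 04:02:02 ips_1 last message repeated 44 times
Apr 15 04:02:03 ips_1 sshd[1234]: Accepted publickey for admin
Apr 15 04:02:05 ips_1 kernel: IPS_accel warning: IPS_IOCTL_PROCESS_PKT: there's an error code returning -100 early
Apr 15 04:02:05 ips_1 last message repeated 10 times
EOF

# count_ips_accel_warnings FILE
# Prints the total number of IPS_accel warnings in FILE. A "last message
# repeated N times" line adds N, but only when it directly follows the warning,
# so repeats of unrelated messages are not counted.
count_ips_accel_warnings() {
    awk '
        /IPS_accel warning: IPS_IOCTL_PROCESS_PKT/ { total++; after_warning = 1; next }
        /last message repeated [0-9]+ times/ {
            if (after_warning) {
                for (i = 1; i <= NF; i++) if ($i == "repeated") total += $(i + 1)
            }
            after_warning = 0
            next
        }
        { after_warning = 0 }
        END { print total + 0 }
    ' "$1"
}

# flood_exceeds FILE THRESHOLD (hypothetical helper)
# Succeeds (exit 0) when the warning count is above THRESHOLD, so it can gate
# an alert or a disk-space check in a cron job.
flood_exceeds() {
    [ "$(count_ips_accel_warnings "$1")" -gt "$2" ]
}

echo "IPS_accel warnings in sample: $(count_ips_accel_warnings "$LOG_SAMPLE")"
```

On a VAP the same functions can be pointed at the real syslog file instead of the constructed sample.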
Imported Document ID: 000019121