Hideki A. Ikeda (HidekiAI) [池田英紀] ["Tony" Ikeda] –  BLog

Syslog-ng + syslog-server (Kiwi) = network slowdown

by HidekiAI on Dec.07, 2008, under Technology Opinions

It’s interesting how wishing to monitor servers for security so that we won’t have any serious networking issues can backfire…

I have several servers, including my router, forward syslogs to my only server that is running Windows, so that I have a centralized location (if needed) to monitor any issues on server(s).

I noticed this afternoon that my LAN was getting seriously slow, to the point where I couldn’t even SSH to servers due to a 60-second timeout. Then I noticed that it wasn’t just one server, but my desktop dev-system as well (basically, all my Linux boxes).

So I ran top on all my servers (and my dev-box), and syslog-ng on all the boxes was close to 100% CPU usage. But that didn’t tell me much, except to stop the service to calm the network down.

It just so happens that the syslog-ng.conf on all my Gentoo boxes (and syslog.conf for Ubuntu) is usually copied or mimicked from one system (usually my dev-system), and so all my syslogs were being sent to the syslog-server.

I noticed that Kiwi had stopped updating about an hour before I stopped all the syslog services. Just luck, I guess, that I stumbled upon that one, because the entire time I thought it was some kind of virus and/or rootkit that had attacked the syslog service to do some DoS damage.
