Lilarcor Posted August 28, 2022 Share Posted August 28, 2022 (edited) The issue is caused by samba, and fixed after I removed syslog file. The issue happened again. unraid-diagnostics-20220901-2013.zip Edited September 1, 2022 by Lilarcor Quote Link to comment
itimpi Posted August 28, 2022 Share Posted August 28, 2022 2 hours ago, Lilarcor said: Fix Common Problems reported error /VAR/LOG IS GETTING FULL , I tried to a reboot and it didn't help. Please help. The issue is caused by samba, and fixed after I removed syslog file That does not sound like a real fix. Samba does not normally write much to the syslog so if it is Samba that is filling it you need to determine why (e.g. have you turned on some sort of diagnostic or audit logging in Samba). Quote Link to comment
trurl Posted August 28, 2022 Share Posted August 28, 2022 Removing syslog is most certainly NOT a fix. When it happens again don't reboot, attach diagnostics to your NEXT post in this thread Quote Link to comment
Lilarcor Posted August 31, 2022 Author Share Posted August 31, 2022 I will. Thanks for suggestion. Quote Link to comment
Lilarcor Posted September 1, 2022 Author Share Posted September 1, 2022 On 8/29/2022 at 5:17 AM, trurl said: Removing syslog is most certainly NOT a fix. When it happens again don't reboot, attach diagnostics to your NEXT post in this thread The issue happened again, I post the diag file. Quote Link to comment
trurl Posted September 1, 2022 Share Posted September 1, 2022 1 hour ago, Lilarcor said: I post the diag file. Just some advice about using the forum. Better to attach it to a new post so we don't have to go looking for it. I almost asked you why you didn't post your diagnostics yet. Since you made a new post, you might as well have attached it to that instead of editing the first post. If you hadn't made a new post, but only edited that first post, I wouldn't have visited the thread again since there wouldn't have been any new posts to read. Quote Link to comment
trurl Posted September 1, 2022 Share Posted September 1, 2022 Unrelated Your appdata share has files on the array. Why do you have 50G docker.img? Have you had problems filling it? 20G is usually more than enough. A common reason for filling docker.img is an application writing to a path that isn't mapped. Quote Link to comment
trurl Posted September 1, 2022 Share Posted September 1, 2022 You have something from IP 192.168.6.72 constantly opening and closing ssh sessions, that is one of the things filling your log Sep 1 07:20:00 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:01 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:01 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 0 Sep 1 07:20:01 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 0 Sep 1 07:20:01 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:03 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:03 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 0 Sep 1 07:20:04 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 0 just like that over and over. And then a lot of this Sep 1 19:50:48 unraid smbd_audit[3870]: connect to service backup by user sharewrite Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: disconnected over and over. I suspect that is coming from the same IP. Did you look at your syslog? Do you know what is at that IP? Quote Link to comment
Lilarcor Posted September 1, 2022 Author Share Posted September 1, 2022 8 hours ago, trurl said: Unrelated Your appdata share has files on the array. Why do you have 50G docker.img? Have you had problems filling it? 20G is usually more than enough. A common reason for filling docker.img is an application writing to a path that isn't mapped. As I have lots of container, 20GB isn't enough, so I expanded it. Quote Link to comment
Lilarcor Posted September 1, 2022 Author Share Posted September 1, 2022 8 hours ago, trurl said: You have something from IP 192.168.6.72 constantly opening and closing ssh sessions, that is one of the things filling your log Sep 1 07:20:00 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:01 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:01 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 0 Sep 1 07:20:01 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 0 Sep 1 07:20:01 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:03 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 1 Sep 1 07:20:03 unraid sshd[1066]: Starting session: command for root from 192.168.6.72 port 35798 id 0 Sep 1 07:20:04 unraid sshd[1066]: Close session: user root from 192.168.6.72 port 35798 id 0 just like that over and over. And then a lot of this Sep 1 19:50:48 unraid smbd_audit[3870]: connect to service backup by user sharewrite Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: openat ./. (fd 11) Sep 1 19:50:48 unraid smbd_audit[3870]: close fd 11 Sep 1 19:50:48 unraid smbd_audit[3870]: disconnected over and over. I suspect that is coming from the same IP. Did you look at your syslog? Do you know what is at that IP? 6.72 is a vpn server but I don't think this one caused the issue. And 2nd part is the root reason, seems they came from samba log, so far, I have to omit samba log , then the issue is gone. [global] syslog only = No syslog = 0 logging = 0 Quote Link to comment
EdEpiphBKNY Posted November 1, 2022 Share Posted November 1, 2022 On 9/1/2022 at 6:40 PM, Lilarcor said: 6.72 is a vpn server but I don't think this one caused the issue. And 2nd part is the root reason, seems they came from samba log, so far, I have to omit samba log , then the issue is gone. [global] syslog only = No syslog = 0 logging = 0 This seems like a work around and not a real solution to the problem. Has anyone else figured out the cause of this? Quote Link to comment
itimpi Posted November 1, 2022 Share Posted November 1, 2022 2 hours ago, EdEpiphBKNY said: This seems like a work around and not a real solution to the problem. Has anyone else figured out the cause of this? The culprit seems to be the Recycle Bin plugin, although the latest release is meant to have corrected this issue. Quote Link to comment
radiolex Posted November 2, 2022 Share Posted November 2, 2022 On 9/1/2022 at 6:40 PM, Lilarcor said: 6.72 is a vpn server but I don't think this one caused the issue. And 2nd part is the root reason, seems they came from samba log, so far, I have to omit samba log , then the issue is gone. [global] syslog only = No syslog = 0 logging = 0 I seem to have the same issue. Lots of logs related to smbd_audit. It's causing my VMs to stop working since the Logs folder is full. This only started happening after 6.11.1 Quote Link to comment
dlandon Posted November 2, 2022 Share Posted November 2, 2022 Clear everything from the smb-extra.cfg file remove and re-install recycle bin plugin. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.