
IPS_accel warnings filling up messages log


Article ID: 167861


Updated On:




Excessive logging with Sourcefire sensor 4.8.0 on XOS 8.1.

A frequent syslog message from Sourcefire sensor 4.8.0 can fill up all available disk space on the /var partition. Here is an example of the log message:

Apr 15 04:02:02 ips_1 kernel: IPS_accel warning: IPS_IOCTL_PROCESS_PKT: there's an error code returning -100 early 
Apr 15 04:02:02 ips_1 last message repeated 44 times 


The error message indicates a network down condition while trying to capture packets.


An upgrade is required to resolve this issue completely. Sourcefire 4.8.0 is the last release that relied on the ips-accel module. Starting from XOS 8.5 and Sourcefire 4.8.2, the architecture changed to use VNIM instead of ips-accel, and new versions don't suffer from this issue.


As a workaround and to avoid filling up the hard drive, you can change the syslog configuration on the VAPs running Sourcefire to filter out kernel warning messages. Here are the instructions to disable sending of kernel messages at level "warning" to the CPM: 
1) Change to the CPM unix prompt:
CBS# unix su 
2) Log in to the Sourcefire VAP with rsh:
[[email protected] admin]# rsh ips_1 
3) Edit the configuration file /etc/syslog.conf. Find the following line within the file: 
*.* @primarycpm
Change the line so it looks like this: 
*.*;kern.!=warn @primarycpm 
4) Save the file and restart syslog: 
ips_1 (CBS): root$ /etc/init.d/syslog restart

Steps 2-4 must be repeated for every Sourcefire VAP group member.
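
Because the edit in step 3 has to be made on every VAP group member, the following added example (not part of the original article or any vendor tooling) shows it as an idempotent shell function that keeps a backup and refuses to touch a file that lacks the expected rule. The function name filter_kern_warn and the sample file contents are assumptions made for illustration. Note that the kern.!=warn selector drops only kernel messages at exactly warning priority; kernel messages at every other priority are still forwarded to the CPM.

```shell
#!/bin/sh
# Added example, not from the original article: step 3 as an idempotent edit.
# Assumption: the forwarding rule is a line of the form "*.* @primarycpm"
# (spaces or tabs between selector and action), as the article shows it.

OLD_RE='^\*\.\*[[:space:]]\{1,\}@primarycpm[[:space:]]*$'
NEW_RE='^\*\.\*;kern\.!=warn[[:space:]]\{1,\}@primarycpm[[:space:]]*$'
NEW_LINE='*.*;kern.!=warn @primarycpm'

# filter_kern_warn [FILE]   (FILE defaults to /etc/syslog.conf)
# Returns 0 if FILE now carries the filter (changed, or already present),
#         1 if FILE cannot be read or written,
#         2 if no "*.* @primarycpm" rule was found (FILE left untouched).
filter_kern_warn() {
    conf=${1:-/etc/syslog.conf}
    [ -r "$conf" ] || { echo "$conf: cannot read" >&2; return 1; }

    if grep -q -- "$NEW_RE" "$conf"; then
        echo "$conf: filter already present, nothing to do"
        return 0
    fi
    if ! grep -q -- "$OLD_RE" "$conf"; then
        echo "$conf: no '*.* @primarycpm' rule found, not modified" >&2
        return 2
    fi

    # Keep the original so the change can be reverted later.
    cp -p "$conf" "$conf.bak" || return 1
    # Write through the existing file so its owner and mode are preserved.
    sed "s/$OLD_RE/$NEW_LINE/" "$conf.bak" > "$conf" || return 1
    echo "$conf: updated, original saved as $conf.bak"
}

# Demo on a constructed sample file; nothing under /etc is touched.
sample=$(mktemp)
printf '%s\n' '# constructed sample syslog.conf' \
    'kern.* /var/log/kernel' \
    '*.* @primarycpm' > "$sample"
filter_kern_warn "$sample"
grep primarycpm "$sample"    # shows the rewritten forwarding rule
rm -f "$sample" "$sample.bak"
```

On a VAP, calling filter_kern_warn with no argument edits /etc/syslog.conf; syslog still has to be restarted as in step 4 for the change to take effect.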