IPS_accel warnings filling up messages log

Article ID: 167861

Products

XOS

Issue/Introduction

Excessive logging with Sourcefire sensor 4.8.0 on XOS 8.1. A frequent syslog message from Sourcefire sensor 4.8.0 can fill up all available disk space on the /var partition. Here is an example of the log message:

Apr 15 04:02:02 ips_1 kernel: IPS_accel warning: IPS_IOCTL_PROCESS_PKT: there's an error code returning -100 early
Apr 15 04:02:02 ips_1 last message repeated 44 times

Cause

The error message indicates a network down condition while trying to capture packets.

Resolution

An upgrade is required to resolve this issue completely. Sourcefire 4.8.0 is the last release that relied on the ips-accel module. Starting from XOS 8.5 and Sourcefire 4.8.2 the architecture changed to use VNIM instead of ips-accel, and the newer versions do not suffer from this issue.


Workaround

As a workaround, and to avoid filling up the hard drive, you can change the syslog configuration on the VAPs running Sourcefire to filter out kernel warning messages. Here are the instructions to disable sending of kernel messages at level "warning" to the CPM:

1) Change to the CPM unix prompt:

CBS# unix su

2) Log in to the Sourcefire VAP with rsh:

[[email protected] admin]# rsh ips_1

3) Edit the configuration file /etc/syslog.conf. Find the following line within the file:

*.* @primarycpm

Change the line so it looks like this:

*.*;kern.!=warn @primarycpm

4) Save the file and restart syslog:

ips_1 (CBS): root$ /etc/init.d/syslog restart

Steps 2-4 need to be repeated for every Sourcefire VAP group member.
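Because step 3 has to be repeated by hand on every VAP group member, the following shell function applies that one-line edit in a repeatable way: it refuses to touch a file that does not contain the expected "*.* @primarycpm" line, keeps a .bak copy, is a no-op when the line is already patched, and verifies the result. This is an added example, not part of the article or of XOS; the function name and the path argument are assumptions, and it is meant to be tried on a copy of syslog.conf before being pointed at /etc/syslog.conf on the VAP.

```shell
# Added example (not from the article): rewrite the forward-to-CPM selector
# in a sysklogd-style syslog.conf so kern.warn messages stay on the VAP.
# Usage: patch_syslog_conf /path/to/syslog.conf   (path is an assumption)
patch_syslog_conf() {
    conf="$1"
    # Already patched: do nothing, so the function can be re-run safely.
    if grep -q '^\*\.\*;kern\.!=warn[[:space:]][[:space:]]*@primarycpm' "$conf"; then
        echo "already patched: $conf"
        return 0
    fi
    # Refuse to edit if the line the article tells you to find is missing.
    if ! grep -q '^\*\.\*[[:space:]][[:space:]]*@primarycpm' "$conf"; then
        echo "expected '*.* @primarycpm' line not found in $conf" >&2
        return 1
    fi
    # Keep the original as a backup, then rewrite only the '*.*' forwarding
    # line; every other selector in the file is left untouched.
    cp "$conf" "$conf.bak" || return 1
    sed 's/^\*\.\*\([[:space:]][[:space:]]*@primarycpm\)/*.*;kern.!=warn\1/' \
        "$conf.bak" > "$conf" || return 1
    # Confirm the edit landed before the caller restarts syslog (step 4).
    grep -q '^\*\.\*;kern\.!=warn[[:space:]][[:space:]]*@primarycpm' "$conf"
}
```

Note that the selector drops every kernel message at exactly priority warning from the CPM feed, not only the IPS_accel ones, so any other kern.warn entries must then be read from the VAP's local logs.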