/var/log/auth.log is consuming excessive diskspace in NSX-T manager directory /var/log folder
search cancel

/var/log/auth.log is consuming excessive diskspace in NSX-T manager directory /var/log folder

book

Article ID: 318288

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

This article helps to understand if /var/log/auth.log is consuming excessive diskspace in NSX-T manager and to change the auth.log rotation settings in effected environment to reduce diskspace consumption under /var/log folder.

Symptoms:
  • /var/log/auth.log is consuming excessive diskspace in NSX-T manager directory /var/log folder. This caused the /var/log folder to grow to 80% full or higher.
  • auth.log file will show very large count for login failures.
cat auth.log | grep "Refused user ##_vrops_##@##.##.##.com for service nsx-local-pam" | wc -l
5909619 <<
 
ls -lh | grep auth.log
-rw-rw-r-- 1 svc.datamover support  3.0G Aug  6 23:47 auth.log

Environment

VMware NSX-T Data Center 3.x

Cause

In versions prior to NSX-T 3.2.0, the auth.log log file was set to rotate weekly or on the first day of the week.

Resolution

  • This issue has been fixed in NSX-T version 3.2.0 or higher. The auth.log file is adjusted to rotate based on size.

    Workaround:
    Edit '/etc/logrotate.d/rsyslog' on all 3 managers to adjust the log rotation to be based on size.

  • Append the following to '/etc/logrotate.d/rsyslog' on all three managers underneath the line /var/log/auth.log.
  • After updating, run `/usr/sbin/logrotate -d /etc/logrotate.conf 2>&1` to rotate the logs.

    /var/log/auth.log
    {
    rotate 9
    size 48M
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
    invoke-rc.d rsyslog rotate >/dev/null
    endscript
    }

Additional Information

Impact/Risks:
Excessive storage consumption.

Powered by Wolken Software