LFD Stalling During DNS Lookups
Posted: 08 Mar 2013, 14:33
Hello,
I'm using generic CSF 6.0 on Gentoo.
I have a couple of custom regexes that scan the apache access_log and modsec_audit log. The regexes work correctly. When these rules match there is a flood of errors from a single IP, tens of accesses per second.
Looking at strace, LFD seems to be trying to resolve the hostname for every log line that matches the pattern? Is this correct? On hosts with valid DNS, or a valid DNS server where the IP just doesn't resolve (NXDOMAIN), this is not a problem. But on hosts with a down/unreachable DNS server (SERVFAIL), this causes LFD to "queue up" many hundreds of resolve requests while it waits for each SERVFAIL to time out. While LFD is backed up like this, it fails to match any further log entries, and it's impossible to even restart LFD without hard kill -9'ing it... *Error* attempt to start lfd when it is already running, at line 132
Thanks
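The stall described in the post comes from doing one blocking reverse lookup per matching log line, so a burst of lines from one client turns into a queue of resolver timeouts. The following Python sketch is an added, stand-alone illustration of that failure mode and of the usual mitigation (cache both successful and failed lookups per IP, with a short negative TTL); it is not LFD's or CSF's code, and the log format, the 403-based rule, the IP addresses and the `ResolverDown` failure are all constructed for the example.

```python
"""Reverse-DNS caching for a log watcher (added example; not LFD/CSF code).

Models the failure mode from the post: a matcher that resolves the source IP
of every matching line blocks for a full resolver timeout per line when the
DNS server answers SERVFAIL or is unreachable. Caching failed lookups (with a
short negative TTL) as well as successful ones means a burst of lines from one
IP costs one resolver call instead of one per line. The log format, the
403-based rule and the IP addresses below are constructed for the example.
"""
import re
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Apache combined-log prefix: client IP ... "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
)
TRIGGER_STATUS = "403"  # illustrative rule: every 403 counts as a hit


class ResolverDown(OSError):
    """Stands in for SERVFAIL / unreachable resolver in the constructed demo."""


def system_reverse_lookup(ip: str) -> str:
    """Real lookup via libc. Note: socket.setdefaulttimeout() does not bound
    gethostbyaddr(); on glibc the resolver's own timeout/attempts settings
    (resolv.conf 'options timeout:N attempts:M') decide how long a SERVFAIL
    or dead server stalls the caller."""
    return socket.gethostbyaddr(ip)[0]


@dataclass
class CachedResolver:
    resolve: Callable[[str], str] = system_reverse_lookup
    positive_ttl: float = 3600.0   # seconds to keep a successful answer
    negative_ttl: float = 300.0    # seconds to remember a failure
    clock: Callable[[], float] = time.monotonic
    calls: int = 0                 # resolver invocations (for measurement)
    _cache: Dict[str, Tuple[Optional[str], float]] = field(default_factory=dict)

    def lookup(self, ip: str) -> Optional[str]:
        """Hostname for ip, or None if resolution failed (possibly cached)."""
        now = self.clock()
        hit = self._cache.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.calls += 1
        try:
            name = self.resolve(ip)
            self._cache[ip] = (name, now + self.positive_ttl)
            return name
        except OSError:
            # Negative cache: the next lines from this IP return immediately
            # instead of each waiting for another resolver timeout.
            self._cache[ip] = (None, now + self.negative_ttl)
            return None


def process_log(lines: List[str], resolver: CachedResolver) -> List[Tuple[str, Optional[str]]]:
    """Apply the rule to each line; return (ip, hostname-or-None) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group("status") != TRIGGER_STATUS:
            continue
        ip = m.group("ip")
        hits.append((ip, resolver.lookup(ip)))
    return hits


def _line(ip: str, status: int) -> str:
    return (f'{ip} - - [08/Mar/2013:14:33:00 +0000] "GET /admin HTTP/1.1" '
            f'{status} 512 "-" "curl/7.29"')


# Constructed burst: 150 matching lines from one client, plus a little noise.
SAMPLE_LOG = ([_line("203.0.113.7", 403)] * 150
              + [_line("192.0.2.5", 200)] * 3
              + [_line("198.51.100.9", 403)] * 2)


def demo(negative_cache: bool = True) -> Tuple[int, int]:
    """Run the burst against a resolver whose server is down.
    Returns (matched lines, resolver calls)."""
    def failing_resolver(ip: str) -> str:
        raise ResolverDown(f"SERVFAIL for {ip}")  # constructed failure
    resolver = CachedResolver(resolve=failing_resolver,
                              negative_ttl=300.0 if negative_cache else 0.0)
    hits = process_log(SAMPLE_LOG, resolver)
    return len(hits), resolver.calls


if __name__ == "__main__":
    print("with negative cache   :", demo(True))    # (152, 2)
    print("without negative cache:", demo(False))   # (152, 152)
```

With the negative cache disabled, every one of the 152 matching lines triggers its own failing lookup, which is the queue-up the post observes; with it enabled, each distinct client IP costs one lookup per TTL window and the matcher keeps up with the log. Two caveats for anyone wiring this into a real watcher: `socket.setdefaulttimeout()` does not bound `gethostbyaddr()`, so the per-call stall is governed by the libc resolver configuration (or by running lookups in a worker thread, or with a resolver library that supports a per-query lifetime); and a cache keyed only by IP should be bounded in size so that a scan from many addresses cannot grow it without limit.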