Fail2ban.0 file over 2GB

jtreible · May 1, 2023, 2:16pm

I noticed my logfiles have gotten a little large so I did some digging.

All of my logfiles are rotating and compressing without issue.

As I was digging, I noticed a file in /var/log/asterisk called “fail2ban.0” and its 2.5GB large.

There is also a log file called fail2ban that is rotating and compressing. This file is only about 5MB but the fail2ban.0 file is over 2.5GB.

What is this file used for in the Fail2Ban system? Can I setup a logrotate.d for this file or does the whole log file need to be intact for fail2ban to continue to work properly?

Edit: If it matters, I am using:
PBX Version: 16.0.40
PBX Distro: 12.7.8-2302-1.sng7
Asterisk Version: 16.30.0

BlazeStudios · May 1, 2023, 2:20pm

Probably due to how rotation is setup. There are two factors here, time and file size. The logs rotate and remove old log files every X days (7 i think is default) but it will create .0, .1 files if the log file size reaches Y size.

For this file to grow to 2GB in less than a week means you have a lot of traffic hitting the system and you should probably check your firewall configs or at least look to see what is filling up the log file so quickly.

jtreible · May 1, 2023, 2:28pm

So its actually not just a week. This file goes back to the day of deployment. 8-3-22.

So I have fail2ban.log that is small and rotating every week.
But file fail2ban.0 that is 2.5GB since 8-3-22.

BlazeStudios · May 1, 2023, 2:37pm

Are you getting .1 or .2 or .3 files as well?

jtreible · May 1, 2023, 2:39pm

No I am not

BlazeStudios · May 1, 2023, 2:42pm

So I’d venture a guess at you setup the system and like anything exposed to the Internet it started to get hit while you were getting things into place. Happens. You can just remove the file.

lgaetz · May 1, 2023, 3:21pm

david55 · May 1, 2023, 3:34pm

I’m not sure about this case, but, as a general principle, you should not rely on removing a file for an active log file. If the file is kept open, the underlying disk space will not be released until it is eventually closed, but no-one will be able to open the file to make use of its contents. Whether this is a factor depends on whether the file is kept open between messages, or opened and closed around each message.

BlazeStudios · May 1, 2023, 3:46pm

The files timestamp is Aug 2022. It is also not the current logfile being used, which we have established is rotating fine.

jtreible · May 2, 2023, 1:27pm

Attached screenshot of log files.

The file in question (fail2ban.0) was last modified the first day I booted the new system on 8-3-22. No other .1, .2, .3s exist and logrotate.d is working on the fail2ban. You can see -20230502, back to 20230426 is active and modified on the corresponding dates and dates and older are purged.
Asterisk services are not exposed to the internet and the PBX is behind a sonicwall firewall which is also monitoring traffic.
Traffic is monitored and suspicious activity is relatively low. I monitor all fail2ban activity daily/weekly and get very low amounts of attempts if any.

dobrosavljevic · May 2, 2023, 1:35pm

Yea that looks to me like it can be simply removed.

system · May 9, 2023, 1:48pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.