FreePBX System Statistics, Disks= /var indicator suddenly is at 72%

Hello, I have an issue in my FreePBX. See, in Admin FreePBX System Status => System Statistics => Disks, the /var indicator suddenly went from 20% to 72% in a week. Would it be a partition problem? Do you have a solution? Thank you.

check your log files in /var/log/

OK, what do I have to look for?

Or what do I have to do to solve it? Thank you.

My guess is that asterisk “got vocal” so the rotated scripts in /var/log/asterisk/ can get out of hand.

ls -lhsrS /var/log/asterisk/*

will list the files ordered ascending by size, if any files are “big” then explore the content for why. If all is in order, feel free to delete them, but they will also be automatically rotated away by logrotate.

if not those files, then

du -h --max-depth=1 /var/log

will identify the large directories in /var/, just iterate through the directory structure until you find why that directory is growing suspiciously.

See, today I’ve been through /var/log/asterisk, and found that there are some files (cdr-csv, cdr-custom, event_log, freepbx-bounce_op.log, full, full.1, full.2.gz, full.3.gz and queue.log), none of them have info but full, full.q, full.2.gz and full.3.gz, it seems to be some kind of logging from events from today and days before. There are LOTS of registers there, so I don’t know if I have to erase those registers. So what do I have to do? Please let me know.

I don’t know if it is “normal”, but on my FreePBX, the disks indicator at /var is now 72%, increased since one month ago. The asterisk server is about 2 years working, but suddenly increased from like 10% to 72% in one month.

My guess is that you are being “attacked”, fix your security issues and your logs will probably reduce.

I don’t think I’m under an attack because we are only two guys who know the password. Is there another thing to try? I mean clean logs or some? Just saying…

I’ll wager that there are now a whole bunch of Chinese and/or Palestinians who now know (or are close to knowing) your “password” :)

Check the full logs for unknown IP addresses attempting to register an extension.

See, we just have this server working internal at our enterprise, we have no exit to a telephony operator, not now, we just have a trunk to another enterprise located across the street. We have about 59 extensions, the other enterprise has like 70 extensions, do you see? There’s not a collapsing amount of users there…

Yeah, you’re right, I didn’t think about searching the IP’s from the logs. But anyway, could I “clean” these huge lines from the “full” files? Are they necessary? Are they expendable? Thanks.

The full.* files are expendable (but possibly of forensic value); full is the active one, so don’t delete it. You can logrotate it if you want to create a new “full” log. Google will explain how. Either way, you need to find out what is filling up those logs so fast.

Well I don’t want to create a new “full” log, I already have the files full, full.1, full.2.gz, full.3.gz. Tomorrow I will see what is happening in detail. Thanks, anything more I will write you then.
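
One way to carry out the advice above to check the full logs for unknown IP addresses attempting to register, as an added example that is not part of the thread: these shell functions count failed SIP registration attempts per source address. The line shapes matched are those of typical chan_sip and res_pjsip NOTICE messages; the sample lines, the function names and the 10. LAN prefix are constructed assumptions.

```shell
# Constructed sample lines in the shape of Asterisk "full" log entries.
sample_log() {
cat <<'EOF'
[2024-05-01 10:00:01] NOTICE[1201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2024-05-01 10:00:02] NOTICE[1201] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2024-05-01 10:00:03] NOTICE[1201] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '198.51.100.23:5071' - No matching peer found
[2024-05-01 10:00:04] VERBOSE[1300] pbx.c: Executing [100@from-internal:1] NoOp
[2024-05-01 10:00:05] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.7:5060' (callid: abc) - Failed to authenticate
[2024-05-01 10:00:06] NOTICE[1201] chan_sip.c: Registration from '"59" <sip:59@192.0.2.10>' failed for '10.0.0.59:5060' - Wrong password
EOF
}

# Print the named logs (rotated .gz files included), or stdin if none are given.
read_logs() {
    if [ $# -eq 0 ]; then cat; return; fi
    for f in "$@"; do
        case $f in
            *.gz) gzip -cd -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done
}

# Output "COUNT IP" per IPv4 source of failed registrations, busiest first.
failed_regs() {
    read_logs "$@" |
    grep -E "Registration from|Request 'REGISTER' from" |
    sed -n "s/.*failed for '\([0-9.]*\)[:'].*/\1/p" |
    LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2,2 |
    awk '{print $1, $2}'
}

# Drop addresses that start with a known LAN prefix (assumed here: 10.).
outside_prefix() {
    awk -v p="$1" 'index($2, p) != 1'
}

# On the PBX: failed_regs /var/log/asterisk/full /var/log/asterisk/full.1 /var/log/asterisk/full.2.gz
sample_log | failed_regs | outside_prefix 10.
```

A single address with thousands of failures explains both the log growth and where it comes from; keep the rotated files until that has been checked.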