Author Topic: Why has /var/log/messages gone crazy?  (Read 379 times)

joseppi
Why has /var/log/messages gone crazy?
« on: September 14, 2012, 07:51:44 PM »
Several days ago, my /var/log/messages (and syslog and user.log) went crazy adding entries so fast that my system crashed due to the root partition filling up and giving a "no space left" message.

Thanks to help from this forum and another forum, I was able to delete enough files to regain enough file space to get the system restarted. I then flushed the overloaded error message files, and for several days no messages were added in /var/log/messages, syslog, and user.log for about a week. I was checking for new messages every day or two and all seemed to be okay until today, when something caused the /var/log/messages and syslog files to start filling up rapidly again. This time I saved 1,000 of the most recent entries in the messages file (several thousand messages were added today), shut the system down, and rebooted. After that, the messages and syslog files slowed down to a trickle ... but how can I figure out what is causing a flare-up like this?

I've posted the last 1,000 entries at this link: http://www.upquick.com/temp/messages.last1000

As you can see, messages were being added at a rate of 15 to 20 per second before I shut the system down.  After reboot, messages were only added every couple of minutes or so.

Can anyone please tell me what might be causing these message flare-ups and how to stop them?

-rw-rw-r-- 1 root    273529 Sep 10 03:54 user.log.1
-rw-rw-r-- 1 root    364185 Sep 10 04:02 syslog.1
-rw-rw-r-- 1 root    361529 Sep 10 04:02 messages.1

-rw-rw-r-- 1 root   4755667 Sep 14 17:57 user.log
-rw-rw-r-- 1 root   5114200 Sep 14 17:57 syslog
-rw-rw-r-- 1 root   5092302 Sep 14 17:57 messages

-rw-rw-r-- 1 root   4756252 Sep 14 17:59 user.log
-rw-rw-r-- 1 root   5114992 Sep 14 17:59 syslog
-rw-rw-r-- 1 root   5093094 Sep 14 17:59 messages


kjpetrie
Re: Why has /var/log/messages gone crazy?
« Reply #1 on: September 14, 2012, 08:06:17 PM »
Most of the messages you saved simply show a reboot, but the first few hundred show ACPI in serious trouble over an IO port address. I would suspect a loose or dirty connection or a bad soldered joint somewhere as a first guess.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf

joseppi
Re: Why has /var/log/messages gone crazy?
« Reply #2 on: September 15, 2012, 10:04:21 AM »
What is ACPI and how can I correct whatever problem it has?

And how could I look for or trace a "loose or dirty connection or bad soldered joint"?

The computer is in a clean, safe, stable location and has been running fine for more than a year without being moved and without any changes to any connections, so how could a "loose or dirty or bad joint" occur?  And why would the system work fine after a reboot if there was such a bad connection?


kjpetrie
Re: Why has /var/log/messages gone crazy?
« Reply #3 on: September 15, 2012, 11:59:46 AM »
ACPI stands for Advanced Configuration and Power Interface and it's where the OS meets the BIOS to configure and control hardware. ACPI is the system which switches the machine off when you shut down, for instance. That's why I thought lots of ACPI addressing errors might point to hardware problems. Undisturbed metal oxidises and loses its resilience.

However, I also notice user.log is growing almost as fast as syslog and messages, and that suggests you're being spammed by fake log-in attempts. Have you got SSH open to the world? That's very dangerous as there are programs out there which will throw common user names and passwords at your machine several times each second until they find a match and they're in. They will have full access to your home directory and they only have to send su with random passwords until they break root and they will own your entire machine. It might take a few weeks but programs don't get tired and can keep at it 24 hours a day.

joseppi
Re: Why has /var/log/messages gone crazy?
« Reply #4 on: September 15, 2012, 02:05:04 PM »
Thanks. I don't think I have any security vulnerabilities, but this explanation is very helpful and seems logical.

It gives me something to investigate. (if I only knew how to do so ;)


kjpetrie
Re: Why has /var/log/messages gone crazy?
« Reply #5 on: September 15, 2012, 03:18:45 PM »
Open user.log and take a look. That'll tell you for sure.
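
One way to work out what is flooding a log like the ones discussed in this thread, as an added example that is not part of any poster's message: a small shell script that tallies a syslog-format file by program tag, finds the busiest second, and counts failed sshd password attempts per source address. The sample lines, host name, PIDs and addresses (documentation ranges) are constructed, and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Summarise a classic syslog file: "Mon DD HH:MM:SS host tag[pid]: message".

# Lines per program tag, busiest first: shows which source is flooding the log.
top_sources() {
    awk '{ tag = $5; sub(/\[[0-9]+\]:?$/, "", tag); sub(/:$/, "", tag); n[tag]++ }
         END { for (t in n) print n[t], t }' "$1" | sort -k1,1nr -k2,2
}

# Busiest one-second bucket, printed as "count Mon DD HH:MM:SS".
peak_rate() {
    awk '{ n[$1 " " $2 " " $3]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -k1,1nr | head -n 1
}

# Failed sshd password attempts per source address (address follows last "from").
failed_logins() {
    awk '$5 ~ /^sshd/ && /Failed password/ {
             ip = ""
             for (i = 6; i < NF; i++) if ($i == "from") ip = $(i + 1)
             if (ip != "") n[ip]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines, not taken from the poster's log.
sample_log() {
    cat <<'EOF'
Sep 14 17:57:01 host kernel: ACPI Error: constructed sample line
Sep 14 17:57:01 host kernel: ACPI Error: constructed sample line
Sep 14 17:57:01 host kernel: ACPI Error: constructed sample line
Sep 14 17:57:02 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Sep 14 17:57:02 host sshd[4102]: Failed password for root from 203.0.113.5 port 4243 ssh2
Sep 14 17:57:03 host sshd[4103]: Failed password for root from 198.51.100.7 port 5000 ssh2
Sep 14 17:59:10 host crond[900]: constructed sample line
EOF
}

# Usage: sh logsum.sh /var/log/messages   (hypothetical name; no argument runs the sample)
log=${1:-}
if [ -z "$log" ]; then log=$(mktemp); sample_log > "$log"; tmp=$log; fi
echo "== lines per source ==";      top_sources "$log" | head -n 10
echo "== busiest second ==";        peak_rate "$log"
echo "== failed sshd passwords =="; failed_logins "$log" | head -n 10
[ -z "${tmp:-}" ] || rm -f "$tmp"
```

Run it against whichever file is growing; a single tag dominating the first section points at the daemon or kernel subsystem responsible, and a non-empty last section shows password guessing against sshd.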