Koozali.org: home of the SME Server

Clamav died again

cc_skavenger

Clamav died again
« on: August 25, 2004, 06:40:40 PM »
Ok, it happened again.  Clam died and locked the subsystem.  I restarted clamd, it started.  Shut it down, it shut down correctly and restarted it again.  Everything works fine now.  I am using the latest clam rpms from pagefault.org.  It is on SME5.6 with all updates and many extras.  
Found this in the message log:
Aug 25 04:19:50 mail-server kernel: Out of Memory: Killed process 21105 (httpd).
Aug 25 04:20:07 mail-server kernel: Out of Memory: Killed process 27929 (httpd).
Aug 25 04:20:31 mail-server kernel: Out of Memory: Killed process 21090 (httpd).
Aug 25 04:20:54 mail-server kernel: Out of Memory: Killed process 21115 (httpd).
Aug 25 04:21:22 mail-server kernel: Out of Memory: Killed process 27932 (httpd).
Aug 25 04:21:55 mail-server kernel: Out of Memory: Killed process 27926 (httpd).
Aug 25 04:22:36 mail-server kernel: Out of Memory: Killed process 21128 (httpd).
Aug 25 04:23:01 mail-server kernel: Out of Memory: Killed process 27925 (httpd).
Aug 25 04:23:54 mail-server kernel: Out of Memory: Killed process 27927 (httpd).
Aug 25 04:24:12 mail-server kernel: Out of Memory: Killed process 27933 (httpd).
Aug 25 04:24:43 mail-server kernel: Out of Memory: Killed process 27930 (httpd).
Aug 25 04:25:00 mail-server kernel: Out of Memory: Killed process 27931 (httpd).
Aug 25 04:25:19 mail-server kernel: Out of Memory: Killed process 27928 (httpd).
Aug 25 04:25:48 mail-server kernel: Out of Memory: Killed process 27924 (httpd).
Aug 25 04:25:54 mail-server kernel: Out of Memory: Killed process 3445 (clamd).
Aug 25 04:25:54 mail-server kernel: Out of Memory: Killed process 3627 (clamd).
Aug 25 04:25:54 mail-server kernel: Out of Memory: Killed process 25388 (clamd).
Aug 25 04:28:44 mail-server kernel: Out of Memory: Killed process 25435 (httpd).
Aug 25 04:28:55 mail-server kernel: Out of Memory: Killed process 25446 (httpd).
Aug 25 04:29:10 mail-server kernel: Out of Memory: Killed process 25450 (httpd).
Aug 25 04:29:10 mail-server kernel: Out of Memory: Killed process 25453 (httpd).
Aug 25 04:29:13 mail-server kernel: Out of Memory: Killed process 25458 (httpd).
Aug 25 04:29:25 mail-server kernel: Out of Memory: Killed process 25465 (httpd).
Aug 25 04:29:30 mail-server kernel: Out of Memory: Killed process 25478 (httpd).
Aug 25 04:29:35 mail-server kernel: Out of Memory: Killed process 25479 (httpd).
Aug 25 04:29:41 mail-server kernel: Out of Memory: Killed process 25480 (httpd).
Aug 25 04:29:46 mail-server kernel: Out of Memory: Killed process 29527 (httpd-admin).
Aug 25 04:29:51 mail-server kernel: Out of Memory: Killed process 25350 (perl5.6.1).

Is the system really out of memory??  Using 256 Mb of RAM, about 400 users.

Any ideas, anyone?

Thanks
Marco
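Added example, not part of the original thread: a Python sketch that groups kernel OOM-kill lines of the format quoted above into bursts and counts the victims per command, which shows when a scanner such as clamd was taken out. The year (syslog omits it; 2004 is taken from the post date), the 10-minute gap threshold, and all function names are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Excerpt of the log above, plus two constructed lines (the 09:00:00 kill and
# the sshd line) to exercise burst splitting and filtering.
SAMPLE_LOG = """\
Aug 25 04:19:50 mail-server kernel: Out of Memory: Killed process 21105 (httpd).
Aug 25 04:25:54 mail-server kernel: Out of Memory: Killed process 3445 (clamd).
Aug 25 04:25:54 mail-server kernel: Out of Memory: Killed process 3627 (clamd).
Aug 25 04:29:46 mail-server kernel: Out of Memory: Killed process 29527 (httpd-admin).
Aug 25 09:00:00 mail-server kernel: Out of Memory: Killed process 4242 (httpd).
Aug 25 09:00:05 mail-server sshd[1]: constructed unrelated line
"""

OOM_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Out of Memory: Killed process (\d+) \(([^)]+)\)"
)

def parse_oom(text, year=2004):
    """Return sorted (timestamp, pid, command) tuples for each OOM-kill line."""
    kills = []
    for line in text.splitlines():
        m = OOM_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            kills.append((ts, int(m.group(2)), m.group(3)))
    return sorted(kills)

def episodes(kills, gap=timedelta(minutes=10)):
    """Group kills into bursts; a quiet period longer than gap starts a new burst."""
    bursts = []
    for kill in kills:
        if bursts and kill[0] - bursts[-1][-1][0] <= gap:
            bursts[-1].append(kill)
        else:
            bursts.append([kill])
    return bursts

def summarize(burst):
    """Time window, kill count and victims by command name for one burst."""
    return {"start": burst[0][0], "end": burst[-1][0], "kills": len(burst),
            "victims": Counter(name for _, _, name in burst)}

if __name__ == "__main__":
    for b in episodes(parse_oom(SAMPLE_LOG)):
        print(summarize(b))
```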

bigbri100

Clamav died again
« Reply #1 on: August 25, 2004, 06:56:22 PM »
Log in as root and type "top" without quotes.  Maybe you can find out what is consuming all of your RAM.

just wondering..
have you recently installed ASSP?

cc_skavenger

Clamav died again
« Reply #2 on: August 25, 2004, 07:01:54 PM »
Here is a copy of top, nothing taking too much RAM, but there is only 21M free.  Looks like I will be adding another 512M to it.


11:58am  up 4 days, 16:09,  1 user,  load average: 0.03, 0.16, 0.30
101 processes: 95 sleeping, 6 running, 0 zombie, 0 stopped
CPU states:  2.1% user,  0.9% system,  0.0% nice, 96.8% idle
Mem:   255772K av,  233836K used,   21936K free,       0K shrd,   14864K buff
Swap:  264952K av,   90752K used,  174200K free                   82948K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
12656 root      15   0 52596  38M 36452 R     1.7 15.3   6:25 snort-mysql
30651 root      15   0  1048 1048   812 R     0.3  0.4   0:00 top
29828 qmailr    15   0   444  444   372 S     0.1  0.1   0:00 qmail-remote
29838 qmailr    15   0   444  444   372 S     0.1  0.1   0:00 qmail-remote
29842 qmailr    15   0   444  444   372 S     0.1  0.1   0:00 qmail-remote
    1 root      15   0   480  436   416 S     0.0  0.1   0:05 init
    2 root      15   0     0    0     0 SW    0.0  0.0   0:00 keventd
    3 root      15   0     0    0     0 SW    0.0  0.0   0:00 kapmd
    4 root      34  19     0    0     0 SWN   0.0  0.0   0:00 ksoftirqd_CPU0
    5 root      15   0     0    0     0 RW    0.0  0.0   2:25 kswapd
    6 root      15   0     0    0     0 SW    0.0  0.0   0:00 bdflush
    7 root      15   0     0    0     0 SW    0.0  0.0   0:00 kupdated
    8 root      25   0     0    0     0 SW    0.0  0.0   0:00 mdrecoveryd
   16 root      25   0     0    0     0 SW    0.0  0.0   0:00 raid1d
   17 root      25   0     0    0     0 SW    0.0  0.0   0:00 raid1d
   18 root      25   0     0    0     0 SW    0.0  0.0   0:00 raid1d
   19 root      15   0     0    0     0 SW    0.0  0.0   1:26 kjournald

Thanks

cc_skavenger

Clamav died again
« Reply #3 on: August 26, 2004, 05:38:57 AM »
Ok,
Things are worse.  Cannot add / delete users.  Memory usage has gone through the roof, she's going down in flames.  I have started to set up a new server with SME 6.0.1-01 and updates, but cannot find a way to allow the WAN IP subnet to have local access.  In 5.6, I could put the WAN IP subnet in the local networks and voilà, local access.  SME 6 will not let you.  I have a LAN set up from this server to a backup server and if I go with server only, I have no backup solution.  Any thoughts, anyone?

smeghead

Clamav died again
« Reply #4 on: August 26, 2004, 10:50:56 AM »
With all the spam and virus floods that happen today your system is under spec for 400 users.

I had a client system that was brought to its knees by such an event and I controlled it by upping the RAM to 768MB, installing Gordon Rowell's mailfront contrib for killing bad attachments at the SMTP level (thanks for the contrib to Gordon and thanks for the Howto goes to Ray Mitchell) so the system doesn't have to process the attachment; of course this is predicated on using SME 6.0.x

Since doing this I have not had any probs with this system; it occasionally slows down a bit for 30 secs but then is back to normal.  In fact the contrib was so successful in killing the flood of garbage that I have now removed some of the RAM as it was no longer required (back to 512MB).

The WAN IP stuff is really dangerous the way you have it, try using a VPN to provide this function.  WinXP/2000 connects easily and you can enable/disable on a user by user basis.