cpanellogd - http logs exceeding limits

dlsweb

Member
Jun 17, 2004
17
1
151
Recently I began receiving a couple of these each morning for many different accounts.

Time: Sun Feb 24 07:16:56 2013 -0500
Account: xxxxxxxx
Resource: Process Time
Exceeded: 93452875 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: cpanellogd - http logs for xxxxxxxx
PID: 4977 (Parent PID:4734)
Killed: No

This morning my customer stated his site timed out when he tried to access.
Can someone let me know what I need to do?
 

noox

Active Member
Mar 19, 2003
34
1
158
cPanel Access Level
Root Administrator
I've the same for the last 3 days now.

Time: Tue Mar 12 13:10:12 2013 +0100
Account: xxxxxx
Resource: Process Time
Exceeded: 7277999 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: cpanellogd - http logs for xxxxxxx
PID: 28697 (Parent PID:28663)
Killed: No

I've found how to disable this mail, but I'd rather like to know why suddenly the execution time for log processing is so long.
 

pmkenney

Registered
Mar 15, 2013
2
0
1
cPanel Access Level
Root Administrator
I've found how to disable this mail, but I'd rather like to know why suddenly the execution time for log processing is so long.
How did you disable these notifications? I realize the notifications are being generated by CSF/LFD ...and that it's likely I need to add a line or two to csf.pignore, but I can't tell which process is triggering the alert. I suspect the warnings are related to a recent cPanel update to version 11.36:
Internal Perl Modules
Odd that the messages are coming in once every 24 hours at roughly the same time each morning.
 

dlsweb

Member
Jun 17, 2004
17
1
151
How did you disable these notifications?
Shouldn't the question "why the notifications" be answered first?
Out of sight doesn't mean all is OK. I don't want to assume there is no problem, thus my original question.
 

pmkenney

Registered
Mar 15, 2013
2
0
1
cPanel Access Level
Root Administrator
Shouldn't the question "why the notifications" be answered first?
Out of sight doesn't mean all is OK. I don't want to assume there is no problem, thus my original question.
Hi Larry,

Yes - good point. Are you still receiving the alerts...roughly the same time every 24 hours?
 

dlsweb

Member
Jun 17, 2004
17
1
151
Every morning- Command Line: cpanellogd - http logs for (several accounts)
 

djjelly

Registered
Mar 14, 2013
3
0
1
cPanel Access Level
Root Administrator
Every morning- Command Line: cpanellogd - http logs for (several accounts)
Personally I am getting worried about this norifications as my server was hacked earlier this month and even though I cleaned up extensively the compromised accounts, I am still very very paranoid.

However I went through LFD/CSF and followed most recomendations for securitn the server and I wander if that's why I am now receiving all the notifications that I wasn't receiving before.

It would be nice to get a reply from someone that knows if those alerts are false positives.


In addition and to what it's worth I am also receiving the below:
Subject: lfd on [ServerName] Suspicious process running under user [username]Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):

udp: [My Server IP]:49371 -> [DNS Server IP]:53


Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
 
Last edited:

rhm.geerts

Well-Known Member
Jul 29, 2008
99
8
58
Maastricht
cPanel Access Level
Root Administrator
I also have the same and am curious to a solution to this.
I already started a thread about this with cpanellogd in the title but will point to this one. It's the same time but not all domains/accounts are giving this error.
 

pcgh

Active Member
Jun 25, 2003
43
0
156
Count me in as another seeing this same problem. Occurs in the mornings when logs are being processed and lasts for a couple of hours with multiple notifications. Started with the most recent update. It does appear to be impacting server performance and response time so appears to be a very real issue. Any help would be greatly appreciated.

Tony
 

yitwail

Registered
Mar 17, 2013
4
1
3
cPanel Access Level
Root Administrator
The exact same thing happened this morning. Either a whole bunch of servers have been simultaneously compromised by a new exploit, or there's a bug in the latest cpanel.
 

pixelaté

Member
May 21, 2008
7
1
53
Same here. Been happening for a few days now.

I'd like an answer as to why it's just started occurring.
 

Kurieuo

Well-Known Member
Dec 13, 2002
106
0
166
Australia
I was informed elsewhere that the location was changed of cpanellogd, so you'll need to manually re-add it to be ignored.
 

pcgh

Active Member
Jun 25, 2003
43
0
156
The location of Webalizer did change and the csf.pignore does need to be updated accordingly. However that does not address the primary issue discussed here of cpanellogd seeming to create an undue load.

I was informed elsewhere that the location was changed of cpanellogd, so you'll need to manually re-add it to be ignored.
 

Kurieuo

Well-Known Member
Dec 13, 2002
106
0
166
Australia
Are you experiencing higher loads, or you meaning just the running time? I'm not cpanel dev but I hasn't noticed increased loads pre/after updating. So its probably always run similarly?? Just that it was already ignored. Running time doesn't necessarily affect server load as it could be sleeping/idle for much of the time. But I too would be interested in a definitive response.
 

rhm.geerts

Well-Known Member
Jul 29, 2008
99
8
58
Maastricht
cPanel Access Level
Root Administrator
I was informed elsewhere that the location was changed of cpanellogd, so you'll need to manually re-add it to be ignored.
What exactly should the new one be then? And should this symlink stay?
Code:
lrwxrwxrwx 1 root root    9 Dec 18 13:11 webazolver -> webalizer
Next to that I wonder if webalizer is indeed the only thing triggering these messages.
 

Kurieuo

Well-Known Member
Dec 13, 2002
106
0
166
Australia
Open WHM -> ConfigServer Security&Firewall

Edit "csf.pignore, Process Tracking"

Add lines:

exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
pcmd:cpanellog.*