cpanellogd - http logs exceeding limits

[dlsweb]

Recently I began receiving a couple of these each morning for many different accounts.

Time: Sun Feb 24 07:16:56 2013 -0500
Account: xxxxxxxx
Resource: Process Time
Exceeded: 93452875 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: cpanellogd - http logs for xxxxxxxx
PID: 4977 (Parent PID:4734)
Killed: No

This morning my customer stated his site timed out when he tried to access.
Can someone let me know what I need to do?

 

[noox]

I've the same for the last 3 days now.

Time: Tue Mar 12 13:10:12 2013 +0100
Account: xxxxxx
Resource: Process Time
Exceeded: 7277999 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: cpanellogd - http logs for xxxxxxx
PID: 28697 (Parent PID:28663)
Killed: No

I've found how to disable this mail, but I'd rather like to know why suddenly the execution time for log processing is so long.

 

[dlsweb]

I've found how to disable this mail, but I'd rather like to know why suddenly the execution time for log processing is so long.

I agree with that

 

[pmkenney]

I've found how to disable this mail, but I'd rather like to know why suddenly the execution time for log processing is so long.

How did you disable these notifications? I realize the notifications are being generated by CSF/LFD ...and that it's likely I need to add a line or two to csf.pignore, but I can't tell which process is triggering the alert. I suspect the warnings are related to a recent cPanel update to version 11.36:
Internal Perl Modules
Odd that the messages are coming in once every 24 hours at roughly the same time each morning.

 

[dlsweb]

How did you disable these notifications?

Shouldn't the question "why the notifications" be answered first?
Out of sight doesn't mean all is OK. I don't want to assume there is no problem, thus my original question.

 

[pmkenney]

Shouldn't the question "why the notifications" be answered first?
Out of sight doesn't mean all is OK. I don't want to assume there is no problem, thus my original question.

Hi Larry,

Yes - good point. Are you still receiving the alerts...roughly the same time every 24 hours?

 

[dlsweb]

Every morning- Command Line: cpanellogd - http logs for (several accounts)

 

[djjelly]

Every morning- Command Line: cpanellogd - http logs for (several accounts)

Personally I am getting worried about this norifications as my server was hacked earlier this month and even though I cleaned up extensively the compromised accounts, I am still very very paranoid.

However I went through LFD/CSF and followed most recomendations for securitn the server and I wander if that's why I am now receiving all the notifications that I wasn't receiving before.

It would be nice to get a reply from someone that knows if those alerts are false positives.


In addition and to what it's worth I am also receiving the below:
Subject: lfd on [ServerName] Suspicious process running under user [username]Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):

udp: [My Server IP]:49371 -> [DNS Server IP]:53


Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log

 

[MarkDalton]

Hi Larry,

I have exactly the same issue. I don't really want to add the ignore as this will block all process notifications from perl.

 

[rhm.geerts]

I also have the same and am curious to a solution to this.
I already started a thread about this with cpanellogd in the title but will point to this one. It's the same time but not all domains/accounts are giving this error.

 

[pcgh]

Count me in as another seeing this same problem. Occurs in the mornings when logs are being processed and lasts for a couple of hours with multiple notifications. Started with the most recent update. It does appear to be impacting server performance and response time so appears to be a very real issue. Any help would be greatly appreciated.

Tony

 

[yitwail]

The exact same thing happened this morning. Either a whole bunch of servers have been simultaneously compromised by a new exploit, or there's a bug in the latest cpanel.

 

[pixelaté]

Same here. Been happening for a few days now.

I'd like an answer as to why it's just started occurring.

 

[Kurieuo]

I was informed elsewhere that the location was changed of cpanellogd, so you'll need to manually re-add it to be ignored.

 

[pcgh]

The location of Webalizer did change and the csf.pignore does need to be updated accordingly. However that does not address the primary issue discussed here of cpanellogd seeming to create an undue load.

I was informed elsewhere that the location was changed of cpanellogd, so you'll need to manually re-add it to be ignored.

 

[Kurieuo]

Are you experiencing higher loads, or you meaning just the running time? I'm not cpanel dev but I hasn't noticed increased loads pre/after updating. So its probably always run similarly?? Just that it was already ignored. Running time doesn't necessarily affect server load as it could be sleeping/idle for much of the time. But I too would be interested in a definitive response.

 

[planetjoin]

Hello

is happening the same in one of my servers..

Cpanel people have any clue about this?

Regards
Fabian

 

[rhm.geerts]

I was informed elsewhere that the location was changed of cpanellogd, so you'll need to manually re-add it to be ignored.

What exactly should the new one be then? And should this symlink stay?

lrwxrwxrwx 1 root root    9 Dec 18 13:11 webazolver -> webalizer

Next to that I wonder if webalizer is indeed the only thing triggering these messages.

 

[Kurieuo]

Open WHM -> ConfigServer Security&Firewall

Edit "csf.pignore, Process Tracking"

Add lines:

exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
pcmd:cpanellog.*

 

[rhm.geerts]

Thank you, however, I leave cpanellog.* out of there because I like to get notices if things go wrong.

Do you know the answer to the question about the old symlink too?