From: Paul Schmehl
To: FreeBSD-questions
Date: Thu, 09 Sep 2004 11:50:36 -0500
Subject: Phantom /var full messages

I'm running snort 2.1.3 and mysql 3.23.58 on FreeBSD 4.9 RELEASE. All applications are built from ports.

Periodically I get /var full messages and everything comes to a grinding halt. The problem is, /var isn't full. df -h will show /var at 104%, but du -h /var shows /var at 40% (for example). If I shut down snort and mysql, wait for a minute and then start them back up, df agrees with du again.

The system works fine because only /var is full (although things can get squirrelly if I let it go long enough because the system can't write to the logs or the mail spool), so I can still ssh in and run utilities.

I suspect this is some sort of filehandle not being released issue, but I'm not sure how to track it down. I've got lsof installed, but I'm not an expert on it yet. Any hints would be welcomed.

What's the best way to troubleshoot this problem?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu