Thread: Incomplete startup packet errors

Incomplete startup packet errors

From
Magnus Hagander
Date:
It's fairly common to see a lot of "Incomplete startup packet" in the logfiles caused by monitoring or healthcheck connections.

I wonder if it would make sense to only log that error if *at least one byte* has been received and then it becomes empty. Meaning that if the client just connects+disconnects without sending anything, we don't log anything. At least at the default log level (we could have a DEBUG level that logged "connection closed immediately").

That would get rid of a lot of logspam.

Would that make sense?

--

Re: Incomplete startup packet errors

From
Abhijit Menon-Sen
Date:
At 2016-04-13 10:02:22 +0200, magnus@hagander.net wrote:
>
> I wonder if it would make sense to only log that error if *at least
> one byte* has been received and then it becomes empty.

Yes, it would be very nice to eliminate that logspam, as you say.

-- Abhijit



Re: Incomplete startup packet errors

From
Dave Page
Date:
On Wed, Apr 13, 2016 at 9:02 AM, Magnus Hagander <magnus@hagander.net> wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.
>
> I wonder if it would make sense to only log that error if *at least one
> byte* has been received and then it becomes empty. Meaning that if the
> client just connects+disconnects without sending anything, we don't log
> anything. At least at the default log level (we could have a DEBUG level
> that logged "connection closed immediately").
>
> That would get rid of a lot of logspam.
>
> Would that make sense?

Absolutely. It would be very nice to get rid of such noise.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: Incomplete startup packet errors

From
Peter Geoghegan
Date:
On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus@hagander.net> wrote:
> It's fairly common to see a lot of "Incomplete startup packet" in the
> logfiles caused by monitoring or healthcheck connections.

I've also seen it caused by port scanning.


-- 
Peter Geoghegan



Re: Incomplete startup packet errors

From
Magnus Hagander
Date:
On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan <pg@heroku.com> wrote:
> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus@hagander.net> wrote:
> > It's fairly common to see a lot of "Incomplete startup packet" in the
> > logfiles caused by monitoring or healthcheck connections.
>
> I've also seen it caused by port scanning.

Yes, definitely. Question there might be if that's actually a case when we *want* that logging?


--

Re: Incomplete startup packet errors

From
Tom Lane
Date:
Magnus Hagander <magnus@hagander.net> writes:
> On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan <pg@heroku.com> wrote:
>> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus@hagander.net>
>> wrote:
>>> It's fairly common to see a lot of "Incomplete startup packet" in the
>>> logfiles caused by monitoring or healthcheck connections.

>> I've also seen it caused by port scanning.

> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?

I should think someone might.  But I doubt we want to introduce another
GUC for this.  Would it be okay to downgrade the message to DEBUG1 if
zero bytes were received?
        regards, tom lane
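
The rule under discussion, as an added sketch that is not PostgreSQL source and not a patch from this thread: a connection that closes with zero bytes received is reported at a debug level, while one that closes after a partial read still gets a log line. The enum names and helper functions are hypothetical, the sample bytes are constructed, and only the 4-byte length word of the startup packet is covered.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>

/* Hypothetical severities for this sketch (not PostgreSQL's elog constants). */
enum sev { SEV_ERR = -1, SEV_NONE, SEV_DEBUG1, SEV_LOG };

/* Read until `want` bytes arrive or the peer closes; return bytes received. */
static size_t read_upto(int fd, unsigned char *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n <= 0)
            break;                  /* EOF or error: the client went away */
        got += (size_t) n;
    }
    return got;
}

/* Decide how loudly to report a connection that ends inside the length word. */
enum sev classify_startup(int fd)
{
    unsigned char len[4];           /* startup packet begins with a 4-byte length */
    size_t got = read_upto(fd, len, sizeof len);

    if (got == sizeof len)
        return SEV_NONE;            /* length complete; body handling not shown */
    return got == 0 ? SEV_DEBUG1    /* connect + disconnect, nothing sent */
                    : SEV_LOG;      /* some bytes, then EOF: keep the log line */
}

/* Constructed client: send the first `nbytes` of a length word, then close. */
enum sev simulate_client(size_t nbytes)
{
    static const unsigned char pkt[4] = {0, 0, 0, 8};   /* constructed sample */
    int sv[2];

    if (nbytes > sizeof pkt || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return SEV_ERR;
    ssize_t w = nbytes ? write(sv[0], pkt, nbytes) : 0;
    close(sv[0]);                   /* client disconnects */
    enum sev s = (w == (ssize_t) nbytes) ? classify_startup(sv[1]) : SEV_ERR;
    close(sv[1]);
    return s;
}

int main(void)
{
    printf("0 bytes -> %d, 2 bytes -> %d, 4 bytes -> %d\n",
           simulate_client(0), simulate_client(2), simulate_client(4));
    return 0;
}
```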



Re: Incomplete startup packet errors

From
Magnus Hagander
Date:
On Wed, Apr 13, 2016 at 3:56 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Magnus Hagander <magnus@hagander.net> writes:
> > On Wed, Apr 13, 2016 at 10:24 AM, Peter Geoghegan <pg@heroku.com> wrote:
> >> On Wed, Apr 13, 2016 at 1:02 AM, Magnus Hagander <magnus@hagander.net>
> >> wrote:
> >>> It's fairly common to see a lot of "Incomplete startup packet" in the
> >>> logfiles caused by monitoring or healthcheck connections.
>
> >> I've also seen it caused by port scanning.
>
> > Yes, definitely. Question there might be if that's actually a case when we
> > *want* that logging?
>
> I should think someone might.  But I doubt we want to introduce another
> GUC for this.  Would it be okay to downgrade the message to DEBUG1 if
> zero bytes were received?

Yeah, that was my suggestion - I think that's a reasonable compromise.  And yes, I agree that a separate GUC for it would be a huge overkill.


--

Re: Incomplete startup packet errors

From
Tatsuo Ishii
Date:
>> I've also seen it caused by port scanning.
>>
> 
> Yes, definitely. Question there might be if that's actually a case when we
> *want* that logging?

Is it possible a user wants the log because he/she wants to notice that
the system is being attacked?
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp



Re: Incomplete startup packet errors

From
Robert Haas
Date:
On Wed, Apr 13, 2016 at 10:30 AM, Tatsuo Ishii <ishii@postgresql.org> wrote:
>>> I've also seen it caused by port scanning.
>>
>> Yes, definitely. Question there might be if that's actually a case when we
>> *want* that logging?
>
> Is it possible a user wants the log because he/she wants to notice that
> the system is being attacked?

Yeah, but it doesn't seem very likely, because:

1. If the system is on the Internet, it's definitely being attacked, and

2. The attacks that connect to a port and then disconnect are not the
ones you should be most worried about, and

3. The right way to detect attacks is through OS-level monitoring or
firewall-level monitoring, and nothing we do in PG is going to come
close to the same value.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: Incomplete startup packet errors

From
Tatsuo Ishii
Date:
>> Is it possible a user wants the log because he/she wants to notice that
>> the system is being attacked?
> 
> Yeah, but it doesn't seem very likely, because:
> 
> 1. If the system is on the Internet, it's definitely being attacked, and
> 
> 2. The attacks that connect to a port and then disconnect are not the
> ones you should be most worried about, and
> 
> 3. The right way to detect attacks is through OS-level monitoring or
> firewall-level monitoring, and nothing we do in PG is going to come
> close to the same value.

Ok, that makes sense.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese: http://www.sraoss.co.jp



Re: [HACKERS] Incomplete startup packet errors

From
Christoph Berg
Date:
Re: Magnus Hagander 2016-04-13 <CABUevEzq8_nSq7fwe0-fbOAK8S2YNN-PkfsamfEvy2-d3dRUoA@mail.gmail.com>
> > >>> It's fairly common to see a lot of "Incomplete startup packet" in the
> > >>> logfiles caused by monitoring or healthcheck connections.
> >
> > >> I've also seen it caused by port scanning.
> >
> > > Yes, definitely. Question there might be if that's actually a case when we
> > > *want* that logging?
> >
> > I should think someone might.  But I doubt we want to introduce another
> > GUC for this.  Would it be okay to downgrade the message to DEBUG1 if
> > zero bytes were received?
> >
> >
> Yeah, that was my suggestion - I think that's a reasonable compromise.  And
> yes, I agree that a separate GUC for it would be a huge overkill.

There have been numerous complaints about that log message, and the
usual reply is always something like what Pavel said recently:

"It is garbage. Usually it means nothing, but better to work live
without this garbage." [1]

[1] https://www.postgresql.org/message-id/CAFj8pRDtwsxj63%3DLaWSwA8u7NrU9k9%2BdJtz2gB_0f4SxCM1sQA%40mail.gmail.com

Let's get rid of it.

Christoph

Attachment