Date:      Thu, 23 Oct 2003 21:38:11 -0400
From:      Garance A Drosihn <drosih@rpi.edu>
To:        Brett Glass <brett@lariat.org>, security@freebsd.org
Subject:   Re: /var partition overflow (due to spyware?) in FreeBSD   default  install
Message-ID:  <p0600201cbbbe2f1e37c5@[128.113.24.47]>
In-Reply-To: <6.0.0.22.2.20031023183427.04e18d10@localhost>
References:  <6.0.0.22.2.20031023162326.04c1e008@localhost> <p0600201bbbbe19a62f97@[128.113.24.47]> <6.0.0.22.2.20031023183427.04e18d10@localhost>

At 6:41 PM -0600 10/23/03, Brett Glass wrote:
>At 06:01 PM 10/23/2003, Garance A Drosihn wrote:
>
>  > I do not think that the correct solution is to rotate
>  > the files at an even faster rate.
>
>Running newsyslog doesn't ALWAYS rotate the log

Uh, yeah, I know.  I'm the one who has been writing updates to
newsyslog for the past year.  I am pretty familiar with it.

What I meant was that in circumstances where "once per hour"
is not fast enough, then I do not believe the right solution
is to rotate files every five minutes.  Just MO.

The main point of my message was just to say that you're
going to cause other problems by running newsyslog so often,
so you need to come up with some better solution.

>  > Just how large is /var on the machine where you're
>  > seeing this problem?
>
>On the machine from which I took those messages, it's 256M.

Well, it is certainly a problem if you're getting enough
messages to fill that up that quickly.  From the details
you gave in your original message, it *may* be that the
thing to do is to change bind so:

sysquery: no addrs found for root NS (ns0.opennic.glue)
sysquery: no addrs found for root NS (ns1.opennic.glue)
sysquery: no addrs found for root NS (ns2.opennic.glue)

is collapsed into:
sysquery: no addrs found for root NS (ns*.opennic.glue)

and then syslogd's standard handling of "multiple lines"
would come into play.  Of course, that isn't really a
great solution either.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
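
The point about syslogd's handling of repeated lines, as an added example that is not part of the original message: a simplified Python model of consecutive-duplicate suppression, run over a constructed flood of the three quoted BIND messages, with and without the proposed `ns*` collapse. The function names and the regex filter are assumptions made for illustration; the message proposes making the change inside bind itself.

```python
import re

# Constructed sample: the three BIND messages quoted in the message above,
# cycling as they would during a flood (4 rounds = 12 lines).
SAMPLE = [
    f"sysquery: no addrs found for root NS (ns{i}.opennic.glue)"
    for _ in range(4) for i in range(3)
]

# Hypothetical normaliser producing the "ns*" form proposed in the message.
NS_PATTERN = re.compile(r"\(ns\d+\.opennic\.glue\)")

def normalise(msg):
    return NS_PATTERN.sub("(ns*.opennic.glue)", msg)

def suppress_repeats(messages):
    """Simplified model of syslogd's repeat handling: consecutive identical
    messages are written once, then 'last message repeated N times'.
    (Real syslogd also flushes the count on a timer; omitted here.)"""
    out = []
    prev, repeats = None, 0
    for msg in messages:
        if msg == prev:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(msg)
        prev, repeats = msg, 0
    if repeats:
        out.append(f"last message repeated {repeats} times")
    return out

def compare(messages):
    """Return (lines written as logged today, lines written after collapse)."""
    raw = suppress_repeats(messages)
    collapsed = suppress_repeats(normalise(m) for m in messages)
    return raw, collapsed

if __name__ == "__main__":
    raw, collapsed = compare(SAMPLE)
    print(f"as logged today:  {len(raw)} lines written")
    print(f"after collapsing: {len(collapsed)} lines written")
    for line in collapsed:
        print("  " + line)
```

Because the three server names alternate, no two adjacent lines match and nothing is suppressed; once they share one text, the whole burst reduces to a single line plus a repeat count.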
