From owner-freebsd-questions@FreeBSD.ORG  Thu Sep  9 17:41:47 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 55E0216A4CE
	for <questions@freebsd.org>; Thu,  9 Sep 2004 17:41:47 +0000 (GMT)
Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3973243D1F
	for <questions@freebsd.org>; Thu,  9 Sep 2004 17:41:47 +0000 (GMT)
	(envelope-from pauls@utdallas.edu)
Received: from utd49554 (utd49554.utdallas.edu [129.110.3.85])
	by smtp1.utdallas.edu (Postfix) with ESMTP id F273A389199;
	Thu,  9 Sep 2004 12:41:46 -0500 (CDT)
Date: Thu, 09 Sep 2004 12:42:03 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: Bill Moran <wmoran@potentialtech.com>
Message-ID: <4F74CEAE598E547F3B43C2C3@utd49554.utdallas.edu>
In-Reply-To: <20040909130333.67242dc4.wmoran@potentialtech.com>
References: <44A044721750C2FA9877513F@utd49554.utdallas.edu>
 <20040909130333.67242dc4.wmoran@potentialtech.com>
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
cc: questions@freebsd.org
Subject: Re: Phantom /var full messages
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Paul Schmehl <pauls@utdallas.edu>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2004 17:41:47 -0000

--On Thursday, September 09, 2004 01:03:33 PM -0400 Bill Moran 
<wmoran@potentialtech.com> wrote:
>>
>> Any hints would be welcomed.  What's the best way to troubleshoot this
>> problem?
>
> First, if you could isolate it to just snort or just MySQL.
>
> Typically, folks have this problem because they try to rotate log files
> without restarting the program that's logging to them.  The rotate program
> compresses the current log file into a new file, then deletes the original
> file ... but the program is still logging to it.  Thus the space fills up,
> but there is no file to see the space in.  Restarting the program doing
> the logging causes the old file to disappear, and a new log file to be
> created.
>
> On a guess, Snort would be the first thing I'd look at.  However, MySQL
> can create a TON of data if logging is enabled, so you may want to look
> closely at it as well.
>
Thanks, Bill.  That's really helpful.  I suspected it was snort, but I 
wasn't sure.  I'll shut down one process at a time and see when df "returns 
to normal".  I am using newsyslog.conf which *should* HUP processes when 
logs are turned over, but maybe I missed something.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu