From owner-freebsd-questions@FreeBSD.ORG  Fri Sep 10 17:19:32 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E500F16A4CE
	for <questions@freebsd.org>; Fri, 10 Sep 2004 17:19:32 +0000 (GMT)
Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C65E243D49
	for <questions@freebsd.org>; Fri, 10 Sep 2004 17:19:32 +0000 (GMT)
	(envelope-from pauls@utdallas.edu)
Received: from utd49554 (utd49554.utdallas.edu [129.110.3.85])
	by smtp1.utdallas.edu (Postfix) with ESMTP id 30CD13891E1;
	Fri, 10 Sep 2004 12:19:32 -0500 (CDT)
Date: Fri, 10 Sep 2004 12:19:48 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: Sergey Zaharchenko <doublef@tele-kom.ru>,
	FreeBSD-questions <questions@freebsd.org>
Message-ID: <E60E4345EC27A92CEF6E941D@utd49554.utdallas.edu>
In-Reply-To: <20040910154300.GA4588@shark.localdomain>
References: <B2230B47178C9E38431A941A@utd49554.utdallas.edu>
 	<200409101523.i8AFNCr07551@clunix.cl.msu.edu>
 <20040910154300.GA4588@shark.localdomain>
X-Mailer: Mulberry/3.1.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: Phantom /var full messages
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Paul Schmehl <pauls@utdallas.edu>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2004 17:19:33 -0000

--On Friday, September 10, 2004 07:43:00 PM +0400 Sergey Zaharchenko 
<doublef@tele-kom.ru> wrote:
>
> Correct. du can only show the `named' space (the size of files which are
> not unlinked-but-open).
>
> One of the ways to find out what has the largest files open is
>
># fstat | grep /var | sort -r -n -k 8 | head
>
Apparently snort is the culprit.  When I killed snort (mysqld is still 
running), df began to report less and less space used until it agreed with 
du again.

Here's the results of the fstat command per your suggestion:

bash-2.05b# fstat | grep var | sort -r -n -k 8 | head
mysql    mysqld       189   56 /var     1036492 -rw-rw----  4294967276 rw
root     snort        341    6 /var     3491966 -rw-------  1260683393 rw

The second file is the only one in the top ten that belonged to snort.

How do you convert the filenames from numbers to names?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu