Date: Sat, 11 Sep 2004 00:55:51 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: Sergey Zaharchenko <doublef@tele-kom.ru>, FreeBSD-questions <questions@freebsd.org>
Subject: Re: Phantom /var full messages
Message-ID: <2147483647.1094864151@[192.168.2.102]>
In-Reply-To: <20040911043010.GA1010@shark.localdomain>
References: <B2230B47178C9E38431A941A@utd49554.utdallas.edu> <200409101523.i8AFNCr07551@clunix.cl.msu.edu> <20040910154300.GA4588@shark.localdomain> <E60E4345EC27A92CEF6E941D@utd49554.utdallas.edu> <16705.60023.810017.265417@jerusalem.litteratus.org> <20040911043010.GA1010@shark.localdomain>

--On Saturday, September 11, 2004 8:30 AM +0400 Sergey Zaharchenko <doublef@tele-kom.ru> wrote:

> Actually, if the files in question are opened and unlinked, then they
> have no `name' in the filesystem and find(1) won't help you.

Interesting. I did a find /var -inum {inode_num} and got the name of the file. (session.log, which *should* be hupped when it's turned over.)

I've posted on the snort list to see if anyone is aware of this or has seen the problem before.

In the meantime, I've commented out the log in the conf file so the server won't gag when I'm not paying attention to it.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
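
The two cases discussed in this message, a log file that is open and still named versus one that is open and unlinked, shown as an added example that is not part of the original e-mail. The temporary directory, the `session.log` contents and the helper names are constructed for illustration; `names_for_inode` mirrors what `find <dir> -inum N` does.

```python
import os
import tempfile


def names_for_inode(root, inode):
    """Walk root like `find root -inum N` and return paths with that inode."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_ino == inode:
                    hits.append(path)
            except FileNotFoundError:
                continue  # entry vanished while walking
    return hits


def classify_open_file(fd, root):
    """Describe an open descriptor: link count, size, and any names under root."""
    st = os.fstat(fd)
    return {
        "inode": st.st_ino,
        "links": st.st_nlink,   # 0 means open but unlinked
        "size": st.st_size,     # space is still consumed either way
        "names": names_for_inode(root, st.st_ino),
    }


def demo():
    """Create a constructed session.log, inspect it, unlink it, inspect again."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "session.log")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        try:
            os.write(fd, b"x" * 4096)
            named = classify_open_file(fd, root)      # inode search finds it
            os.unlink(path)
            os.write(fd, b"y" * 4096)                 # writer keeps growing it
            unlinked = classify_open_file(fd, root)   # inode search finds nothing
        finally:
            os.close(fd)
    return named, unlinked


if __name__ == "__main__":
    for label, info in zip(("named", "unlinked"), demo()):
        print(label, info)
```
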