From owner-freebsd-questions@FreeBSD.ORG  Sat Sep 11 05:55:52 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C6E5916A4CE
	for <questions@freebsd.org>; Sat, 11 Sep 2004 05:55:52 +0000 (GMT)
Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7956C43D41
	for <questions@freebsd.org>; Sat, 11 Sep 2004 05:55:52 +0000 (GMT)
	(envelope-from pauls@utdallas.edu)
Received: from [192.168.2.102] (adsl-68-93-63-83.dsl.rcsntx.swbell.net
	[68.93.63.83])
	by smtp1.utdallas.edu (Postfix) with ESMTP id E48A83891F8;
	Sat, 11 Sep 2004 00:55:51 -0500 (CDT)
Date: Sat, 11 Sep 2004 00:55:51 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: Sergey Zaharchenko <doublef@tele-kom.ru>,
	FreeBSD-questions <questions@freebsd.org>
Message-ID: <2147483647.1094864151@[192.168.2.102]>
In-Reply-To: <20040911043010.GA1010@shark.localdomain>
References: <B2230B47178C9E38431A941A@utd49554.utdallas.edu>
 	<200409101523.i8AFNCr07551@clunix.cl.msu.edu>
 	<20040910154300.GA4588@shark.localdomain>
 	<E60E4345EC27A92CEF6E941D@utd49554.utdallas.edu>
 	<16705.60023.810017.265417@jerusalem.litteratus.org>
 <20040911043010.GA1010@shark.localdomain>
X-Mailer: Mulberry/3.0.3 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: Phantom /var full messages
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Paul Schmehl <pauls@utdallas.edu>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Sep 2004 05:55:52 -0000

--On Saturday, September 11, 2004 8:30 AM +0400 Sergey Zaharchenko 
<doublef@tele-kom.ru> wrote:
>
> Actually, if the files in question are opened and unlinked, then they
> have no `name' in the filesystem and find(1) won't help you.
>
Interesting.  I did a find /var -inum {inode_num} and got the name of the 
file.  (session.log, which *should* be hupped when it's turned over.)  I've 
posted on the snort list to see if anyone is aware of this or has seen the 
problem before.  In the meantime, I've commented out the log in the conf 
file so the server won't gag when I'm not paying attention to it.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu