Date: Fri, 6 Feb 1998 06:12:43 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: jonny@coppe.ufrj.br (Joao Carlos Mendes Luis)
Cc: tlambert@primenet.com, current@FreeBSD.ORG
Subject: Re: PATCH: new option for newsyslog
Message-ID: <199802060612.XAA04400@usr06.primenet.com>
In-Reply-To: <199802060227.AAA12892@gaia.coppe.ufrj.br> from "Joao Carlos Mendes Luis" at Feb 6, 98 00:27:52 am

> #define quoting(Terry Lambert)
> // When debugging problems that show up in the logs, it's useful to
> // be able to zero the logs.
>
> Yes, but does rotating ALL the logs really help?
>
> For example, I don't want to rotate the maillog if the problem is not
> concerned with the mail system.

That's what I thought, until I found out that the reason smtpd was
getting read timeouts was because the ppp link went down, and not
as a result of a bug in smtpd.

It's also what I thought when sendmail wasn't processing its outbound
mail, until I examined the kernel and firewall logs and saw that an
inbound TCP packet reject was either dumping the system or dumping the
process before it could finish processing.

> Maybe you could define another file, but then you could also define
> another set of ranges for this newsyslog file, so small that almost
> always the log would rotate. If it does not rotate, then it's probably
> not worth doing so.

When a consultant dials into a site he's supporting, he would rather
fix the problem than diddle lock files.

Remember that the data is not lost, only forcibly rotated so that you
can examine only the data during the period of time when the customer
is demonstrating the problem to you.

> For example, a file with more than 1K should be rotated. A file
> with less than 1K is not big enough to make trouble reading it.

The kernel log is frequently 1k, and it contains things like
"WARNING: / was not cleanly unmounted" (i.e., your system silently
rebooted) or "kernel: panic: page fault in kernel mode".

What's worth reading is relative.

What is definitely *not* worth reading is all of the log information
that occurred before the attempt at demonstration. The only way to
mark that point in time easily is to zero the log files.

I could just as easily do:

	cd /var/log
	# live logs only: regular files whose names do not end in a digit
	zap=`find . -type f -name "*[!0-9]"`
	for i in $zap
	do
		cat /dev/null > "$i"
	done

But then, of course, I'd lose information which may not be pertinent
to the current problem, but which I wouldn't want to lose.

> If it's not enough, just make newsyslog support rotate size or
> rotate time values as zero.

Ugh. Then I have to know what's in the existing newsyslog.conf so
I can make a modified version of it. 8-(.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
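
An added sketch, not part of the message above and not newsyslog's own code: the "force a rotation now, but keep the old data" behaviour the message argues for, contrasted with the truncating loop. The function name force_rotate, the KEEP default and the copy-then-truncate approach are assumptions made for this example; it also assumes rotated copies are named NAME.0, NAME.1, ... and skips compressed ones.

```shell
#!/bin/sh
# force_rotate DIR [KEEP]
# Rotate every live log in DIR immediately, regardless of size or age,
# so that the live files hold only what is logged from this point on.
# Hypothetical helper for illustration; names and defaults are assumed.
force_rotate() {
    dir=$1
    keep=${2:-5}                      # generations to retain (assumed default)
    for log in "$dir"/*[!0-9]; do     # names not ending in a digit
        [ -f "$log" ] || continue     # skip directories and an unmatched glob
        case $log in
            *.gz|*.Z) continue ;;     # already-compressed generations
        esac
        # Shift older generations up by one; the oldest is overwritten.
        n=$((keep - 1))
        while [ "$n" -gt 0 ]; do
            prev=$((n - 1))
            if [ -f "$log.$prev" ]; then
                mv -f "$log.$prev" "$log.$n"
            fi
            n=$prev
        done
        # Preserve the pre-demonstration contents as NAME.0, then empty
        # the live file in place so writers keep their open descriptor.
        # Lines written between the copy and the truncate can be lost.
        cp -p "$log" "$log.0"
        : > "$log"
    done
}
```

Unlike `cat /dev/null > file`, the earlier entries stay available in NAME.0 for later review.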