From: Louis LeBlanc
Date: Sun, 4 Nov 2001 23:03:13 -0500
To: freebsd-questions@FreeBSD.org
Subject: Re: httpd log files big
Message-ID: <20011104230313.C35500@keyslapper.org>

On 11/04/01 05:53 AM, Mark Hughes sat at the `puter and typed:
> On Sun, 4 Nov 2001, brain_damaged wrote:
>
> > Hello
> > I noticed that my / was full.
> > I could not understand why and noticed that under
> > /var/log that my httpd-access and httpd-error logs are over 8 megs big.
> > I am running apache 3.1.9
> > I am not sure where to set up a log rotation for it so that they don't get that big.
> > how do I do that or can I ?
>
> Sounds like nimda's doing. I came to my log files the other day on my
> machine attached to my DSL line, and they'd shot up to 25MB - which is
> ridiculous given that the web server itself has probably done less than
> 100 hits since June.
>
> It is possible to set up a log rotation script - I'm not sure of the
> "correct" way of doing it, but what I'd do would be to run a nightly or
> weekly cron job which called a script that:
>
> 1) copied and gzip'd the old log files to an archive location
> 2) touch'd new logfiles
> 3) restarted apache to get it using the new log files.
>
> Shouldn't be too challenging to write a script to do that.

Ryan Thompson mentions logrotate in his response. IIRC, logrotate is
one of the Linux tools used to rotate logs. But he's close, it's
actually rotatelogs (8). The manpage doesn't go into a whole lot of
detail as to how to use it, and the horse book doesn't even mention it.

OTOH, you could just use newsyslog, but you can't do a blanket roll with
just one signal. This is what I did in /etc/newslog.conf:

    /var/log/https_engine_log    644  5  *  $W6D0  Z
    /var/log/https_request_log   644  5  *  $W6D0  Z
    /var/log/httpd-access_log    644  5  *  $W6D0  Z
    /var/log/httpd-error_log     644  5  *  $W6D0  Z  /var/run/httpd.pid

Of course you need to set the paths and filenames to your system, but
this will hopefully roll the logs and send the SIGHUP to Apache when the
last one is rolled (Saturday night at Midnight). IIRC, newsyslog is run
on cron by default, so you don't even have to reboot.

Not as nice as rotatelogs, but easier to set up until you can figure out
the rotatelogs details.

> > And does anyone have a perl script or program to read the httpd
> > logs and pull out failed access or something to auto notify of
> > virus attacks or such ?
>
> I think there is a couple of apache perl modules called Apache::CodeRed
> and Apache::Nimda - available from http://acadia.ne.mediaone.net/Nimda/

These modules will be moving permanently to
http://www.keyslapper.org/Nimda/, but I will be redirecting acadia
shortly. I'd suggest going with the Nimda module at least (I suspect
Nimda has done more to cause the extinction of CodeRed than all the
other control methods together).

These modules, and some of the config suggestions on that page will also
help eliminate those messages from your logs if you like.

Cheers
Lou
-- 
Louis LeBlanc       leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                 Ô¿Ô¬

Murphy's Law of Research:
  Enough research will tend to support your theory.
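
Added example, not part of the message above and not the Apache::CodeRed or Apache::Nimda modules: a small log reader of the kind the original poster asked for, counting Code Red and Nimda probes per source host. It assumes Common Log Format and uses the widely reported request-path markers for the two worms (an assumption, not taken from the thread); the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Request-path markers widely reported for the 2001 worms
# (assumed list for this example; extend it to match what your logs show).
SIGNATURES = {
    "CodeRed": re.compile(r"/default\.ida\?", re.I),
    "Nimda": re.compile(r"/(cmd|root)\.exe(\?|$)", re.I),
}
# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [04/Nov/2001:22:14:03 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [04/Nov/2001:22:14:09 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.7 - - [04/Nov/2001:22:14:10 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '203.0.113.44 - - [04/Nov/2001:22:15:31 -0500] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 271',
    'truncated line that is not in Common Log Format',
]

def classify(request):
    """Return the worm name whose marker appears in the request path, else None."""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request  # tolerate malformed requests
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return None

def summarize(lines):
    """Count probes per worm and per source host; also count unparseable lines."""
    per_worm, per_host, skipped = Counter(), defaultdict(Counter), 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            skipped += 1
            continue
        worm = classify(m.group("request"))
        if worm:
            per_worm[worm] += 1
            per_host[m.group("host")][worm] += 1
    return per_worm, per_host, skipped

if __name__ == "__main__":
    worms, hosts, skipped = summarize(SAMPLE)
    for host, hits in sorted(hosts.items()):
        print(host, dict(hits))
    print("totals:", dict(worms), "unparsed lines:", skipped)
```

Run from cron against the access log (for example by passing an open file to summarize() instead of SAMPLE), the per-host counts can be mailed to the admin before the weekly roll compresses the file.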