Date:      Sat, 27 Oct 2001 11:29:48 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Mike Barcroft <mike@FreeBSD.ORG>
Cc:        void <float@firedrake.org>, Kris Kennaway <kris@obsecurity.org>, hackers@FreeBSD.ORG
Subject:   Re: syslogd and kqueue
Message-ID:  <3BDAFD1C.B7BF7ED4@mindspring.com>
References:  <20011026233957.A9925@parhelion.firedrake.org> <20011026200436.A61058@xor.obsecurity.org> <20011027043342.A18231@parhelion.firedrake.org> <20011027001704.B2586@coffee.q9media.com>

Mike Barcroft wrote:

> > I'm suggesting that the "kill" could be left out if syslogd got the same
> > smarts as "tail -F".
> 
> I recommend using newsyslog(8) for rotating log files.

I recommend _NOT_ using newsyslog for rotating files.

The newsyslog program bit us on the ass numerous times at
Whistle, where if it failed to be called, it would just
build up a big log file, fill up /var, and you'd end up
screwed even after it restarted, since it would leave /var
full.

The problem is that newsyslog doesn't "rewrite history".

As an example, say you have a size limit on a log file of
10k, and a number of files to keep of 6, so you never
expect it to take up more than 60k.

Now newsyslog fails, and you end up with the top level
log file being 1M, with 5 10k log files after it:

	1M, 10K, 10K, 10K, 10K, 10K

You start newsyslog up again (usually with a reboot, as
the failing program was "cron" or "at"), and it moves
the 1M file to the first log file, deletes the oldest,
and then creates a new log file.  You now have:

	0K, 1M, 10K, 10K, 10K, 10K

when what you wanted was really:

	0K, 10K, 10K, 10K, 10K, 10K

With the 5 10K files being the last 50K of the 1M file.

Now you can only rotate it out with another 10K of data
written to an already full /var (other log files are now
free to consume the 10K you freed up), and then it will
take 5 log rollovers before your /var is down to its
proper disk utilization again, and your system is back
to normal... and these can never happen.

Because of this, /var is still full, so anything that
needs /tmp is still broken, so you end up getting a call
for support about whatever it was that wasn't working.

Very, very ugly.

Until newsyslog is fixed to not be able to stage a
denial of service attack against you, I really, really
recommend against its use.

-- Terry
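
The following is an added example, not part of the original e-mail and not newsyslog code: it reproduces the 1M/10K scenario from the message with a conventional shift-by-one rotation, next to a rotation that "rewrites history" by keeping only the tail of an oversized log. The function names, the file name `messages` and the byte-based chunk split are assumptions made for illustration.

```python
import os, tempfile

def sizes(log, keep):
    """Sizes of the live log followed by archives .0 .. .(keep-2)."""
    names = [log] + [f"{log}.{i}" for i in range(keep - 1)]
    return [os.path.getsize(n) for n in names if os.path.exists(n)]

def rotate_naive(log, keep):
    """Shift each archive down one slot regardless of size, then start a new log."""
    for i in range(keep - 2, 0, -1):
        if os.path.exists(f"{log}.{i - 1}"):
            os.replace(f"{log}.{i - 1}", f"{log}.{i}")   # oldest is overwritten
    os.replace(log, f"{log}.0")
    open(log, "wb").close()

def rotate_bounded(log, limit, keep):
    """Rotate so the archives never exceed (keep - 1) * limit bytes in total."""
    slots = keep - 1
    size = os.path.getsize(log)
    n = min(slots, max(1, -(-size // limit)))    # tail chunks taken from the live log
    for i in range(slots - 1, -1, -1):           # free space first: shift or drop
        if os.path.exists(f"{log}.{i}"):
            if i + n < slots:
                os.replace(f"{log}.{i}", f"{log}.{i + n}")
            else:
                os.remove(f"{log}.{i}")
    with open(log, "rb") as f:                   # read at most slots * limit bytes
        f.seek(max(0, size - n * limit))
        tail = f.read()
    for k in range(n):                           # .0 receives the newest chunk
        end = len(tail) - k * limit
        with open(f"{log}.{k}", "wb") as out:    # byte split; may cut a line
            out.write(tail[max(0, end - limit):end])
    open(log, "wb").close()                      # truncate the live log

def build_failed_state(dirpath, limit=10 * 1024, keep=6):
    """Constructed sample: a 1M live log plus five 10K archives, as in the message."""
    log = os.path.join(dirpath, "messages")
    with open(log, "wb") as f:
        f.write(b"".join(b"%07d\n" % i for i in range(131072)))   # 8 bytes * 131072 = 1M
    for i in range(keep - 1):
        with open(f"{log}.{i}", "wb") as f:
            f.write(b"o" * limit)
    return log

if __name__ == "__main__":
    for name, rotate in (("naive", lambda l: rotate_naive(l, 6)),
                         ("bounded", lambda l: rotate_bounded(l, 10 * 1024, 6))):
        with tempfile.TemporaryDirectory() as d:
            log = build_failed_state(d)
            rotate(log)
            print(name, sizes(log, 6))
```
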
