From: Terry Lambert
Reply-To: tlambert2@mindspring.com
Date: Sat, 27 Oct 2001 11:29:48 -0700
To: Mike Barcroft
Cc: void, Kris Kennaway, hackers@FreeBSD.ORG
Subject: Re: syslogd and kqueue
Message-ID: <3BDAFD1C.B7BF7ED4@mindspring.com>

Mike Barcroft wrote:
> > I'm suggesting that the "kill" could be left out if syslogd got the same
> > smarts as "tail -F".
>
> I recommend using newsyslog(8) for rotating log files.

I recommend _NOT_ using newsyslog for rotating files.

The newsyslog program bit us on the ass numerous times at Whistle, where if it failed to be called, it would just build up a big log file, fill up /var, and you'd end up screwed even after it restarted, since it would leave /var full.

The problem is that newsyslog doesn't "rewrite history".

As an example, say you have a size limit on a log file of 10k, and a number of files to keep of 6, so you never expect it to take up more than 60k.

Now newsyslog fails, and you end up with the top level log file being 1M, with 5 10k log files after it:

    1M, 10K, 10K, 10K, 10K, 10K

You start newsyslog up again (usually with a reboot, as the failing program was "cron" or "at"), and it moves the 1M file to the first log file, deletes the oldest, and then creates a new log file. You now have:

    0K, 1M, 10K, 10K, 10K, 10K

when what you wanted was really:

    0K, 10K, 10K, 10K, 10K, 10K

With the 5 10K files being the last 50K of the 1M file.

Now you can only rotate it out with another 10K of data written to an already full /var (other log files are now free to consume the 10K you freed up), and then it will take 5 log rollovers before your /var is down to its proper disk utilization again, and your system is back to normal... and these can never happen.

Because of this, /var is still full, so anything that needs /tmp is still broken, so you end up getting a call for support about whatever it was that wasn't working.

Very, very ugly.

Until newsyslog is fixed to not be able to stage a denial of service attack against you, I really, really recommend against its use.

-- Terry
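The scenario in the message above, as an added example that is not part of the original post and is not newsyslog's code: `rotate_naive` models the whole-file shifting the message describes, and `rotate_capped` is one hypothetical way to "rewrite history" so the archives never exceed their byte budget. All function names, the `messages` file name and the file contents are constructed for illustration.

```python
import os
import tempfile

def tail_bytes(path, n):
    """Return at most the last n bytes of path without reading the rest."""
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(max(0, size - n))
        return f.read()

def rotate_naive(log, archives):
    """Behaviour described in the message: shift whole files, whatever their size."""
    for i in range(archives - 1, 0, -1):      # log.3 -> log.4 (oldest dropped), ...
        if os.path.exists(f"{log}.{i - 1}"):
            os.replace(f"{log}.{i - 1}", f"{log}.{i}")
    os.replace(log, f"{log}.0")
    open(log, "wb").close()                   # fresh, empty live log

def rotate_capped(log, limit, archives):
    """Keep only the newest archives*limit bytes, split into limit-sized files."""
    budget = archives * limit
    kept = b""
    for path in [log] + [f"{log}.{i}" for i in range(archives)]:  # newest first
        if len(kept) >= budget:
            break
        if os.path.exists(path):
            kept = tail_bytes(path, budget - len(kept)) + kept
    open(log, "wb").close()                   # truncate first so a full /var gets space back
    for i in range(archives):                 # log.0 receives the newest chunk
        end = len(kept) - i * limit
        chunk = kept[max(0, end - limit):end] if end > 0 else b""
        with open(f"{log}.{i}", "wb") as f:
            f.write(chunk)                    # byte-based split; may cut a line in two

def sizes(log, archives):                     # bytes in [live, log.0, log.1, ...]
    paths = [log] + [f"{log}.{i}" for i in range(archives)]
    return [os.path.getsize(p) if os.path.exists(p) else 0 for p in paths]

def demo(rotate):
    """Constructed scenario from the message: 1M live log plus five 10K archives."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        with open(log, "wb") as f:
            f.write(b"n" * 1024 * 1024)
        for i in range(5):
            with open(f"{log}.{i}", "wb") as f:
                f.write(b"o" * 10 * 1024)
        rotate(log)
        return sizes(log, 5)
```

Calling `demo(lambda log: rotate_naive(log, 5))` reproduces the 0K, 1M, 10K, 10K, 10K, 10K layout, while `demo(lambda log: rotate_capped(log, 10 * 1024, 5))` gives the 0K plus five 10K files the message asks for. Truncating before the archives are rewritten trades crash safety for the ability to run on a full filesystem.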