Date: Tue, 15 Oct 2002 10:33:21 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-questions@FreeBSD.ORG Subject: Sizing /var (was Re: monitor ALL connections to ALL ports) Message-ID: <20021015093321.GA64319@happy-idiot-talk.infracaninophi> In-Reply-To: <20021015023521.GB19297@mrv.tusur.ru> References: <20021014205437.GA21823@blossom.cjclark.org> <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net> <20021014224225.GB61025@happy-idiot-talk.infracaninophi> <20021015023521.GB19297@mrv.tusur.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Oct 15, 2002 at 10:35:21AM +0800, Roman V. Mashak wrote: > Could you describe some methods of counting /var-partition size > for saving there: > 1) 'maillog' data > 2) 'ipfw' logs. That's a very hard question to answer. It depends on so many different variables --- how much traffic you're seeing, how much you choose to log, how long you keep log files around and even how compressible the resulting log files are. Now, there's no point getting too precise with all this. On machines I set up for personal use I tend to create a /var partition of 128Mb, and on my home machine at the moment /var is running at 35% percent full. That's fine --- plenty of room for growth or unexpected peaks in traffic (remember the nimda worm?). I wouldn't be too unhappy if usage had stabilized at anywhere up to about 75% full. For most uses a 128Mb /var partition should be fine. The exceptions are: i) You may need plenty of space in /var/crash if you're going to be debugging system crashes. Each crashdump will require slightly more space than the total RAM in your machine, and you usually need to have several sets to work with. Nb. /var/crash is the traditional place to store crash dumps, but it's easy enough to configure the system to use a different partition, which is what I do. ii) You run a particularly busy server --- say your mail or web server gets 100,000 hits in a day and each hit results in about 200 bytes of log message. That's approximately 20Mb a day. Without compression, that's enough to fill up a 128Mb partition inside a week. Assuming you get 80% compression with gzip (not unreasonable for log files) that will give you space for roughly a month's worth of log files. iii) You log an unreasonably large amount of stuff. Suppose the average size of web page (or mail message) on your server is 15kb. You choose to log every http / smtp packet your server deals with --- with a MTU of 1500 bytes that's 10 packets just for sending out the web page or message. So we're looking at approximately a 10 fold increase in the amount of logging data to deal with over (ii), or enough to overflow a 128Mb partition in less than a day without compression. Now, those numbers are approximate, but not unrealistic. I've taken no account of all the other stuff that lives in /var, but that tends to be reasonably constant in size. The best way to proceed is to make this sort of rough calculation to get a ball-park idea of what the right size should be, add some extra for luck and then try it out. Keep a record of how much of the partition is in use each day and examine the trends to see whether it's going to stabilize at around a reasonable percentage. If not, then you can fiddle with the settings in /etc/newsyslog.conf or switch to bzip2 compression or (if the worst comes to the worst) mount a larger partition on /var/log and next time you have the machine scheduled for major maintenance rebuild it with a bigger /var. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021015093321.GA64319>