Date: Tue, 15 Oct 2002 10:33:21 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: freebsd-questions@FreeBSD.ORG Subject: Sizing /var (was Re: monitor ALL connections to ALL ports) Message-ID: <20021015093321.GA64319@happy-idiot-talk.infracaninophi> In-Reply-To: <20021015023521.GB19297@mrv.tusur.ru> References: <20021014205437.GA21823@blossom.cjclark.org> <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net> <20021014224225.GB61025@happy-idiot-talk.infracaninophi> <20021015023521.GB19297@mrv.tusur.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Oct 15, 2002 at 10:35:21AM +0800, Roman V. Mashak wrote:
> Could you describe some methods of counting /var-partition size
> for saving there:
> 1) 'maillog' data
> 2) 'ipfw' logs.
That's a very hard question to answer. It depends on so many
different variables --- how much traffic you're seeing, how much you
choose to log, how long you keep log files around and even how
compressible the resulting log files are.
Now, there's no point getting too precise with all this. On machines
I set up for personal use I tend to create a /var partition of 128Mb,
and on my home machine at the moment /var is running at 35% percent
full. That's fine --- plenty of room for growth or unexpected peaks
in traffic (remember the nimda worm?). I wouldn't be too unhappy if
usage had stabilized at anywhere up to about 75% full.
For most uses a 128Mb /var partition should be fine. The exceptions
are:
i) You may need plenty of space in /var/crash if you're going to
be debugging system crashes. Each crashdump will require
slightly more space than the total RAM in your machine, and you
usually need to have several sets to work with.
Nb. /var/crash is the traditional place to store crash dumps,
but it's easy enough to configure the system to use a different
partition, which is what I do.
ii) You run a particularly busy server --- say your mail or web
server gets 100,000 hits in a day and each hit results in about
200 bytes of log message. That's approximately 20Mb a day.
Without compression, that's enough to fill up a 128Mb partition
inside a week. Assuming you get 80% compression with gzip (not
unreasonable for log files) that will give you space for
roughly a month's worth of log files.
iii) You log an unreasonably large amount of stuff. Suppose the
average size of web page (or mail message) on your server is
15kb. You choose to log every http / smtp packet your server
deals with --- with a MTU of 1500 bytes that's 10 packets just
for sending out the web page or message. So we're looking at
approximately a 10 fold increase in the amount of logging data
to deal with over (ii), or enough to overflow a 128Mb partition
in less than a day without compression.
Now, those numbers are approximate, but not unrealistic. I've taken
no account of all the other stuff that lives in /var, but that tends
to be reasonably constant in size. The best way to proceed is to make
this sort of rough calculation to get a ball-park idea of what the
right size should be, add some extra for luck and then try it out.
Keep a record of how much of the partition is in use each day and
examine the trends to see whether it's going to stabilize at around a
reasonable percentage. If not, then you can fiddle with the settings
in /etc/newsyslog.conf or switch to bzip2 compression or (if the worst
comes to the worst) mount a larger partition on /var/log and next time
you have the machine scheduled for major maintenance rebuild it with a
bigger /var.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021015093321.GA64319>