From: Matthew Seaman
To: freebsd-questions@FreeBSD.ORG
Date: Tue, 15 Oct 2002 10:33:21 +0100
Subject: Sizing /var (was Re: monitor ALL connections to ALL ports)

On Tue, Oct 15, 2002 at 10:35:21AM +0800, Roman V.
Mashak wrote:

> Could you describe some methods of counting /var-partition size
> for saving there:
> 1) 'maillog' data
> 2) 'ipfw' logs.

That's a very hard question to answer.  It depends on so many
different variables --- how much traffic you're seeing, how much you
choose to log, how long you keep log files around and even how
compressible the resulting log files are.

Now, there's no point getting too precise with all this.  On machines
I set up for personal use I tend to create a /var partition of 128Mb,
and on my home machine at the moment /var is running at 35% full.
That's fine --- plenty of room for growth or unexpected peaks in
traffic (remember the nimda worm?).  I wouldn't be too unhappy if
usage had stabilized at anywhere up to about 75% full.

For most uses a 128Mb /var partition should be fine.  The exceptions
are:

i) You may need plenty of space in /var/crash if you're going to be
debugging system crashes.  Each crashdump will require slightly more
space than the total RAM in your machine, and you usually need to
have several sets to work with.  Nb. /var/crash is the traditional
place to store crash dumps, but it's easy enough to configure the
system to use a different partition, which is what I do.

ii) You run a particularly busy server --- say your mail or web
server gets 100,000 hits in a day and each hit results in about 200
bytes of log message.  That's approximately 20Mb a day.  Without
compression, that's enough to fill up a 128Mb partition inside a
week.  Assuming you get 80% compression with gzip (not unreasonable
for log files) that will give you space for roughly a month's worth
of log files.

iii) You log an unreasonably large amount of stuff.  Suppose the
average size of a web page (or mail message) on your server is 15kb.
You choose to log every http / smtp packet your server deals with ---
with an MTU of 1500 bytes that's 10 packets just for sending out the
web page or message.
So we're looking at approximately a 10 fold increase in the amount of
logging data to deal with over (ii), or enough to overflow a 128Mb
partition in less than a day without compression.

Now, those numbers are approximate, but not unrealistic.  I've taken
no account of all the other stuff that lives in /var, but that tends
to be reasonably constant in size.

The best way to proceed is to make this sort of rough calculation to
get a ball-park idea of what the right size should be, add some extra
for luck and then try it out.  Keep a record of how much of the
partition is in use each day and examine the trends to see whether
it's going to stabilize at around a reasonable percentage.  If not,
then you can fiddle with the settings in /etc/newsyslog.conf or
switch to bzip2 compression or (if the worst comes to the worst)
mount a larger partition on /var/log and next time you have the
machine scheduled for major maintenance rebuild it with a bigger
/var.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
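
The rough calculation and the daily usage record described in the message above, as an added example that is not part of the original message. The function names (days_of_logs, record_usage, days_until_full, sample_records) and the sample records are constructed for illustration; the 128 MB partition, 100,000 events of 200 bytes, 80% compression and 75% ceiling are the message's own figures.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# days_of_logs PART_MB EVENTS_PER_DAY BYTES_PER_EVENT COMPRESSION_PCT(<100)
# Whole days of logs that fit, ignoring the rest of /var and treating
# every retained log as compressed (both are simplifications).
days_of_logs() {
    echo $(( $1 * 1048576 * 100 / ($2 * $3 * (100 - $4)) ))
}

# record_usage MOUNTPOINT FILE: append "epoch_day used_kb total_kb".
# Intended to be run once a day, e.g. from cron.
record_usage() {
    df -kP "$1" | awk -v day="$(( $(date +%s) / 86400 ))" \
        'NR == 2 { print day, $3, $2 }' >> "$2"
}

# days_until_full LIMIT_PCT < FILE
# Least-squares slope of used_kb per day; prints whole days from the last
# sample until usage reaches LIMIT_PCT of the partition, or "stable" if
# usage is flat or falling.
days_until_full() {
    awk -v pct="$1" '
        NR == 1 { first = $1 }
        { x = $1 - first; n++; sx += x; sy += $2; sxx += x * x
          sxy += x * $2; used = $2; total = $3 }
        END {
            d = n * sxx - sx * sx
            if (n < 2 || d == 0) { print "insufficient-data"; exit }
            slope = (n * sxy - sx * sy) / d
            if (slope <= 0) { print "stable"; exit }
            limit = total * pct / 100
            if (used >= limit) { print 0; exit }
            printf "%d\n", (limit - used) / slope
        }'
}

# Constructed sample: one week of a 128 MB /var growing 2000 KB a day.
sample_records() {
    printf '%s\n' '11975 40000 131072' '11976 42000 131072' \
        '11977 44000 131072' '11978 46000 131072' '11979 48000 131072' \
        '11980 50000 131072' '11981 52000 131072'
}

echo "busy server, no compression:  $(days_of_logs 128 100000 200 0) days"
echo "busy server, 80% compression: $(days_of_logs 128 100000 200 80) days"
echo "days until 75% full: $(sample_records | days_until_full 75)"
```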