| From: | Lamar Owen <lamar(dot)owen(at)wgcr(dot)org> |
|---|---|
| To: | "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, Dave Cramer <Dave(at)micro-automation(dot)net>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Log files, how to rotate properly |
| Date: | 2001-06-14 14:30:33 |
| Message-ID: | 01061410303300.00942@lowen.wgcr.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wednesday 13 June 2001 17:45, Dominic J. Eidson wrote:
> On Wed, 13 Jun 2001, Lamar Owen wrote:
> > I have yet to see a 'lost' syslog message here, in over three years.
> I've actually seen lost and partial/mangled messages come out of syslog -
> during a 7Mbit/second DDoS that was being logged due to ipchains ... -l.
Well, I guess my slow 1.544Mbps T1 isn't fast enough to cause my PIII-600 to
croak under the load of 24x7 service. And I've seen the DDoS attacks as well
-- which is one reason the packet filter logs from the cisco 2514 go to a
dedicated host (that cannot be reached from the outside, thanks to NAT) that
is also running snort.
> Not that this happens _too_ often - we're talking 58k lines of log in a
> very short amount of time.
> (I agree with Lamar - it's just a "I've seen it happen" :)
Well, I've also seen PostgreSQL 'lose' 15k tuples during a vacuum before
(6.3.2 -- 7.0 apparently fixed the problem). Judicious placement of the
logging hosts can prevent this lossage -- IOW, don't put all your eggs in one
basket.
Which is why my snort machine handles the heavy traffic logs -- it has a 27GB
drive in it and does nothing else. And systems capable of doing that are not
expensive -- I saw a P5 150 system on computersurplusoutlet.com for $39 US.
I've seen alot of oddball things -- including a tape deck running by itself
when not plugged in (in a 1000V/m RF field) -- but I've yet to see a dropped
syslog message -- not that it can't or won't happen, but that it is unlikely.
The suggestion to use DJB's multilog (by another poster) is a relatively good
one -- but I am very wary of DJ's license -- when he's gone,the user of his
software will be just plain stuck. I'd like to see the potential problems
with syslog fixed, rather than another solution entirely. This is, after
all, open source we're talking about, where a body can jump in to a project
and help out any time one wishes :-).
But make sure you block the UDP port syslog uses from coming in from the
outside.....
--
Lamar Owen
WGCR Internet Radio
1 Peter 4:11
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alex Pilosov | 2001-06-14 14:31:06 | Re: Log files, how to rotate properly |
| Previous Message | bugi | 2001-06-14 14:22:26 | test |