The same functionality exists in logrotate, and is a standard part of many Linux OSes.

Richard

-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Nate Campi
Sent: Saturday, February 01, 2003 10:33 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng]syslog-ng log file rotation based on size

Many of us run syslog-ng on systems with a 2 gig file size limit. An attacker can flood our loghost until logs reach 2 gigs in size, at which point syslog-ng cannot write to the file any further.
If you run cfengine on your loghost, you can make it rotate logs based on size:
--------------------------------------------------------
disable:
   loghost::
      /var/log/messages size=>2000mb rotate=100 define=syslog_rotated
      /var/log/syslog size=>2000mb rotate=100 define=syslog_rotated

processes:
   loghost.syslog_rotated::
      "syslog-ng" signal=hup

shellcommands:
   loghost.syslog_rotated::
      "/bin/echo a log file in /var/log was rotated to avoid the 2 gig file limit on loghost|/usr/bin/mail -s'cfengine did an emergency syslog log rotation on loghost' oncall@example"
--------------------------------------------------------
I'm sure there are other out-of-band mechanisms that could be used (a shell script whipped up in a few minutes could do it, run from cron), but it's important to think about it. Even if you have huge disks, if your OS/filesystem/file utilities can't handle large files you're in trouble.
Perhaps down the road syslog-ng could include a feature to help with this. It doesn't eliminate the threat of attackers flooding your logs, but at least it could make every effort to keep from losing logs (until your filesystem fills up or the host's CPU/memory resources get overloaded under the flood, I know this isn't perfect).
Even if the host OS can handle huge files, from an administration standpoint it's sometimes best to keep them smaller and deal with them in smaller chunks anyways; especially when you need to rotate logs off a machine to save local disk space.
Any hope of such a feature Bazsi? Perhaps in syslog-ng 2?
--
Nate Campi http://www.campin.net
The porcupine with the sharpest quills gets stuck on a tree more often.
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
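
The cron-run shell script the message mentions, sketched here as an added example (not code from the original post, cfengine or syslog-ng). The function names, the byte threshold and the generation count are assumptions; pick a threshold below the platform's file size limit.

```shell
#!/bin/sh
# Added example: size-based emergency log rotation for a loghost, run from cron.
# After rotate_all reports a non-zero count, send syslog-ng a HUP so it reopens
# its files, as the cfengine "signal=hup" entry above does.

# file_size FILE -> prints the size in bytes (0 if FILE does not exist)
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# rotate_if_large FILE MAX_BYTES KEEP
# Returns 0 if FILE was rotated, 1 if it was below MAX_BYTES and left alone.
rotate_if_large() {
    log=$1; max=$2; keep=$3
    [ "$(file_size "$log")" -ge "$max" ] || return 1

    # Shift generations up (log.1 -> log.2, ...); the oldest is overwritten.
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$log.$prev" ]; then
            mv -f "$log.$prev" "$log.$i"
        fi
        i=$prev
    done

    mv -f "$log" "$log.1"
    # Recreate the live file with restrictive permissions. syslog-ng keeps
    # writing to the renamed file until it receives the HUP.
    ( umask 077; : > "$log" )
    return 0
}

# rotate_all MAX_BYTES KEEP FILE... -> prints how many files were rotated
rotate_all() {
    max=$1; keep=$2; shift 2
    rotated=0
    for f in "$@"; do
        if rotate_if_large "$f" "$max" "$keep"; then
            rotated=$((rotated + 1))
        fi
    done
    echo "$rotated"
}
```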