Hello,

Is it possible to limit the size of each logfile when using the destination shown under?

    destination dst { file("/syslog/logs/$R_YEAR/$R_MONTH/$R_DAY/$HOST" ); };

I.e.

    destination dst { file("/syslog/logs/$R_YEAR/$R_MONTH/$R_DAY/$HOST" maxsize(5g) ); };

That way no single host could log more than 5g, and if /syslog/logs is a single filesystem, the risk of losing logs from other hosts is minimized if a host is logging too much or trying to ddos syslog-ng-loghost. Of course syslog-ng should log internally if the limit is reached and logging for host is stopped.

-- 
Jan Thomas Moldung

On 5/24/07, janth@moldung.no <janth@moldung.no> wrote:
Is it possible to limit the size of each logfile when using the destination shown under?
If your OS has a ulimit restricting the maximum size of any one file (look under 'man setrlimit' for RLIMIT_FSIZE), you could use this kernel feature to restrict the largest file that can be created. This wouldn't allow setting different limits for each destination.

Alternately, you could use a unique userid for the logs from each untrustworthy log source, and use the native OS quota enforcement to limit total disk space, but this is even more OS-dependent than are ulimits.

I prefer to have a separate monitor routine (e.g. HobbitMon), a daemon or cron job which watches filesystem free space and sends an alert if any one filesystem runs low.

Kevin

I agree with Kevin; setting limits usually means you will start losing logs when that limit is reached. Depending on the importance of these logs, it might be worth setting up alerting for disk space shortage, and buying more disks if the importance of the logs outweighs the cost of having them.

On Thu, 2007-05-24 at 23:19 -0500, K K wrote:
On 5/24/07, janth@moldung.no <janth@moldung.no> wrote:
Is it possible to limit the size of each logfile when using the destination shown under?
If your OS has a ulimit restricting the maximum size of any one file (look under 'man setrlimit' for RLIMIT_FSIZE), you could use this kernel feature to restrict the largest file that can be created. This wouldn't allow setting different limits for each destination.
Alternately, you could use a unique userid for the logs from each untrustworthy log source, and use the native OS quota enforcement to limit total disk space, but this is even more OS-dependent than are ulimits.
I prefer to have a separate monitor routine (e.g. HobbitMon), a daemon or cron job which watches filesystem free space and sends an alert if any one filesystem runs low.
Kevin
-- Hiren Patel
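
The cron-job monitor suggested in the replies, combined with the per-host 5g check from the original question, as an added example that is not part of any message in the thread. The function names, the alert line format and the 90% usage threshold are assumptions; the log root and directory layout are the ones from the destination above.

```shell
#!/bin/sh
# Added example, not from the thread. Watches a syslog-ng tree laid out as
# <root>/$R_YEAR/$R_MONTH/$R_DAY/$HOST. Function names, the alert format and
# the 90% threshold in the usage line are assumptions.

# Print one alert line per per-host file for today larger than max_bytes.
oversized_hosts() {
    root=$1 max_bytes=$2
    day_dir="$root/$(date +%Y/%m/%d)"   # matches $R_YEAR/$R_MONTH/$R_DAY
    [ -d "$day_dir" ] || return 0
    find "$day_dir" -type f -size +"${max_bytes}c" | while IFS= read -r f; do
        echo "OVERSIZE host=${f##*/} limit_bytes=$max_bytes"
    done
}

# Integer percentage of the filesystem holding $1 that is in use.
fs_used_pct() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Run both checks. Prints alerts and returns 1 if anything needs attention.
check_logs() {
    root=$1 max_bytes=$2 max_used_pct=$3
    pct=$(fs_used_pct "$root")
    alerts=$(
        oversized_hosts "$root" "$max_bytes"
        case $pct in
            (''|*[!0-9]*) echo "FS_UNKNOWN path=$root" ;;
            (*) [ "$pct" -lt "$max_used_pct" ] ||
                   echo "FS_LOW path=$root used_pct=$pct limit_pct=$max_used_pct" ;;
        esac
    )
    [ -z "$alerts" ] && return 0
    printf '%s\n' "$alerts"
    return 1
}

# From cron (output is mailed by cron): monitor.sh /syslog/logs 5368709120 90
if [ "$#" -eq 3 ]; then
    check_logs "$@"
fi
```

Unlike a hard limit, this only reports: the noisy host keeps logging, and other hosts' files are protected only if someone acts on the alert before the filesystem fills.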