[syslog-ng]syslog-ng log file rotation based on size
Nate Campi
nate@campin.net
Sat, 1 Feb 2003 10:33:03 -0800
Many of us run syslog-ng on systems with a 2 gig file size limit. An
attacker can flood our loghost until logs reach 2 gigs in size, at which
point syslog-ng cannot write to the file any further.
If you run cfengine on your loghost, you can make it rotate logs based
on size:
--------------------------------------------------------
disable:
loghost::
/var/log/messages
size=>2000mb
rotate=100
define=syslog_rotated
/var/log/syslog
size=>2000mb
rotate=100
define=syslog_rotated
processes:
loghost.syslog_rotated::
"syslog-ng" signal=hup
shellcommands:
loghost.syslog_rotated::
"/bin/echo a log file in /var/log was rotated to avoid the 2 gig file limit on loghost|/usr/bin/mail -s'cfengine did an emergency syslog log rotation on loghost' oncall@example"
--------------------------------------------------------
I'm sure there's other out of band mechanisms that could be used (a
shell script whipped up in a few minutes could do it, run from cron),
but it's important to think about it. Even if you have huge disks, if
your OS/filesystem/file utilities can't handle large files you're in
trouble.
Perhaps down the road syslog-ng could include a feature to help with
this. It doesn't eliminate the threat of attackers flooding your logs,
but at least it could make every effort to keep from losing logs (until
your filesystem fills up or the host's CPU/memory resources get
overloaded under the flood, I know this isn't perfect).
Even if the host OS can handle huge files, from an administration
standpoint it's sometimes best to keep them smaller and deal with them
in smaller chunks anyways; especially when you need to rotate logs off a
machine to save local disk space.
Any hope of such a feature Bazsi? Perhaps in syslog-ng 2?
--
Nate Campi http://www.campin.net
The porcupine with the sharpest quills gets stuck on a tree more often.