[syslog-ng]syslog-ng log file rotation based on size

Richard E. Perlotto II rperlott@cisco.com
Sat, 1 Feb 2003 12:05:20 -0800


The same functionality exists in logrotate, which is a standard part of
many Linux OSes.


Richard

> -----Original Message-----
> From: syslog-ng-admin@lists.balabit.hu 
> [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Nate Campi
> Sent: Saturday, February 01, 2003 10:33 AM
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng]syslog-ng log file rotation based on size
> 
> 
> Many of us run syslog-ng on systems with a 2 gig file size 
> limit. An attacker can flood our loghost until logs reach 2 
> gigs in size, at which point syslog-ng cannot write to the 
> file any further.
> 
> If you run cfengine on your loghost, you can make it rotate 
> logs based on size:
> 
> --------------------------------------------------------
> disable:
>         loghost::
>                 /var/log/messages
>                         size=>2000mb
>                         rotate=100
>                         define=syslog_rotated
>                 /var/log/syslog
>                         size=>2000mb
>                         rotate=100
>                         define=syslog_rotated
> 
> processes:
>         loghost.syslog_rotated::
>                 "syslog-ng" signal=hup
> 
> shellcommands:
>         loghost.syslog_rotated::
>                 "/bin/echo a log file in /var/log was rotated to avoid the 2 gig file limit on loghost|/usr/bin/mail -s'cfengine did an emergency syslog log rotation on loghost' oncall@example"
> 
> --------------------------------------------------------
> 
> I'm sure there are other out-of-band mechanisms that could be 
> used (a shell script whipped up in a few minutes could do it, 
> run from cron), but it's important to think about it. Even if 
> you have huge disks, if your OS/filesystem/file utilities 
> can't handle large files you're in trouble.
> 
> Perhaps down the road syslog-ng could include a feature to 
> help with this. It doesn't eliminate the threat of attackers 
> flooding your logs, but at least it could make every effort 
> to keep from losing logs (until your filesystem fills up or 
> the host's CPU/memory resources get overloaded under the 
> flood, I know this isn't perfect).
> 
> Even if the host OS can handle huge files, from an 
> administration standpoint it's sometimes best to keep them 
> smaller and deal with them in smaller chunks anyways; 
> especially when you need to rotate logs off a machine to save 
> local disk space.
> 
> Any hope of such a feature Bazsi? Perhaps in syslog-ng 2?
> -- 
> Nate Campi   http://www.campin.net 
> 
> The porcupine with the sharpest quills gets stuck on a tree 
> more often.
> 
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu 
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> 
> Frequently asked questions at 
> http://www.campin.net/syslog-ng/faq.html
> 
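The cron-driven shell script Nate mentions as an alternative to the cfengine rules, written out as an added example that is not part of the thread. It rotates any listed syslog-ng log file that has reached a size threshold, keeps a fixed number of old copies, and HUPs syslog-ng so it reopens the fresh file. The log paths, the threshold, the pid file location and the `--cron` invocation flag are all assumptions; adjust them for your loghost.

```shell
#!/bin/sh
# Added example (not from the thread): size-based emergency rotation for
# syslog-ng log files, meant to run from cron every few minutes.
# LOGS, LIMIT_MB, KEEP and PIDFILE are assumed values; override via env.

LOGS="${LOGS:-/var/log/messages /var/log/syslog}"   # assumed file list
LIMIT_MB="${LIMIT_MB:-2000}"                        # rotate at this size
KEEP="${KEEP:-100}"                                 # rotated copies to keep
PIDFILE="${PIDFILE:-/var/run/syslog-ng.pid}"        # assumed pid file path

# Print a file's size in whole megabytes (0 if it does not exist).
# wc -c is used because stat's flags differ between GNU and BSD.
file_size_mb() {
    if [ -f "$1" ]; then
        echo $(( $(wc -c < "$1") / 1048576 ))
    else
        echo 0
    fi
}

# Shift FILE.N to FILE.(N+1) for N = KEEP-1 down to 1, move FILE to FILE.1
# and create an empty FILE. mv is a rename, so this is cheap even for a
# 2 GB file. syslog-ng keeps writing to the renamed file until it is told
# to reopen, which is why the caller must HUP it afterwards.
rotate_file() {
    f="$1"; keep="$2"
    i="$keep"
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$f.$prev" ]; then
            mv "$f.$prev" "$f.$i"
        fi
        i="$prev"
    done
    mv "$f" "$f.1"
    : > "$f"
}

# Rotate FILE if it has reached LIMIT megabytes. Returns 0 when a rotation
# happened and 1 when the file was still under the limit.
rotate_if_large() {
    f="$1"; limit="$2"; keep="$3"
    if [ "$(file_size_mb "$f")" -ge "$limit" ]; then
        rotate_file "$f" "$keep"
        return 0
    fi
    return 1
}

# Check every configured log and HUP syslog-ng once if anything was rotated.
# The echo goes to stdout, which cron mails to the job owner, so an operator
# learns about the emergency rotation much as Nate's mail command reports it.
rotate_all() {
    rotated=0
    for f in $LOGS; do
        if rotate_if_large "$f" "$LIMIT_MB" "$KEEP"; then
            rotated=1
            echo "emergency rotation of $f (reached ${LIMIT_MB} MB)"
        fi
    done
    if [ "$rotated" -eq 1 ] && [ -r "$PIDFILE" ]; then
        kill -HUP "$(cat "$PIDFILE")"
    fi
    return 0
}

# Only act when invoked as "script.sh --cron" (e.g. "*/5 * * * *" in the
# root crontab), so sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--cron" ]; then
    rotate_all
fi
```

As Nate notes, this keeps the log file writable under a flood but does nothing about the flood itself: the disk still fills, and the rotated copies should be shipped off the host or pruned on the same schedule. The HUP is the step that matters; without it syslog-ng continues appending to the renamed file and the new empty file stays empty.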