Friday, 20 January 2006

Syslog: Good for info, good for DOS attacks

So after getting some odd complaints from the mail server this morning about "insufficient space", I had to take a closer look at Siona's var partition which was appearing to fluctuate by ~600MB per day. A quick du -sh * pointed to /var/log being the culprit.

So on first inspection, the mysql-bin logs were not being compressed. A gzip on the old logs there gave a couple hundred megs back. Not a world of difference, but a lot.

Next up, it turns out that syslog.0 and debug.0 were over 300MB each and today's syslog/debug were already over 10MB (having been just rotated). So I take a quick look and I see the usual chatter from various services... But it turns out that "the usual chatter" from slapd was 99.96% of the log. Other than enabling it for debugging, I've never found the stuff getting logged to be especially useful to have around so I've disabled that. It was recording a half dozen lines every time PAM or NSS wanted user info (e.g. perpetually).

In summary, the Squid cache (256MB) didn't make the top 3 disk usage problems under var. It was Syslog that was doing a DOS attack.
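
One way to measure which service dominates a log, as in the slapd figure above. This is an added example, not code from the original post: it assumes the traditional BSD syslog line layout, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter

# Traditional BSD syslog layout (assumed): "Mon DD HH:MM:SS host program[pid]: msg"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s([^\s:\[]+)(?:\[\d+\])?:\s"
)

def usage_by_program(lines):
    """Return (Counter of bytes logged per program tag, total bytes)."""
    sizes, total = Counter(), 0
    for line in lines:
        n = len(line.encode("utf-8", "replace")) + 1  # +1 for the newline on disk
        total += n
        m = LINE_RE.match(line)
        # Untagged lines ("last message repeated N times") get their own
        # bucket so the shares still add up to the whole file.
        sizes[m.group(1) if m else "(unparsed)"] += n
    return sizes, total

def report(lines, top=5):
    """List of (program, bytes, percent of log) for the largest contributors."""
    sizes, total = usage_by_program(lines)
    if total == 0:
        return []
    return [(p, n, 100.0 * n / total) for p, n in sizes.most_common(top)]

# Constructed sample lines, not taken from the server in the post.
SAMPLE = [
    'Jan 20 09:14:02 siona slapd[2211]: conn=1041 fd=14 ACCEPT from IP=127.0.0.1:40112 (IP=0.0.0.0:389)',
    'Jan 20 09:14:02 siona slapd[2211]: conn=1041 op=0 BIND dn="" method=128',
    'Jan 20 09:14:02 siona slapd[2211]: conn=1041 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=alice)"',
    'Jan 20 09:14:02 siona slapd[2211]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Jan 20 09:14:02 siona slapd[2211]: conn=1041 fd=14 closed',
    'Jan 20 09:14:03 siona postfix/smtpd[2301]: connect from localhost[127.0.0.1]',
    'Jan 20 09:14:04 siona last message repeated 3 times',
    'Jan 20 09:15:01 siona cron[2290]: (root) CMD (run-parts /etc/cron.hourly)',
]

if __name__ == "__main__":
    for prog, size, pct in report(SAMPLE):
        print(f"{prog:14} {size:6d} bytes {pct:6.2f}%")
    # Real file: report(l.rstrip("\n") for l in open("/var/log/syslog", errors="replace"))
```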
