accounting logs

Hi,


To have the autolog deleter also delete from accounting would be a good thing also, it's eating up all my space in /var/log and I don't like that the box might shut down if I don't delete 'em in time.


Regards, Tony


  • Hi tony,

    can you post a 'du -s /var/log/*' and 'df -h /var/log' ?
    thx
  • Hi, I am also seeing this problem. I installed Astaro on a P3 700 MHz with a 10 GB disk. I've been running for about 2 months and my /var/log is now about 85% plus; each evening I get an email telling me it is short of space and is going to delete log files. Here is how the disk looks just now:

    midge:/root # df
    Filesystem           1k-blocks      Used Available Use% Mounted on
    /dev/hda7               490023    199199    265522  43% /
    /dev/hda1               490023      4702    460019   1% /emergency
    /dev/hda3               940816    768412    124612  86% /var/log
    /dev/hda5               972436     18008    905032   2% /var/chroot-smtp
    /dev/hda6                93328      2999     85510   3% /var/recovery
    /dev/hda8              3328480    774744   2384652  25% /var/chroot-squid
    /dev/hda9              3391776    311572   2907908  10% /var/chroot-report
    none                     15360         0     15360   0% /var/shm
    midge:/root #


    midge:/root # df -h /var/log
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/hda3             919M  751M  121M  86% /var/log
    midge:/root #

    du -s /var/log/* is 1089 lines long, most of the files are only 4 or 8 bytes, but here are the bigger ones:-

    114576  /var/log/kernel
    12268   /var/log/kernel-20011218.gz
    11428   /var/log/kernel-20011219.gz
    10620   /var/log/kernel-20011220.gz
    9088    /var/log/kernel-20011221.gz
    6908    /var/log/kernel-20011222.gz
    7348    /var/log/kernel-20011223.gz
    7236    /var/log/kernel-20011224.gz
    7120    /var/log/kernel-20011225.gz
    7288    /var/log/kernel-20011226.gz
    7396    /var/log/kernel-20011227.gz
    8048    /var/log/kernel-20011228.gz
    8420    /var/log/kernel-20011229.gz
    8200    /var/log/kernel-20011230.gz
    8096    /var/log/kernel-20011231.gz
    8488    /var/log/kernel-20020101.gz
    8528    /var/log/kernel-20020102.gz
    8812    /var/log/kernel-20020103.gz
    9012    /var/log/kernel-20020104.gz
    7888    /var/log/kernel-20020105.gz
    7848    /var/log/kernel-20020106.gz
    9216    /var/log/kernel-20020107.gz
    9048    /var/log/kernel-20020108.gz
    9396    /var/log/kernel-20020109.gz
    9296    /var/log/kernel-20020110.gz
    9496    /var/log/kernel-20020111.gz
    8544    /var/log/kernel-20020112.gz
    8468    /var/log/kernel-20020113.gz
    10324   /var/log/kernel-20020114.gz
    10284   /var/log/kernel-20020115.gz
    13064   /var/log/kernel-20020116.1011355321.gz
    2640    /var/log/kernel-20020117.gz
    10352   /var/log/kernel-20020118.gz
    8884    /var/log/kernel-20020119.gz
    8868    /var/log/kernel-20020120.gz
    11696   /var/log/kernel-20020121.gz
    11624   /var/log/kernel-20020122.gz
    10512   /var/log/kernel-20020123.gz
    11188   /var/log/kernel-20020124.gz
    9856    /var/log/kernel-20020125.gz
    7516    /var/log/kernel-20020126.gz
    7108    /var/log/kernel-20020127.gz
    9372    /var/log/kernel-20020128.gz
    9988    /var/log/kernel-20020129.gz
    10460   /var/log/kernel-20020130.gz
    10768   /var/log/kernel-20020131.gz
    10156   /var/log/kernel-20020201.gz
    8100    /var/log/kernel-20020202.gz
    8100    /var/log/kernel-20020203.gz
    10112   /var/log/kernel-20020204.gz
    11248   /var/log/kernel-20020205.gz
    10152   /var/log/kernel-20020206.gz
    11312   /var/log/kernel-20020207.gz
    10884   /var/log/kernel-20020208.gz
    8712    /var/log/kernel-20020209.gz
    8600    /var/log/kernel-20020210.gz
    10444   /var/log/kernel-20020211.gz
    10328   /var/log/kernel-20020212.gz
    9616    /var/log/kernel-20020213.gz
    9344    /var/log/kernel-20020214.gz
    9428    /var/log/kernel-20020215.gz
    7592    /var/log/kernel-20020216.gz
    0       /var/log/kernelpipe
    8       /var/log/lastlog
    4       /var/log/lost+found
    40      /var/log/mail


    Hope this helps.

    thanks
    Mike
  • Hmm, just had a look in one of those large log files, lots of stuff like:-

    Jan  7 00:01:43 mungo kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:65:e2:7e:08:00 SRC=148.88.98.24 DST=255.255.255.255 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=29197 PROTO=UDP SPT=1026 DPT=1900 LEN=140
    Jan  7 00:01:43 mungo kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:65:e2:7e:08:00 SRC=148.88.98.24 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=29453 PROTO=UDP SPT=1026 DPT=1900 LEN=141
    Jan  7 00:01:43 mungo kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:02:b5:a6:c3:08:00 SRC=148.88.244.93 DST=148.88.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=36932 PROTO=UDP SPT=138 DPT=138 LEN=209
    Jan  7 00:01:44 mungo kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:02:b8:36:af:08:00 SRC=148.88.155.214 DST=148.88.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=46154 PROTO=UDP SPT=137 DPT=137 LEN=58
    Jan  7 00:01:44 mungo kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:02:9d:4e:50:08:00 SRC=148.88.17.227 DST=148.88.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=21462 PROTO=UDP SPT=138 DPT=138 LEN=209
    Jan  7 00:01:44 mungo kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:02   b:31:42:08:00 SRC=148.88.80.201 DST=148.88.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=3399 PROTO=UDP SPT=138 DPT=138 LEN=209


    I'm dropping the broadcasts but they are logged to the kernel log. Can I avoid this? Or do I actually want to avoid it?

    thanks
    Mike
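Before deciding whether to stop logging dropped broadcasts, it helps to measure which rule prefix and destination port produce most of the kernel log. The following is an added example, not part of the original posts; the sample lines, host name `fw`, addresses and the `TCP Drop` prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank netfilter LOG entries by (prefix, protocol, destination port)
# and mark link-layer broadcasts, to see which traffic class fills /var/log/kernel.

# summarise_drops: syslog lines on stdin -> "COUNT PREFIX PROTO DPT KIND", busiest first
summarise_drops() {
    awk '
    / kernel: .* IN=/ {
        prefix = $0
        sub(/^.* kernel: /, "", prefix)    # drop timestamp and host name
        sub(/:? IN=.*$/, "", prefix)       # keep only the rule prefix, e.g. "UDP Drop"
        gsub(/ /, "_", prefix)
        proto = "-"; dpt = "-"; mac = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^MAC=/)   mac   = substr($i, 5)
        }
        # MAC= holds destination MAC, source MAC, EtherType; an all-ones
        # destination means the frame was a link-layer broadcast.
        kind = (mac ~ /^ff:ff:ff:ff:ff:ff:/) ? "broadcast" : "unicast"
        count[prefix " " proto " " dpt " " kind]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample input (documentation addresses, not taken from a real log).
sample_log() {
    cat <<'EOF'
Jan  7 00:01:43 fw kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 SRC=192.0.2.24 DST=255.255.255.255 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=29197 PROTO=UDP SPT=1026 DPT=1900 LEN=140
Jan  7 00:01:43 fw kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 SRC=192.0.2.24 DST=255.255.255.255 LEN=161 TOS=0x00 PREC=0x00 TTL=128 ID=29453 PROTO=UDP SPT=1026 DPT=1900 LEN=141
Jan  7 00:01:43 fw kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:02:08:00 SRC=192.0.2.93 DST=192.0.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=36932 PROTO=UDP SPT=138 DPT=138 LEN=209
Jan  7 00:01:44 fw kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:03:08:00 SRC=192.0.2.94 DST=192.0.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=21462 PROTO=UDP SPT=138 DPT=138 LEN=209
Jan  7 00:01:44 fw kernel: UDP Drop: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:04:08:00 SRC=192.0.2.95 DST=192.0.2.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=3399 PROTO=UDP SPT=138 DPT=138 LEN=209
Jan  7 00:01:45 fw kernel: TCP Drop: IN=eth1 OUT= MAC=00:00:5e:00:53:fe:00:00:5e:00:53:07:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

sample_log | summarise_drops
```

On a real box, feed it the live file or a rotated one, for example `zcat /var/log/kernel-20020107.gz | summarise_drops`. Rows marked `broadcast` are LAN chatter; rows marked `unicast` are traffic addressed to the firewall or routed through it and are usually the ones worth keeping in the log.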
  • Thought I ought to add one of the emails I get:-

    There are too many old logfiles in /var/log - the firewall will delete 
    them (/var/log/*20011218*, date style: YYYYMMDD) automatically if more 
    harddisk space is required. 

    If you need these old logfiles please retrieve them with scp and delete 
    them with rm, otherwise ignore this notification. 

    Astaro Security Linux 2.020
  • Hi Dirky,

    thx for your postings (btw. please upgrade to 2.022) - but there is no info about too many (big) log files as tony wrote.
    What's with 'du -s /var/log/account/*' and 'du -s /var/log/accounting/*'?


  • Is it OK to delete the files in /var/log/accounting?
  • Thanks, I have now upgraded. Ok here is info:-

    midge:/root # du -s /var/log/account/*
    0       /var/log/account/net-acct
    20      /var/log/account/net-acct-dump
    68      /var/log/account/net-acct-dump.o
    0       /var/log/account/timestamp
    midge:/root #
    and
    midge:/root # du -s /var/log/accounting/*
    21484   /var/log/accounting/0112
    41128   /var/log/accounting/0201
    24960   /var/log/accounting/0202
    4       /var/log/accounting/December_2001.monate
    4       /var/log/accounting/February_2002.monate
    4       /var/log/accounting/January_2002.monate
    8       /var/log/accounting/net-acct.020218_0145.gz
    16      /var/log/accounting/net-acct.020218_0200.gz
    8       /var/log/accounting/net-acct.020218_0215.gz
    16      /var/log/accounting/net-acct.020218_0230.gz
    12      /var/log/accounting/net-acct.020218_0245.gz
    16      /var/log/accounting/net-acct.020218_0300.gz
    8       /var/log/accounting/net-acct.020218_0315.gz
    16      /var/log/accounting/net-acct.020218_0330.gz
    8       /var/log/accounting/net-acct.020218_0345.gz
    16      /var/log/accounting/net-acct.020218_0400.gz
    8       /var/log/accounting/net-acct.020218_0415.gz
    16      /var/log/accounting/net-acct.020218_0430.gz
    8       /var/log/accounting/net-acct.020218_0445.gz
    16      /var/log/accounting/net-acct.020218_0500.gz
    8       /var/log/accounting/net-acct.020218_0515.gz
    20      /var/log/accounting/net-acct.020218_0530.gz
    12      /var/log/accounting/net-acct.020218_0545.gz
    20      /var/log/accounting/net-acct.020218_0600.gz
    16      /var/log/accounting/net-acct.020218_0630.gz
    8       /var/log/accounting/net-acct.020218_0645.gz
    16      /var/log/accounting/net-acct.020218_0700.gz
    8       /var/log/accounting/net-acct.020218_0715.gz
    16      /var/log/accounting/net-acct.020218_0730.gz
    12      /var/log/accounting/net-acct.020218_0745.gz
    20      /var/log/accounting/net-acct.020218_0800.gz
    8       /var/log/accounting/net-acct.020218_0815.gz
    20      /var/log/accounting/net-acct.020218_0830.gz
    12      /var/log/accounting/net-acct.020218_0845.gz
    20      /var/log/accounting/net-acct.020218_0900.gz
    12      /var/log/accounting/net-acct.020218_0915.gz
    20      /var/log/accounting/net-acct.020218_0930.gz
    12      /var/log/accounting/net-acct.020218_0945.gz
    24      /var/log/accounting/net-acct.020218_1000.gz
    16      /var/log/accounting/net-acct.020218_1015.gz
    24      /var/log/accounting/net-acct.020218_1030.gz
    12      /var/log/accounting/net-acct.020218_1045.gz
    24      /var/log/accounting/net-acct.020218_1100.gz
    12      /var/log/accounting/net-acct.020218_1115.gz
    24      /var/log/accounting/net-acct.020218_1130.gz
    12      /var/log/accounting/net-acct.020218_1145.gz
    20      /var/log/accounting/net-acct.020218_1200.gz
    20      /var/log/accounting/net-acct.020218_1215.gz
    12      /var/log/accounting/net-acct.020218_1230.gz
    24      /var/log/accounting/net-acct.020218_1245.gz
    12      /var/log/accounting/net-acct.020218_1300.gz
    24      /var/log/accounting/net-acct.020218_1315.gz
    12      /var/log/accounting/net-acct.020218_1330.gz
    24      /var/log/accounting/net-acct.020218_1345.gz
    12      /var/log/accounting/net-acct.020218_1400.gz
    24      /var/log/accounting/net-acct.020218_1415.gz
    12      /var/log/accounting/net-acct.020218_1430.gz
    24      /var/log/accounting/net-acct.020218_1445.gz
    12      /var/log/accounting/net-acct.020218_1500.gz
    24      /var/log/accounting/net-acct.020218_1515.gz
    12      /var/log/accounting/net-acct.020218_1530.gz
    24      /var/log/accounting/net-acct.020218_1545.gz
    12      /var/log/accounting/net-acct.020218_1600.gz
    24      /var/log/accounting/net-acct.020218_1615.gz
    12      /var/log/accounting/net-acct.020218_1630.gz
    20      /var/log/accounting/net-acct.020218_1645.gz
    8       /var/log/accounting/net-acct.020218_1700.gz
    24      /var/log/accounting/net-acct.020218_1715.gz
    12      /var/log/accounting/net-acct.020218_1730.gz
    24      /var/log/accounting/net-acct.020218_1745.gz
    12      /var/log/accounting/net-acct.020218_1800.gz
    24      /var/log/accounting/net-acct.020218_1815.gz
    12      /var/log/accounting/net-acct.020218_1830.gz
    20      /var/log/accounting/net-acct.020218_1845.gz
    12      /var/log/accounting/net-acct.020218_1900.gz
    20      /var/log/accounting/net-acct.020218_1915.gz
    12      /var/log/accounting/net-acct.020218_1930.gz
    24      /var/log/accounting/net-acct.020218_1945.gz
    12      /var/log/accounting/net-acct.020218_2000.gz
    20      /var/log/accounting/net-acct.020218_2015.gz
    12      /var/log/accounting/net-acct.020218_2030.gz
    20      /var/log/accounting/net-acct.020218_2045.gz
    12      /var/log/accounting/net-acct.020218_2100.gz
    16      /var/log/accounting/net-acct.020218_2115.gz
    12      /var/log/accounting/net-acct.020218_2130.gz
    20      /var/log/accounting/net-acct.020218_2145.gz
    12      /var/log/accounting/net-acct.020218_2200.gz
    20      /var/log/accounting/net-acct.020218_2215.gz
    midge:/root #

    Now I have upgraded I notice I get the "Too many log files" messages every hour?

    Like
    There are too many old logfiles in /var/log - the firewall will delete 
    them (/var/log/*20011219*, date style: YYYYMMDD) automatically if more 
    harddisk space is required. 

    If you need these old logfiles please retrieve them with scp and delete 
    them with rm, otherwise ignore this notification. 

    Astaro Security Linux 2.022 


    Am I slowly losing my accounting information or is this summarised in some other files?
    I'd rather not lose the history as I would like one day soon to be able to view these files and calculate traffic based on per IP address.

    thanks
    Mike
  • Hi all,

    thx for your reports.
    logcleaner deletes only '/var/log/*200?*' files and no accounting files. You can delete them by hand; you will lose only the accounting data in the WebAdmin (ASL 2.X).
     is the biggest directory I have seen...
    We will think about extending log-cleaner to cover the accounting directories in one of the next Up2Dates...
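Since logcleaner leaves /var/log/accounting alone, manual cleanup can be scripted with a dry run first. The following is an added example, not Astaro's logcleaner or any code from this thread; it assumes the four-digit directories (0112, 0201, 0202) are per-month YYMM data and that `net-acct.YYMMDD_HHMM.gz` names carry the dump date, as the listing above suggests.

```shell
#!/bin/sh
# Added example: prune /var/log/accounting by the date embedded in each name.
# Covers month directories (YYMM) and dumps named net-acct.YYMMDD_HHMM.gz.

# prune_acct DIR CUTOFF_YYMMDD [delete]
#   Prints every entry dated before CUTOFF; removes it only when "delete" is given.
#   A month directory is selected only if the whole month precedes the cutoff month.
prune_acct() {
    dir=$1; cutoff=$2; mode=${3:-dry-run}
    case $cutoff in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "cutoff must be YYMMDD" >&2; return 2 ;;
    esac
    for p in "$dir"/[0-9][0-9][0-9][0-9] \
             "$dir"/net-acct.[0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9][0-9][0-9].gz; do
        base=${p##*/}
        case $base in
            net-acct.*) [ -f "$p" ] || continue
                        d=${base#net-acct.}; stamp=${d%%_*}; limit=$cutoff ;;
            *)          [ -d "$p" ] || continue
                        stamp=$base; limit=${cutoff%??} ;;     # 020218 -> 0202
        esac
        [ ! -L "$p" ] || continue          # never act on symlinks in a log directory
        # test(1) compares in decimal, so leading zeros are harmless.
        # Assumption: all dates fall in the same century (two-digit year).
        [ "$stamp" -lt "$limit" ] || continue
        printf '%s\n' "$p"
        if [ "$mode" = delete ]; then rm -rf -- "$p"; fi
    done
    return 0
}

# Constructed sample directory so the example runs without touching /var/log.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/0112" "$d/0201" "$d/0202"
    : > "$d/0201/placeholder"
    for name in net-acct.020216_2345.gz net-acct.020218_0145.gz January_2002.monate; do
        : > "$d/$name"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
prune_acct "$sample" 020218        # dry run: 0112, 0201 and the 16 Feb dump
rm -rf -- "$sample"
```

The `.monate` files are never matched. If the history matters, copy the listed entries off the firewall with scp before running with `delete`, as the notification e-mail advises for the ordinary log files.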