How to stop the deluge of entries in /var/log files?

joe at actionline.com
Fri Feb 5 11:56:53 MST 2010


Joe last wrote:
>> Thanks Craig.
>> Re the permissions item, I neglected to say that the reported files and
>> directories are already set with the correct permissions, but those
>> claims of "wrong permissions" keep on coming anyway.

Then Craig wrote:
> that defies my understanding of things so I struggle to believe it.
>
> what is output of say...
> ls -l /var/log/lpr

In this case, the system is generating that particular log with all
-rw------- permissions, so why cron is generating an "error"
report to /var/log/lpr saying permissions should be 640 is strange.

And Craig also wrote:
> You might want to see what is actually in those files...
> (/etc/cron.hourly/*, etc.) and potentially edit or remove them as
> useful. I suspect the ones that are making you crazy are in the
> cron.hourly
>
> Clearly the 'promisc_check.sh' is in the hourly and that would seem to
> be a safety check from your distro and it is reporting to syslog which
> actually makes a lot of sense and I would probably just leave it alone
> (i.e. keep running the 'promiscuity check' every hour

Thanks. That helped me discover what was going on.
It just didn't make sense to me that something in /etc/cron.hourly
would be generating an action every minute.

And I still don't understand why something in /etc/cron.hourly is running
every minute rather than once every hour?

Do most distros have something like this running every minute and adding
tens of thousands of entries to both syslog and messages plus in several
other places?  Isn't that a sledgehammer swatting a gnat?  Why is it
necessary to flood the logs with an entry for every minute that an action
like this runs?

And if the purpose of the routine is just to send an email alert to the
system administrator of any malicious attack, why not just have the
routine do that and not report every minute, "I've checked again ... I've
checked again ... I've checked again ..." 1,440 times every day???

Why not have it just do the checking and only tell us if it found
something worth reporting? Or at the very least, just post its
minute-by-minute report in a separate place (and only one place)?
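The behaviour asked for above (check every run, but only log when something actually changed) can be written as a small state-keeping script. The following is an added example, not code from this thread or from any distribution's promisc_check.sh. It assumes a Linux system where each interface's flags are readable from /sys/class/net/<ifname>/flags (the IFF_PROMISC bit is 0x100), keeps the previous run's result in a state file, and hands only the change lines to logger; the state-file path, the `run` argument and the `snapshot_from_sys` directory parameter are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the PLUG-discuss thread): a promiscuous-mode check
# that remembers the previous run and reports only when an interface changes
# state. Assumptions: Linux, flags read from /sys/class/net/<if>/flags as a
# hex word with IFF_PROMISC = 0x100; state kept in $STATE_FILE.

STATE_FILE="${STATE_FILE:-/var/lib/promisc_check/state}"

# is_promisc FLAGS -> exit 0 if the IFF_PROMISC bit (0x100) is set in the
# hex flags word, 1 otherwise. Pure arithmetic, so it is testable offline.
is_promisc() {
    flags=$(( $1 ))                 # POSIX arithmetic accepts 0x... literals
    [ $(( flags & 0x100 )) -ne 0 ]
}

# snapshot_from_sys [SYSDIR] -> prints sorted "ifname promisc|normal" lines,
# one per interface directory under SYSDIR (default /sys/class/net).
snapshot_from_sys() {
    sysdir="${1:-/sys/class/net}"
    for d in "$sysdir"/*; do
        [ -r "$d/flags" ] || continue
        ifname=$(basename "$d")
        if is_promisc "$(cat "$d/flags")"; then
            echo "$ifname promisc"
        else
            echo "$ifname normal"
        fi
    done | sort
}

# report_changes NEW_SNAPSHOT STATE -> prints one line per interface whose
# state differs from the previous run (or is newly seen), then saves the new
# snapshot as the state. Prints nothing when nothing changed, so an hourly
# or per-minute cron job produces no "checked again" entries.
report_changes() {
    new="$1"; state="$2"
    [ -f "$state" ] || : > "$state"
    # comm -13: lines present only in the new snapshot (both files are sorted)
    comm -13 "$state" "$new" | while read -r ifname mode; do
        echo "promisc_check: $ifname is now $mode"
    done
    cp "$new" "$state"
}

main() {
    tmp=$(mktemp)
    snapshot_from_sys > "$tmp"
    mkdir -p "$(dirname "$STATE_FILE")"
    # Only change lines reach syslog; fall back to stdout if logger is absent.
    report_changes "$tmp" "$STATE_FILE" | while read -r line; do
        logger -t promisc_check -p daemon.warning "$line" 2>/dev/null || echo "$line"
    done
    rm -f "$tmp"
}

# Invoke as "sh promisc_check.sh run" from cron; sourcing the file without
# the argument only defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Because the report is driven by differences against the saved state rather than by each invocation, the job can be scheduled as often as desired without growing syslog; the first run after installation lists every interface once, and from then on only transitions into or out of promiscuous mode are logged.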

More information about the PLUG-discuss mailing list