NEVERMIND!
Ian Smith
smithi at nimnet.asn.au
Mon May 26 15:54:29 UTC 2014
On Mon, 26 May 2014 16:11:52 +0200, Dag-Erling Smørgrav wrote:
> "Ronald F. Guilmette" <rfg at tristatelogic.com> writes:
>> I forgot that newsyslog(8) should limit the size of /var/log/messages, and
>> that as long as you limit the size of that to a reasonable value, and as
>> long as you have newsyslog(8) only keeping a finite & reasonable number
>> of "rotated out" copies, then /var won't fill up.
> It can still happen, since newsyslog only runs once per hour. If
> /var fills up between two newsyslog runs, there is no guarantee that
> the space freed up by deleting the oldest logs is sufficient to
> compress the newest log. The only way to really handle this issue
> would be to fold newsyslog into syslog.
Mitigating that - in the case of single repeating messages at least - is
that syslog accumulates these and reports totals at a certain interval.
At 5.5-stable (yes, I know) it was 10 minutes, just one example:
May 16 19:17:05 x inetd[5768]: pop3 from 92.247.169.210 exceeded counts/min (limit 4/min)
May 16 19:17:26 x last message repeated 30 times
May 16 19:19:37 x last message repeated 55 times
May 16 19:29:44 x last message repeated 450 times
May 16 19:39:44 x last message repeated 367 times
[.. every 10 minutes until ..]
May 16 22:09:42 x last message repeated 349 times
May 16 22:10:57 x last message repeated 54 times
Of course just to blow my case, tonight I find 967 lines in 82418 bytes
from two hosts apparently in Mexico doing the same gig in parallel, for
less than two minutes - over a very slow ADSL line. syslog doesn't need
the complication of attempts at such pattern matching.
Rather than merging the two, might syslog trigger ad hoc rotations by
newsyslog - of a particular log, not all - after learning how to measure
'stress', perhaps by rates of delta filesize, diskspace consumption etc?
Then newsyslog would only need to learn how to be so invoked?
just a thought, Ian
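
Added example, not part of the original message or of FreeBSD: one way to measure log "stress" from the rate of file growth and the remaining disk space, then rotate only the affected log. The function names and thresholds are assumptions; `newsyslog -R` is FreeBSD's existing option for forcing rotation of named files.

```shell
#!/bin/sh
# Added example: thresholds and function names are assumptions.
MAX_BYTES_PER_SEC=${MAX_BYTES_PER_SEC:-512}  # growth rate treated as abnormal
MIN_FREE_KB=${MIN_FREE_KB:-51200}            # free space to preserve (50 MB)

# log_size FILE: print the file's size in bytes (0 if it does not exist).
log_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# free_kb PATH: print free kilobytes on the filesystem holding PATH.
free_kb() {
    df -kP "$1" | awk 'NR == 2 { print $4 }'
}

# stress_reason PREV_BYTES CUR_BYTES INTERVAL_SECS FREE_KB
# Prints the reason and returns 0 if the log should be rotated now, else 1.
stress_reason() {
    _prev=$1; _cur=$2; _secs=$3; _free=$4
    # A shrinking file means it was rotated since the previous sample.
    if [ "$_cur" -lt "$_prev" ]; then _prev=0; fi
    _rate=$(( (_cur - _prev) / _secs ))
    if [ "$_free" -lt "$MIN_FREE_KB" ]; then
        echo "free space ${_free}KB below ${MIN_FREE_KB}KB"
        return 0
    fi
    if [ "$_rate" -gt "$MAX_BYTES_PER_SEC" ]; then
        echo "growth ${_rate}B/s above ${MAX_BYTES_PER_SEC}B/s"
        return 0
    fi
    return 1
}

# watch_log FILE INTERVAL_SECS: sample forever; on stress rotate only FILE.
watch_log() {
    w_file=$1; w_secs=$2; w_prev=$(log_size "$w_file")
    while sleep "$w_secs"; do
        w_cur=$(log_size "$w_file")
        if w_why=$(stress_reason "$w_prev" "$w_cur" "$w_secs" "$(free_kb "$w_file")"); then
            # FreeBSD newsyslog -R forces rotation of just the named file.
            newsyslog -R "logwatch: $w_why" "$w_file"
            w_cur=$(log_size "$w_file")
        fi
        w_prev=$w_cur
    done
}
# Usage (as root): watch_log /var/log/messages 60
```

With the default thresholds, the burst quoted above (82418 bytes in under two minutes, about 686 B/s) counts as stress, while one "last message repeated" line every 10 minutes does not.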