[Logwatch] logwatch runs for 12-26 hours, exim logs to blame

Mike Tremaine mgt at stellarcore.net
Wed May 28 08:11:35 MST 2008


Gordon wrote:
> Any recommended rtfm for making logwatch run faster would be appreciated.  I
> have hacked a few changes but run time of 20 hours is not unusual.  My exim
> logs are 250MB per day... /var/log/maillog is about the same size
> (spamassassin detail)
> 
> Am I correct in thinking ignore.conf only stops reporting of, not
> calculation of these errors?
> 
> I suspect these summations may be to blame.
> 
>   --- Bad Hosts ---
>     Rejected HELO/EHLO: syntactically invalid argument(s) 1228 times
>     SMTP Syntax errors 278 times
>     SMTP Timeout errors 3812 times
>     Sudden disconnect while expecting remote input 99128 times
> 
>   --- SMTP Connection Issues
>     SMTP connection lost when connection reset by peer : 77804 Time(s)
>     SMTP connection closed by QUIT: 115118 Time(s)
>     SMTP connection lost while reading message data: 960 Time(s)
>     SMTP connection lost (non-specific): 58568 Time(s)
>     SMTP connection TCP/IP connection count (warning): 363319 Time(s)
> 
>   --- Failed Reverse Lookups
>   --- 104124  Time(s)
> 
> I am using an RPM for centos5 logwatch-7.3-5


Yikes.... How often to you rotate your logfiles? I do not have anything 
that large anymore. [200MB files]

Ignore.conf will not speed it up it is the last chance filter to remove 
things from the report. In looking at the Exim service it looks like it 
handles everything internally so there is no prefilter for date/time or 
service which means that whole file gets pumped through it.

My suggestions would be see if you can increase the logrotation to make 
the file sizes smaller. Also update logwatch to 7.3.6 release check the 
exim service there was a fix in 1.21 to increase speed. It might be 
worth playing with the default.conf/services/exim.conf and see if a date 
and service filter can prefilter out a lot of stuff so that it goes faster?

What kind of processor and memory are we talking about here?

-Mike





More information about the Logwatch mailing list