[Logwatch] logwatch runs for 12-26 hours, exim logs to blame
gb-mail at sbgnet.com
Wed May 28 08:57:21 MST 2008
On 5/28/2008 11:11 AM, Mike Tremaine wrote:
> Gordon wrote:
>> Any recommended rtfm for making logwatch run faster would be appreciated. I
>> have hacked a few changes but run time of 20 hours is not unusual. My exim
>> logs are 250MB per day... /var/log/maillog is about the same size
>> (spamassassin detail)
>> Am I correct in thinking ignore.conf only stops reporting of, not
>> calculation of these errors?
>> I suspect these summations may be to blame.
>> --- Bad Hosts ---
>> Rejected HELO/EHLO: syntactically invalid argument(s) 1228 times
>> SMTP Syntax errors 278 times
>> SMTP Timeout errors 3812 times
>> Sudden disconnect while expecting remote input 99128 times
>> --- SMTP Connection Issues
>> SMTP connection lost when connection reset by peer : 77804 Time(s)
>> SMTP connection closed by QUIT: 115118 Time(s)
>> SMTP connection lost while reading message data: 960 Time(s)
>> SMTP connection lost (non-specific): 58568 Time(s)
>> SMTP connection TCP/IP connection count (warning): 363319 Time(s)
>> --- Failed Reverse Lookups
>> --- 104124 Time(s)
>> I am using an RPM for centos5 logwatch-7.3-5
> Yikes.... How often do you rotate your logfiles? I do not have anything
> that large anymore. [200MB files]
> Ignore.conf will not speed it up; it is the last chance filter to remove
> things from the report. In looking at the Exim service it looks like it
> handles everything internally so there is no prefilter for date/time or
> service, which means that whole file gets pumped through it.
> My suggestions would be to see if you can increase the logrotation to make
> the file sizes smaller. Also update logwatch to the 7.3.6 release and check
> the exim service; there was a fix in 1.21 to increase speed. It might be
> worth playing with the default.conf/services/exim.conf and see if a date
> and service filter can prefilter out a lot of stuff so that it goes faster?
> What kind of processor and memory are we talking about here?
logs rotate daily at 1:00AM
The log files are huge. Yesterday I had
158919 SPAM messages rejected
226413 unknown recipient
75584 delivered messages!
A grand total of 1,577,777 lines
It is currently running. I think suppressing the exim-archive would be
a huge help...
[root@mta-x exim]# ll /var/cache/logwatch/logwatch.2J1A9ehy/
-rw------- 1 root root 35499 May 28 01:04 clam-update
-rw------- 1 root root 35499 May 28 01:04 clam-update-archive
-rw------- 1 root root 15031 May 28 01:04 cron
-rw------- 1 root root 45509 May 28 01:04 cron-archive
-rw------- 1 root root 205959779 May 28 01:04 exim
-rw------- 1 root root 205959779 May 28 01:04 exim-archive
-rw------- 1 root root 6753845 May 28 01:04 messages
-rw------- 1 root root 21473896 May 28 01:04 messages-archive
-rw------- 1 root root 3802 May 28 01:04 secure
-rw------- 1 root root 3854 May 28 01:04 secure-archive
-rw------- 1 root root 0 May 28 01:04 yum
I wonder if I should reverse this...
[root@mta-x ~]# cat /usr/share/logwatch/default.conf/logfiles/exim.conf
# Which logfile group...
#LogFile = exim/main.log
Archive = exim/main.log.1
LogFile = exim/main.log.1
#Archive = exim/main.log.1
The server is a quad core Xeon 1.86GHz, 8 GB RAM
(logwatch seems to eat 1 core... sar load is 25% higher while it runs)
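
The date prefilter suggested in the quoted reply, sketched as a standalone shell filter. This is an added example, not part of the original post and not Logwatch's own code. The function names and the NOISE patterns are assumptions, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: date + noise prefilter for an Exim main log.
# Function names and NOISE patterns are assumptions for illustration.

# Connection-level messages to drop before analysis (assumed wording;
# compare against the exact text in your own main.log before use).
NOISE='SMTP connection from .* (closed by QUIT|lost)|no host name found for IP address|TCP/IP connection count'

# exim_prefilter DAY < main.log
# Keeps lines whose timestamp starts with DAY (YYYY-MM-DD) and that do
# not match NOISE. One awk pass, constant memory.
exim_prefilter() {
    awk -v day="$1" -v noise="$NOISE" '
        substr($0, 1, 10) == day && $0 !~ noise { print }
    '
}

# exim_prefilter_stats DAY < main.log
# Prints "total kept" so the reduction can be checked before the
# filtered file replaces the full log in a nightly run.
exim_prefilter_stats() {
    awk -v day="$1" -v noise="$NOISE" '
        { total++ }
        substr($0, 1, 10) == day && $0 !~ noise { kept++ }
        END { printf "%d %d\n", total, kept + 0 }
    '
}

# Constructed sample lines in Exim main-log layout (not from the post).
sample_log() {
    cat <<'EOF'
2008-05-26 23:59:58 SMTP connection from [192.0.2.10] closed by QUIT
2008-05-27 00:00:03 SMTP connection from [192.0.2.11] lost while reading message data
2008-05-27 00:00:04 no host name found for IP address 192.0.2.12
2008-05-27 00:00:09 1K1AbC-0001Xy-2Z <= alice@example.org H=mail.example.org [192.0.2.20] P=esmtp S=2048
2008-05-27 00:00:10 1K1AbC-0001Xy-2Z => bob <bob@example.net> R=local_user T=local_delivery
2008-05-27 00:00:12 H=(bad_helo) [192.0.2.13] rejected HELO from [192.0.2.13]: syntactically invalid argument(s)
2008-05-28 00:00:01 1K1AbD-0001Xz-3A Completed
EOF
}
```

The rejected-HELO line is kept on purpose: only the connection bookkeeping messages are dropped, so rejection and delivery events still reach the report.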