[Logwatch] logwatch runs for 12-26 hours, exim logs to blame

Gordon gb-mail at sbgnet.com
Wed May 28 08:57:21 MST 2008



On 5/28/2008 11:11 AM, Mike Tremaine wrote:
> Gordon wrote:
>> Any recommended rtfm for making logwatch run faster would be appreciated.  I
>> have hacked a few changes but run time of 20 hours is not unusual.  My exim
>> logs are 250MB per day... /var/log/maillog is about the same size
>> (spamassassin detail)
>>
>> Am I correct in thinking ignore.conf only stops reporting of, not
>> calculation of these errors?
>>
>> I suspect these summations may be to blame.
>>
>>   --- Bad Hosts ---
>>     Rejected HELO/EHLO: syntactically invalid argument(s) 1228 times
>>     SMTP Syntax errors 278 times
>>     SMTP Timeout errors 3812 times
>>     Sudden disconnect while expecting remote input 99128 times
>>
>>   --- SMTP Connection Issues
>>     SMTP connection lost when connection reset by peer : 77804 Time(s)
>>     SMTP connection closed by QUIT: 115118 Time(s)
>>     SMTP connection lost while reading message data: 960 Time(s)
>>     SMTP connection lost (non-specific): 58568 Time(s)
>>     SMTP connection TCP/IP connection count (warning): 363319 Time(s)
>>
>>   --- Failed Reverse Lookups
>>   --- 104124  Time(s)
>>
>> I am using an RPM for centos5 logwatch-7.3-5
> 
> 
> Yikes.... How often do you rotate your logfiles? I do not have anything 
> that large anymore. [200MB files]
> 
> Ignore.conf will not speed it up; it is the last chance filter to remove 
> things from the report. In looking at the Exim service it looks like it 
> handles everything internally so there is no prefilter for date/time or 
> service which means that whole file gets pumped through it.
> 
> My suggestions would be to see if you can increase the log rotation to make 
> the file sizes smaller. Also update logwatch to the 7.3.6 release; check the 
> exim service, there was a fix in 1.21 to increase speed. It might be 
> worth playing with the default.conf/services/exim.conf to see if a date 
> and service filter can prefilter out a lot of stuff so that it goes faster?
> 
> What kind of processor and memory are we talking about here?
> 
> -Mike

logs rotate daily at 1:00AM

The log files are huge.  Yesterday I had
158919 SPAM messages rejected
226413 unknown recipient
75584 delivered messages!
A grand total of 1,577,777 lines

It is currently running.  I think suppressing the exim-archive would be 
a huge help...

[root at mta-x exim]# ll /var/cache/logwatch/logwatch.2J1A9ehy/
total 430476
-rw------- 1 root root     35499 May 28 01:04 clam-update
-rw------- 1 root root     35499 May 28 01:04 clam-update-archive
-rw------- 1 root root     15031 May 28 01:04 cron
-rw------- 1 root root     45509 May 28 01:04 cron-archive
-rw------- 1 root root 205959779 May 28 01:04 exim
-rw------- 1 root root 205959779 May 28 01:04 exim-archive
-rw------- 1 root root   6753845 May 28 01:04 messages
-rw------- 1 root root  21473896 May 28 01:04 messages-archive
-rw------- 1 root root      3802 May 28 01:04 secure
-rw------- 1 root root      3854 May 28 01:04 secure-archive
-rw------- 1 root root         0 May 28 01:04 yum

I wonder if I should reverse this...
[root at mta-x ~]# cat /usr/share/logwatch/default.conf/logfiles/exim.conf
# Which logfile group...
#LogFile = exim/main.log
Archive = exim/main.log.1

to

LogFile = exim/main.log.1
#Archive = exim/main.log.1


The server is a quad core Xeon 1.86GHz, 8 GB RAM
(logwatch seems to eat 1 core... sar load is 25% higher while it runs)
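
Added example, not part of the original thread and not logwatch's own code: a single-pass date prefilter of the kind suggested in the quoted reply, applied to Exim main-log lines before any per-line matching. It assumes the log is in chronological order with "YYYY-MM-DD HH:MM:SS" timestamps; the sample lines, function names and pattern table are constructed for illustration.

```python
import io
from collections import Counter

# Constructed sample in Exim main-log layout ("YYYY-MM-DD HH:MM:SS text").
SAMPLE_LOG = """\
2008-05-26 23:59:58 SMTP connection from [192.0.2.10] closed by QUIT
2008-05-27 00:00:03 SMTP connection from [192.0.2.11] lost while reading message data
2008-05-27 04:12:40 SMTP command timeout on connection from [192.0.2.12]
2008-05-27 09:30:00 SMTP connection from [192.0.2.13] closed by QUIT
exim: stray line without a timestamp
2008-05-27 18:45:19 SMTP connection from [192.0.2.14] closed by QUIT
2008-05-28 00:00:01 SMTP connection from [192.0.2.15] closed by QUIT
"""

# (substring, report label) pairs; an illustrative table, not logwatch's rules.
PATTERNS = (
    ("closed by QUIT", "SMTP connection closed by QUIT"),
    ("lost while reading message data", "SMTP connection lost while reading message data"),
    ("SMTP command timeout", "SMTP Timeout errors"),
)

def is_date(stamp):
    """True if the 10-character prefix looks like YYYY-MM-DD."""
    return (len(stamp) == 10 and stamp[4] == "-" and stamp[7] == "-"
            and stamp[:4].isdigit())

def lines_for_day(stream, day):
    """Yield lines stamped `day`; stop reading at the first later date."""
    for line in stream:
        stamp = line[:10]
        if stamp == day:
            yield line                      # cheap prefix compare, no regex
        elif is_date(stamp) and stamp > day:
            break                           # ISO dates sort as plain strings

def summarize(stream, day):
    """Count report categories for one day in a single streaming pass."""
    counts = Counter()
    for line in lines_for_day(stream, day):
        counts["total"] += 1
        for needle, label in PATTERNS:
            if needle in line:
                counts[label] += 1
                break
    return counts

if __name__ == "__main__":
    report = summarize(io.StringIO(SAMPLE_LOG), "2008-05-27")
    for label, n in report.most_common():
        print(f"{n:8d}  {label}")
```

On a real file, pass an open file object instead of the StringIO; memory use stays constant because lines are never accumulated.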