[Logwatch] logwatch runs for 12-26 hours, exim logs to blame

MrC lists-logwatch at cappella.us
Wed May 28 09:23:49 MST 2008


Gordon wrote:
> 
> On 5/28/2008 11:11 AM, Mike Tremaine wrote:
>> Gordon wrote:
>>> Any recommended rtfm for making logwatch run faster would be appreciated.  I
>>> have hacked a few changes but run time of 20 hours is not unusual.  My exim
>>> logs are 250MB per day... /var/log/maillog is about the same size
>>> (spamassassin detail)
>>>
...
> 
> It is currently running.  I think suppressing the exim-archive would be 
> a huge help...
> 
> [root at mta-x exim]# ll /var/cache/logwatch/logwatch.2J1A9ehy/
> total 430476
> -rw------- 1 root root     35499 May 28 01:04 clam-update
> -rw------- 1 root root     35499 May 28 01:04 clam-update-archive
> -rw------- 1 root root     15031 May 28 01:04 cron
> -rw------- 1 root root     45509 May 28 01:04 cron-archive
> -rw------- 1 root root 205959779 May 28 01:04 exim
> -rw------- 1 root root 205959779 May 28 01:04 exim-archive
> -rw------- 1 root root   6753845 May 28 01:04 messages
> -rw------- 1 root root  21473896 May 28 01:04 messages-archive
> -rw------- 1 root root      3802 May 28 01:04 secure
> -rw------- 1 root root      3854 May 28 01:04 secure-archive
> -rw------- 1 root root         0 May 28 01:04 yum
> 

The copying of the log file and one or more of its archives to a 
temporary file (eg. in /var/cache/...) is a fundamental design flaw in 
logwatch.  There is simply no reason to do this; while it was acceptable 
perhaps 10 years ago when logwatch started, it is terribly inefficient 
with today's service demands.  The disturbance caused to busy or heavily 
used systems, especially those with slower disks, can be substantial.

This has been discussed several times.  See:

http://article.gmane.org/gmane.comp.log.logwatch.devel/1331/match=copy
http://article.gmane.org/gmane.comp.log.logwatch.devel/1334/match=copy
http://article.gmane.org/gmane.comp.log.logwatch.devel/1333/match=copy

If you don't need to scan archives, you will save substantial time by 
disabling Archives.

You can disable the exim filter, and instead, run any pre-filters and 
service filter itself manually (outside of logwatch) to prevent the 
large file copy.

MrC


> I wonder if I should reverse this...
> [root at mta-x ~]# cat /usr/share/logwatch/default.conf/logfiles/exim.conf
> # Which logfile group...
> #LogFile = exim/main.log
> Archive = exim/main.log.1
> 
> to
> 
> LogFile = exim/main.log.1
> #Archive = exim/main.log.1
> 
> 
> The server is a quad core xeon 1.86Ghz, 8 GB RAM
> (logwatch seems to eat 1 core... sar load is 25% higher while it runs)
> 
>


More information about the Logwatch mailing list