Re: [squid-users] help interpreting logs

From: Joe Cooper <joe@dont-contact.us>
Date: Mon, 20 Aug 2001 13:13:34 -0500

John C. Gale wrote:

> OK, I need some help interpreting my log files. Squid stopped because my
> cache.log file was too big (thanks to a code red node filling it up with
> requests to worm.com).
>
> What I don't understand is WHY. I had tons of free inodes and tons
> of disk space (both in the squid-cache raid partition and on the
> log partition). The cache.log got to about 1.7Gb.

Sure it wasn't 2GB? Just a thought...

 
> How do I fix it? I don't want to fail next time I get a code red station
> going through it.
>
> Box particulars:
> 768Mb RAM, 700Mhz Athlon, Red Hat 6.2 (Kernel 2.2.14-5.0)
> running squid-2.3.STABLE4, five 18Gb u2w scsi disks

Upgrade your kernel to 2.2.16+, there are known issues with all 2.2
versions below that (two mild security bugs). There is a Red Hat RPM
update for 6.2 to version 2.2.17, I believe in the Red Hat updates
directory of any complete mirror of the Red Hat site.

 
> All ideas are appreciated (And I just noticed my shortage on file
> descriptors, I edited the header file long ago, but apparently I
> forgot to recompile the kernel).

Edit the file /etc/logrotate.d/squid, and change the 'weekly' line to
read 'daily'. Also change the 'rotate 5' line to read 'rotate 7'. This
will cause your system to rotate the logs once per day, rather than once
per week (keeping them nice and small even in the event of another
similar worm event). The rotate 7 bit will keep logs for one full week,
rather than 5 days. This last one isn't necessary, but seems a good
idea to me.

                                   --
                      Joe Cooper <joe@swelltech.com>
                  Affordable Web Caching Proxy Appliances
                         http://www.swelltech.com
Received on Mon Aug 20 2001 - 12:07:23 MDT
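
The logrotate edit described in the reply above, as an added example that is not part of the original message. The thread does not show the file, so the stanza contents (log paths, postrotate command) are constructed, and the function names sample_conf, tighten_rotation and apply_tighten are introduced here for illustration.

```shell
#!/bin/sh
# Added example: apply the two logrotate changes from the reply
# (weekly -> daily, rotate 5 -> rotate 7) to a squid stanza.

# Constructed sample of /etc/logrotate.d/squid; the thread does not show
# the real file, so the paths and the postrotate command are assumptions.
sample_conf() {
cat <<'EOF'
# keep 5 weekly logs
/var/log/squid/cache.log /var/log/squid/access.log {
    weekly
    rotate 5
    compress
    missingok
    postrotate
        /usr/sbin/squid -k rotate
    endscript
}
EOF
}

# Rewrite only lines that consist of exactly the directive, so comments and
# values such as "rotate 52" are left alone. Reads the named file(s), or
# stdin when called without arguments; writes the result to stdout.
tighten_rotation() {
    sed -e 's/^\([[:space:]]*\)weekly[[:space:]]*$/\1daily/' \
        -e 's/^\([[:space:]]*\)rotate[[:space:]][[:space:]]*5[[:space:]]*$/\1rotate 7/' \
        "$@"
}

# Edit CONF in place only if something changes, saving the old copy to
# BACKUP first. Keep BACKUP outside /etc/logrotate.d so that logrotate
# does not pick it up as a second config file.
apply_tighten() {
    conf=$1 backup=$2
    new=$(mktemp) || return 1
    tighten_rotation "$conf" > "$new" || { rm -f "$new"; return 1; }
    if cmp -s "$conf" "$new"; then
        rm -f "$new"          # already daily / rotate 7: nothing to do
        return 0
    fi
    cp -p "$conf" "$backup" && cat "$new" > "$conf"   # cat keeps owner/mode
    rc=$?
    rm -f "$new"
    return $rc
}

# Demo on the constructed sample (touches no real file).
sample_conf | tighten_rotation
```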
