Re: [fwAnalog] fwanalog.all.log too big

From: Balázs Bárány (balazs~AT~tud.at)
Date: Wed Oct 22 2003 - 20:02:31 CEST



Hello,

> Then fwanalog runs after the logrotate. If I 'tail' the end of the
> fwanalog.all.log *after* my daily run of fwanalog, will I then keep the
> continuity of the data?

Analog doesn't save its state in a separate file or database. It always operates on the logfiles you tell it to. So if you trim logs after two weeks, you will only have statistics for two weeks in later runs.

> because they're not in fwanalog.all.log.new and they're also past the
> inputfiles_mtime="2" log files.

The algorithm is the following:
1. the logfiles that match the filename patterns in the config file and are newer than inputfiles_mtime are grepped for matching lines and converted into fwanalog.current.log.
2. The last line of fwanalog.all.log is searched in fwanalog.current.log and everything after it is appended to fwanalog.all.log.

By changing inputfiles_mtime, you only optimize the first part of the processing which doesn't take as long as the Analog processing does. So it won't help very much.

Perhaps if you have such problems with the logfile size, you could take out the obvious worm attacks (SQL Slammer, MS Blaster etc.) and concentrate just on the "interesting" blocked packets.

Regards

-- 
_________________________________________________________________________
Balázs Bárány       balazs~AT~tud.at        http://tud.at       ICQ 10747763

A good engineer will make considerable effort to avoid additional effort.
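The two-step append described in the mail, as an added shell example that is not fwanalog's own code: it finds the last line of fwanalog.all.log inside fwanalog.current.log and appends only what follows. File names follow the mail; the behaviour when the marker line is not found (append everything rather than drop data) and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not fwanalog's own code): the append step from the mail.
# File names follow the mail; what to do when the marker line is not found
# is an assumption (append everything rather than lose data).

# append_new_lines ALL CURRENT
# Finds the last line of ALL in CURRENT, appends everything after that
# match to ALL, and prints the number of lines appended.
append_new_lines() {
    all="$1"; current="$2"
    if [ ! -s "$all" ]; then
        start=1    # nothing accumulated yet: take all of CURRENT
    else
        last=$(tail -n 1 "$all")
        # Fixed-string, whole-line match; keep the LAST occurrence so an
        # identical earlier line cannot cause old entries to be re-appended.
        match=$(grep -n -F -x -- "$last" "$current" | tail -n 1 | cut -d: -f1)
        if [ -z "$match" ]; then
            start=1    # assumption: marker gone, append the whole file
        else
            start=$((match + 1))
        fi
    fi
    tmp="$current.tmp"
    tail -n +"$start" "$current" > "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    cat "$tmp" >> "$all"
    rm -f "$tmp"
    echo "$n"
}

# Demo on constructed log lines (not real traffic).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Oct 22 09:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DPT=1434' \
                  'Oct 22 09:00:05 fw kernel: IN=eth0 SRC=192.0.2.11 DPT=135' \
                  > "$d/fwanalog.all.log"
    printf '%s\n' 'Oct 22 09:00:05 fw kernel: IN=eth0 SRC=192.0.2.11 DPT=135' \
                  'Oct 22 09:01:00 fw kernel: IN=eth0 SRC=192.0.2.12 DPT=22' \
                  > "$d/fwanalog.current.log"
    echo "appended $(append_new_lines "$d/fwanalog.all.log" "$d/fwanalog.current.log") line(s)"
    rm -rf "$d"
}
demo
```

Because the marker is the last line of the accumulated file, trimming fwanalog.all.log from the front (as the mail suggests) does not break the continuity; only removing its tail would.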


This archive was generated by hypermail 2.1.5 : Wed Oct 22 2003 - 21:42:02 CEST