Trimming Monster Logs and Advanced Cracker Detection
Welcome back, everyone, to the SysAdmin's Corner. It is time once again to delve deep into the soul of your Linux system, to grasp its subtle mysteries, and to maybe, just maybe, catch a cracker before he does damage.
Log files can get pretty large. An active server is a talkative one, and talk from your Linux system means log entries. Lots of log entries. Over the years, I've seen log files grow unchecked until the system crashes for lack of disk space. Sure, now that we all have 40GB drives on our PCs, it's not as bad, but a mess is a mess and needs cleaning from time to time. I've made jokes about the old days where, without the logrotate command, I had to trim my own log files and walk 14 miles to school (uphill, both directions). Well, the logfile trimming part is true, and somewhere along the way, it occurred to me that not everybody has logrotate on their system.
In case you don't know, logrotate is a nifty little utility written by Erik Troan that takes care of all this ugly business of archiving logs and recreating them. If you are running Red Hat, you almost certainly have logrotate running. In fact, you should see an entry for it in your /etc/cron.daily directory. This is a simple script that calls logrotate with the default configuration, at /etc/logrotate.conf. Another giveaway is the presence of files in your /var/log directory with .1, .2, .3 and .4 extensions. Before I get into the gory details of log rotation, I should probably tell you that the times for execution of your cron.daily, cron.weekly and cron.some_time files can be found in /etc/crontab. This is just a text file, and you can view it with cat /etc/crontab.
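For systems without logrotate, here is a small POSIX shell rotation routine, added as an example here and not from the column or from logrotate itself. It produces the same .1 through .4 archive files described above (the function and file names are my own), and it copies then truncates the live log rather than renaming it, so a daemon that keeps the file open does not carry on writing to a deleted inode.

```shell
#!/bin/sh
# Manual log rotation in the style of logrotate: keeps file.1 .. file.N,
# with .1 being the newest archive and .N the oldest. Added example code,
# not part of the column and not logrotate's own implementation.

rotate_log() {
    log="$1"
    keep="${2:-4}"          # number of archives to keep (default 4)

    [ -f "$log" ] || return 1

    # Drop the oldest archive, then shift the rest up by one:
    # log.3 -> log.4, log.2 -> log.3, log.1 -> log.2
    rm -f "$log.$keep"
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        [ -f "$log.$i" ] && mv "$log.$i" "$log.$((i + 1))"
        i=$((i - 1))
    done

    # Copy the live log to .1 (preserving mode and owner), then truncate
    # the original in place so open file descriptors stay valid.
    # Caveat: entries written between the cp and the truncate are lost;
    # a rename plus a signal to the daemon avoids that window.
    cp -p "$log" "$log.1"
    : > "$log"
}

# Count how many archives (log.1 ... log.N) currently exist.
count_archives() {
    log="$1"
    n=0
    for f in "$log".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Run it from a daily cron entry against each busy log; a constructed check with a throwaway file is `rotate_log /tmp/test.log 4`.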