Subject: Re: newsyslog
To: None <dlagno@mail.nnov.ru>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 11/27/2003 01:18:32
[ On Saturday, November 22, 2003 at 19:19:01 (+0300), dlagno@mail.nnov.ru wrote: ]
> Subject: newsyslog
>
> I just wonder why in the default installation accounting logs /var/acct/* are
> not handled by newsyslog but by some ad hoc script?

The process accounting file is not an ordinary log file, and the summary
files that can be generated when processing it are not log files either.

They must all be handled in very specific ways, including truncation of
the kernel accounting file to the point where it has been processed.


Here's how I do it:

The first part is in /etc/daily:

if checkyesno summarize_accounting && [ -f /var/account/acct ]; then
        echo ""
        echo "Summarizing live accounting records:"
        #
        # load any existing summary files, merge live records into the
        # summary, truncate the live accounting file (hopefully to the
        # point it was read), and write the accumulated summaries out
        # again.  (/var/account/savacct and /var/account/usracct)
        #
        # XXX it would be nice if 'sa' had an option that would allow
        # it to copy all the raw records it reads to another file so
        # that they could also be preserved in case they need to be
        # re-processed (or used for forensics).
        #
        sa -slq
fi

The second part is in /etc/monthly:

if checkyesno process_accounting; then
        echo ""
        echo "Process accounting by user:"
        #
        # note we assume the daily script has summarized for today...
        #
        sa -mdr /dev/null
        if checkyesno process_command_accounting; then
                echo ""
                echo "Process accounting by command:"
                sa -abclr /dev/null
        fi
        echo ""
        MONTHDATE=$(date +%Y%m%d)
        mv /var/account/savacct /var/account/savacct.$MONTHDATE
        mv /var/account/usracct /var/account/usracct.$MONTHDATE
        gzip -v /var/account/savacct.$MONTHDATE /var/account/usracct.$MONTHDATE
fi


I don't automatically delete any summary archives.

(theoretically the wtmp file should be handled similarly but I'm waiting
to sort out some other issues with it first)

(on a related matter the one really poorly configurable part of NetBSD
as compared to FreeBSD is our /etc/{daily,weekly,monthly} vs. their
/etc/periodic)


> Maybe the name newsyslog is not quite good?  logrotate found in many linux
> distributions seems to be more appropriate?

Newsyslog has its problems but IMNSHO it's a heck of a lot better than
logrotate!  (and several linux users have said as much to me w.r.t. my
own distribution of newsyslog too ;-)

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
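
An added example, not part of the original message: the XXX comment in the daily script notes that sa cannot keep a copy of the raw records it reads, so this sketch snapshots the live accounting file before summarizing. The function name preserve_acct and the archive directory are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original message.  preserve_acct and the
# raw-archive directory are hypothetical names.
#
# Keeps a private dated copy of the raw accounting file so the records are
# still available for re-processing or forensics after "sa -s" has merged
# and truncated them.  Best effort only: records the kernel appends between
# this copy and the sa run are summarized by sa but missing from the copy.

preserve_acct() {
    live=$1        # live accounting file, e.g. /var/account/acct
    rawdir=$2      # archive directory (assumed), e.g. /var/account/raw

    [ -s "$live" ] || return 0      # empty or missing: nothing to keep

    (
        umask 077                   # records list every command run, by user
        mkdir -p "$rawdir" || exit 1

        stamp=$(date +%Y%m%d)
        dest=$rawdir/acct.$stamp
        n=0
        while [ -e "$dest" ]; do    # never overwrite an earlier snapshot
            n=$((n + 1))
            dest=$rawdir/acct.$stamp.$n
        done

        # Copy under a temporary name so a failed copy is never mistaken
        # for a complete archive, then publish it with an atomic rename.
        cp "$live" "$dest.tmp" || { rm -f "$dest.tmp"; exit 1; }
        chmod 600 "$dest.tmp" || exit 1
        mv "$dest.tmp" "$dest" || exit 1
        echo "$dest"                # report where the copy went
    )
}
```

In the daily script quoted above this would be called just before `sa -slq`, with the printed path discarded or logged.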