EFW Support

Support => General Support => Topic started by: danodemano on Friday 09 October 2009, 01:20:58 pm



Title: /var/log Full
Post by: danodemano on Friday 09 October 2009, 01:20:58 pm
So I have a new problem now.  My /var/log is full.  After taking all the defaults for the install, it looks like it was only created to be about 300MB.  This is despite the fact that I have a 360GB hard drive in the system.  As it turns out, and not very surprisingly, this partition is full:

Device       Mounted on   Size      Used   Free      Percentage
/dev/hda1    /            942M      388M   507M      44%
/dev/hda6    /var         336465M   240M   319133M   1%
/dev/hda3    /var/efw     101M      5M     91M       6%
/dev/hda5    /var/log     302M      294M   0M        100%

I would like to be able to keep more than just 300MB of logs.  Any way to fix this without a reinstall?  It looks like /var is 330GB while the installer made /var/log a tiny 300MB.

Thanks,
Dan


Title: Re: /var/log Full
Post by: caryb on Saturday 10 October 2009, 09:10:15 am
I can add weight to this, after 1 week my /var/log is 98% full. Even if rotation is working ok that is cutting it way too fine.


Cary


Title: Re: /var/log Full
Post by: den64 on Sunday 11 October 2009, 04:41:14 am
same prob here


Title: Re: /var/log Full
Post by: bispobranco on Monday 12 October 2009, 09:21:43 am
Hi all,
First of all, sorry for my poor English...

This is my first post here... so....

I've got the same problem here, the same partition design.

It's a VM (Endian) in VMware working like a real environment, I mean I've got Endian with 2 NICs (one bridged and one NAT), and 4 VMs configured on the NAT network...

Everything works fine, my SMTP proxy with my internal server, SIP communications, HTTP proxies, etc...
Yesterday the Squid didn't work... my log folder is 100%
What did I do?
So, make a copy of the whole log folder in another folder.
Attach a new hard drive with 20GB.
Boot the system again, make the partition table, make the filesystem and then attach it in fstab.
Reboot, restore the copy of the original log folder and... VOILÀ!!!

Every service, NAT, Proxy works fine...
The only problem right now (Very Big problem) is that I can't access the webadmin page.

can't look any more now, but tomorrow will look again... all

My startup.log is:
------------------------------------------------
Setting hostname
Loading /usr/share/kbd/keymaps/i386/qwerty/us.map.gz
Clearing old files
Setting the clocksource to PIT
Setting the clock
syslog-ng is stopped
Starting syslog-ng:                                        [  OK  ]
Starting ulogd:                                            [  OK  ]
Setting locale
Setting consolefonts
Initializing Power Management
Setting kernel settings
Setting up loopback
Loading MASQ helper modules
Destroying virtual interfaces... grep: /proc/net/vlan/config: No such file or directory
                                                           [  OK  ]
Stopping bonding devices                                   [  OK  ]
* Updating network card configuration
* Number of NICs found: 2
> Device:   eth0 (00:0c:29:6c:46:19)
  Businfo:  00:10.0
  Model:    Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 10)
  Driver:   pcnet32 1.33-NAPI
> Device:   eth1 (00:0c:29:6c:46:23)
  Businfo:  00:11.0
  Model:    Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE] (rev 10)
  Driver:   pcnet32 1.33-NAPI
* Setting up network interfaces
Start creating virtual interfaces...
Ended creating virtual interfaces...                       [  OK  ]
Starting the CAPI 2.0 daemon:                              [FAILED]
Bringing network up
Starting monit:                                            [  OK  ]
Starting QoS
2009-10-11 11:55:31,157 - restartqos.py[1890] - ERROR - Migration has to be fixed!!!
2009-10-11 11:55:31,158 - restartqos.py[1890] - INFO - Loading configuration
2009-10-11 11:55:31,420 - restartqos.py[1890] - ERROR - RETURNCODE [iptables -t mangle -D POSTROUTING -j QOS 2> /dev/null] 1
/etc/rc.d/start/39firewall: line 3: loadconf: command not found
Setting up  firewall rules
Starting uplinksdaemon at boot time:                       [  OK  ]
Starting collectd:                                         [  OK  ]
dnsmasq is stopped
Starting dnsmasq:                                          [  OK  ]
Starting emi:                                              [  OK  ]
Setting up ip accounting
2009-10-11 11:56:08,670 - createtemplates.py[3121] - INFO - Creating message templates for service "dansguardian"
2009-10-11 11:56:10,302 - createtemplates.py[3121] - INFO - Creating message templates for service "postfix"
2009-10-11 11:56:10,506 - createtemplates.py[3121] - INFO - Creating message templates for service "amavisd-new"
2009-10-11 11:56:11,022 - createtemplates.py[3121] - INFO - Creating message templates for service "havp"
2009-10-11 11:56:14,326 - createtemplates.py[3121] - INFO - Creating message templates for service "logsurfer"
2009-10-11 11:56:16,627 - createtemplates.py[3121] - INFO - Creating message templates for service "p3scan"
2009-10-11 11:56:16,721 - createtemplates.py[3121] - INFO - Creating message templates for service "squid"
2009-10-11 11:56:18,259 - createtemplates.py[3121] - INFO - Creating message templates for service "backup"
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appear to be stopped already!
ipsec_setup: doing cleanup anyway...
2009-10-11 11:56:34,784 - restartsmtpscan.py[3465] - INFO - commtouch is not installed
clamd (pid 3533 3530) is running...
amavisd is stopped
amavisd is stopped
Starting Mail Virus Scanner (amavisd):                     [  OK  ]
master is stopped
Starting postfix: + /usr/sbin/postalias /etc/aliases
+ /usr/sbin/postmap btree:/etc/postfix/client_rules
+ /usr/sbin/postmap btree:/etc/postfix/recipient_bcc
+ /usr/sbin/postmap btree:/etc/postfix/recipient_rules
+ /usr/sbin/postmap /etc/postfix/relay_domains
+ /usr/sbin/postmap /etc/postfix/sasl_passwd
+ /usr/sbin/postmap btree:/etc/postfix/sender_bcc
+ /usr/sbin/postmap btree:/etc/postfix/sender_rules
+ /usr/sbin/postmap /etc/postfix/transport
                                                           [  OK  ]
Starting mail statistics grapher: mailgraph                [  OK  ]
Starting Snort (if enabled)
2009-10-11 11:58:00,571 - restartsquid.py[3958] - ERROR - Could not load config file '/var/efw/proxy/policyrules'!
Traceback (most recent call last):
  File "/usr/local/bin/restartsquid.py", line 702, in readPolicyRules
    rules = CSVFile(conf, obj).load()
  File "/usr/lib/python2.4/site-packages/endian/core/csvfile.py", line 104, in load
  File "/usr/lib/python2.4/site-packages/endian/core/csvfile.py", line 49, in toclass
CSVFileException: <unprintable instance object>
/usr/lib/python2.4/site-packages/Cheetah/Compiler.py:1578: UserWarning: You supplied an empty string for the source!
dnsmasq (pid 2836) is running...
Starting squid: ...                                        [  OK  ]
clamd (pid 3818) is running...
havp is stopped
'Row has to few fields compared with cLass meta information'
Installing crontab
Starting fcron:                                            [ OK ]

-----------------------

Hope this can help any one and someone could help me...

Best Regards...


Title: Re: /var/log Full
Post by: bispobranco on Monday 12 October 2009, 09:37:53 am
Sorry.... right now my squid didn't run... and shows me this:

-----------------------
ERROR

--------------------------------------------------------------------------------


The requested URL could not be retrieved
While trying to retrieve the URL: http://www.google.es/



The following error was encountered:

Unable to forward this request at this time.

Sorry, you are not currently allowed to request:
http://www.google.es/
from this cache until you have authenticated yourself.

This request could not be forwarded to the origin server or to any
parent caches. The most likely cause for this error is that:
The cache administrator does not allow this cache to make direct connections to origin servers, and
All configured parent caches are currently unreachable.


Your cache administrator is ***@***.***.**

------------------


Title: Re: /var/log Full
Post by: danodemano on Tuesday 13 October 2009, 10:03:31 am
Seems as though there should be a way to simply expand the log partition....it's not like I'm short on space.  I also think it would be nice to be able to modify the partition layout during the setup of Endian as this would have resolved the problem before it even started.  Is it possible to use something like GParted and change the partition tables without screwing with the Endian install??


Title: Re: /var/log Full
Post by: bispobranco on Tuesday 13 October 2009, 04:33:44 pm
I completely agree with you...

I think we need to have the decision on how to partition...

I can't find anything that can help me with my webadmin interface problem, so.... reinstall...


Best Regards.


Title: Re: /var/log Full
Post by: mrkroket on Thursday 15 October 2009, 01:05:44 am
Maybe we can simply use symbolic links to move some log dirs to another disk?

ln -s etc etc


Title: Re: /var/log Full
Post by: danodemano on Thursday 15 October 2009, 01:20:48 am
While I do work with Linux I'm far from an expert in it.  I do understand how symbolic links work but don't have any idea how to create them.  What is it that your command does?


Title: Re: /var/log Full
Post by: mrkroket on Thursday 15 October 2009, 12:33:11 pm
I'm not a Linux expert either.

But on another system I used this to bypass the size problems. Suppose you want to have the dir /var/log/proxy on another drive:

md /var/otherlog
mv /var/log/proxy /var/otherlog/proxy
ln -s /var/otherlog/proxy /var/log/proxy

Now the dir /var/log/proxy is simply a link to /var/otherlog/proxy, that can be on any other location.


Title: Re: /var/log Full
Post by: danodemano on Thursday 15 October 2009, 12:46:19 pm
Interesting...I learned something new today.  I just did it with the whole logs directory so we will see.  It appears to have worked as all the logs are now in a different location and there is a link to them in /var/log but I don't know for sure that everything is good.  I will post back after I know that things are as they should be.


Title: Re: /var/log Full
Post by: mrkroket on Friday 16 October 2009, 01:01:14 am
Don't forget the messages file, is a pretty big one. So far I haven't any issues yet with that "dirty bugfix"


Title: Re: /var/log Full
Post by: caryb on Saturday 17 October 2009, 07:01:48 am
Sorry guys, this is flawed in its present state!
* the md command is "mkdir" in Linux


Cary


Title: Re: /var/log Full
Post by: vaohama on Tuesday 20 October 2009, 06:17:26 pm
Same guy how can

mkdir -p /home/log
mv /var/log /var/log_keep    (backup log)
ln -s /home/log /var/log

<<<  mv: cannot move `/var/log' to `/var/log_keep': Device or resource busy >>>

How can I stop all syslog please help

Thk.

From Thailand


Title: Re: /var/log Full
Post by: mrkroket on Wednesday 21 October 2009, 03:26:45 am
Unfortunately I found out that symbolic links don't fix the whole problem, which was a tiny /var/log partition. Any new file on /var/log will go to the 300MB partition, and in a matter of days/weeks we'll end up with no empty space, even if you have 80GB+ free space on /var. The messages and firewall files (big ones) are zipped daily on /var/log, and as they are new files they are not linked to the other log dir. With symlinks you should cron a daemon that daily moves the .gz to the other dir, creates links, etc. etc. Boring and not nice.

Besides that, there is some problem with rrdtool collectd, that fills up the messages file in a matter of hours. In one day I got a 300MB messages file!!!

The best way could be GParted run from a LiveCD, but I have neither the time nor interest in wasting time on changing the partitions.

What I tried is to modify the /etc/fstab file to remove the /var/log partition, so this way /var/log will use the space on /var.
That file links partitions to system directories, so I changed the /var/log linkage point. The drawback is that I lose those 300 megs, the good thing is that it is easy to do:

1- Stop as many services as you can on the Endian GUI (maybe leave SSH)
2- On console, create a backup copy of /var/log:  cp -p -r /var/log /var/logBackup. You can alternatively create a log backup on the GUI (I think).
3- Edit the fstab file: nano /etc/fstab. You will see the linkage for /var/log. Change the linkage to another dir. I changed /var/log to /var/log2. This way /var/log isn't a linkage point anymore, so it takes space from /var, the main partition with plenty of space.
4- reboot
5- Copy the backed up log files. cp -p -r /var/logBackup /var/log. Or restore the backup from the GUI.
6- reboot again
7- Delete backup logs: rm -R logBackup/ (step not needed if you backed up from the GUI)
8- Re-enable all services on the Endian GUI. Reboot if you want.
9- You can check on console that now the logs take space from /var, and not from the old /var/log. Use the df -h command to see the free space.

Warning! This is a dirty, not fully tested workaround!!! Maybe editing the fstab file wrecks something, so far I don't see anything strange.
But now I have the full 68GB to waste on logs, so I'm happy. I'll tell if I have any side effects on the firewall.
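
What the post above describes (a relocated directory leaves a symlink behind, but newly rotated archives still land on the original /var/log partition), checked in the shell as an added example that is not part of the original thread. The temp-directory layout, file contents and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: the layout built below is a constructed stand-in for
# /var/log and /var/otherlog; it never touches the real directories.

# backing_mount PATH: mount point of the filesystem that really holds PATH.
# df resolves symlinks, so a relocated directory reports its new home.
backing_mount() {
    df -P "$1" | awk 'NR == 2 { for (i = 6; i < NF; i++) printf "%s ", $i; print $NF }'
}

# residual_logs DIR: regular files physically stored under DIR.
# find does not follow symlinks and -xdev keeps it on DIR's own filesystem,
# so everything listed still consumes space on the original partition.
residual_logs() {
    (cd "$1" && find . -xdev -type f -print | sed 's|^\./||' | sort)
}

# residual_bytes DIR: total size in bytes of those files.
residual_bytes() {
    (cd "$1" && find . -xdev -type f -exec wc -c {} + |
        awk '$2 != "total" { sum += $1 } END { print sum + 0 }')
}

# build_demo: create the constructed layout in a temp dir and print its root.
build_demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/log/proxy" "$root/otherlog"
    printf '%s\n' 'GET http://example.test/' > "$root/log/proxy/access.log"
    printf '%s\n' 'kernel: boot' > "$root/log/messages"
    # The relocation from the thread: move one directory, leave a symlink.
    mv "$root/log/proxy" "$root/otherlog/proxy"
    ln -s "$root/otherlog/proxy" "$root/log/proxy"
    # Daily rotation then creates a brand-new archive beside the live file.
    printf '%s' 'rotated' > "$root/log/messages.1.gz"
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(build_demo)
    echo "Files still stored in the original log directory:"
    residual_logs "$demo/log"
    echo "Bytes they occupy: $(residual_bytes "$demo/log")"
    echo "proxy/ is now held by: $(backing_mount "$demo/log/proxy")"
    rm -rf "$demo"
fi
```

Pointing `residual_logs` and `backing_mount` at a real log directory after a relocation shows which files still count against the small partition and where each symlinked directory now lives.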


Title: Re: /var/log Full
Post by: danodemano on Wednesday 21 October 2009, 04:35:23 am
I will have to give it a try this evening when I get home.  It seems like a valid way of doing it and I don't really have anything to lose.  I have already gone through a re-install twice after hosing things up.


Title: Re: /var/log Full
Post by: danodemano on Thursday 22 October 2009, 11:25:32 am
I had a lot of trouble with this.  Maybe I did something wrong, as I have mentioned, I am no Linux guru, but this hosed up a LOT of things on the system.  Since most of the .conf files point to /var/log a lot of things continued to write there while others broke altogether (httpd, snort, squid, and clam just to name a few).  I changed the fstab file back the way it was and restored from the backup I made just before I started monkeying with it and things are back to "normal" just have the full log problem once more.  Again, this could have been something I did, but I'm not about to try hacking on it again.  I will wait for an official fix from Endian.


Title: Re: /var/log Full
Post by: pwizard on Thursday 22 October 2009, 02:25:49 pm
very easy to keep /var/log

change destination log to other partition -> /var

by editing /etc/syslog/syslog.conf.tmpl

good luck