[Snort-users] Re: Free Inodes

Nigel Houghton nigel at ...1935...
Wed Jun 8 19:02:30 EDT 2005


First of all, I apologize for the length of this message, I just
included all the replies and the original message purely for the mail
archive being a little more readable.

I-Nodes, gentlemen, are the actual issue here. What you are all failing 
to mention is that a partition not only relies on the size given to it 
but the size of the inodes allowed. Thus, a 10 Gig partition with an 
inode size of 1024 will hold considerably more files than the same 
partition with an inode size of 4096, quite possibly, four times as
many files.

When folks run out of inodes, it rarely means they are out of disk
space, more than likely they have a larger inode size and a lot of very
small files hanging around. The default inode size in a FreeBSD install
is IIRC 2048, although I haven't done an install using the defaults in a
very long time. There are many things that can suck up room in /var,
mail messages, mail logs, anti-virus logs,
installing/deinstalling/modifying ports, updating the system and running
mergemaster, etc... You should look around in /var and see what is
taking up those inodes. ( man df should help you out here )

Having said all that, there is nothing wrong with adding another hard
drive and logging your snort events, and only your snort events, to that
drive if you so wish. You could also use that second drive as the whole
/var partition, just edit your fstab correctly and you should be good to
go after un-mounting and re-mounting the new partition. ( this is probably
best achieved by a reboot for the inexperienced user, since nasty things
can happen to the unwary )

For what it's worth, the defaults used when partitioning a drive in the
FreeBSD install are meant as a guide and should not be relied on for
special applications, as one of the replies below mentioned.

> Today's Topics:
> 
>    1. Free Inodes (Dan Mahoney, System Admin)
>    3. Re: Free Inodes (Jason)
>    4. Re: Free Inodes (J-H Johansen)
>    8. Re: Free Inodes (Dan Mahoney, System Admin)
>    9. Re: Free Inodes (Matt Kettler)
> 
> --__--__--
> 
> Message: 1
> Date: Wed, 8 Jun 2005 00:39:16 -0400 (EDT)
> From: "Dan Mahoney, System Admin" <danm at ...6608...>
> To: Snort Mailing List <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Free Inodes
> 
> I know the whole "I'm running out of inodes" thing is in the FAQ.
> 
> What I don't understand is why a potentially large directory is put in 
> what is one of the typically smallest directories.
> 
> How can I change this directory?  Under FreeBSD I've tried a symlink from 
> /usr/local/var/log/snort to /var/log/snort but it looks like that's blown 
> away and replaced by a real directory at snort startup.
> 
> I'm less thrilled by the idea of moving all of /var/log under /usr to fix 
> this.
> 
> Is there a config file I can tweak to handle this?
> 
> Also, I figure I can clean out the directory with a periodic cron tab 
> (every five minutes)
> 
> find / -atime +1h -delete
> 
> Will this break things?
> 
> -Dan
> 
> --__--__--
> 
> Message: 3
> Date: Wed, 08 Jun 2005 01:32:06 -0400
> From: Jason <security at ...5028...>
> To: "Dan Mahoney, System Admin" <danm at ...6608...>
> CC: Snort Mailing List <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Free Inodes
> 
> 
> 
> Dan Mahoney, System Admin wrote:
> > I know the whole "I'm running out of inodes" thing is in the FAQ.
> > 
> > What I don't understand is why a potentially large directory is put in 
> > what is one of the typically smallest directories.
> 
> I'm confused by this statement. Why wouldn't the logs be placed under 
> /var/log?
> 
> > 
> > How can I change this directory?  Under FreeBSD I've tried a symlink 
> > from /usr/local/var/log/snort to /var/log/snort but it looks like that's 
> > blown away and replaced by a real directory at snort startup.
> > 
> > I'm less thrilled by the idea of moving all of /var/log under /usr to 
> > fix this.
> > 
> > Is there a config file I can tweak to handle this?
> 
> http://www.snort.org/docs/snort_htmanuals/htmanual_233/node10.html
> 
> > 
> > Also, I figure I can clean out the directory with a periodic cron tab 
> > (every five minutes)
> > 
> > find / -atime +1h -delete
> > 
> > Will this break things?
> 
> no
> 
> > 
> > -Dan
> > 
> --__--__--
> 
> Message: 4
> Date: Wed, 8 Jun 2005 13:45:42 +0200
> From: J-H Johansen <ondemannen at ...11827...>
> Reply-To: J-H Johansen <ondemannen at ...11827...>
> To: "Dan Mahoney, System Admin" <danm at ...6608...>
> Subject: Re: [Snort-users] Free Inodes
> Cc: Snort Mailing List <snort-users at lists.sourceforge.net>
> 
> >
> > find / -atime +1h -delete
> >
> > Will this break things?
> 
> Well, that depends if you're root or not.
> 
> Just to make sure you don't delete something you'd rather not delete.
> I'd opt for the following (although I don't have the delete argument
> on my Solaris, so I pipe it to xargs rm -f)
> 
> find /path/to/dir -atime +1h -name file-name.to_lookfor\* -delete
> 
> 
> -- 
> J-H Johansen
> 
> --__--__--
> 
> 
> Message: 8
> Date: Wed, 8 Jun 2005 11:13:52 -0400 (EDT)
> From: "Dan Mahoney, System Admin" <danm at ...6608...>
> To: Jason <security at ...5028...>
> cc: Snort Mailing List <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Free Inodes
> 
> On Wed, 8 Jun 2005, Jason wrote:
> 
> >
> >
> > Dan Mahoney, System Admin wrote:
> >> I know the whole "I'm running out of inodes" thing is in the FAQ.
> >> 
> >> What I don't understand is why a potentially large directory is put in what 
> >> is one of the typically smallest directories.
> >
> > I'm confused by this statement. Why wouldn't the logs be placed under 
> > /var/log?
> 
> Just to clarify, because under most systems with a separate /var 
> partition (the BSD default install included), this directory is on the 
> smaller size, and has an inode count to match.
> 
> -Dan
> 
> 
> >
> >> 
> >> How can I change this directory?  Under FreeBSD I've tried a symlink from 
> >> /usr/local/var/log/snort to /var/log/snort but it looks like that's blown 
> >> away and replaced by a real directory at snort startup.
> >> 
> >> I'm less thrilled by the idea of moving all of /var/log under /usr to fix 
> >> this.
> >> 
> >> Is there a config file I can tweak to handle this?
> >
> > http://www.snort.org/docs/snort_htmanuals/htmanual_233/node10.html
> >
> >> 
> >> Also, I figure I can clean out the directory with a periodic cron tab 
> >> (every five minutes)
> >> 
> >> find / -atime +1h -delete
> >> 
> >> Will this break things?
> >
> > no
> >
> >> 
> >> -Dan
> >> 
> >> -- 
> >> 
> >> "A single death is a tragedy.  A million deaths is a statistic."
> >> 
> >> -Josef Stalin, As quoted on the cover to Savatage's "Dead Winter Dead"
> >> 
> 
> --__--__--
> 
> Message: 9
> Date: Wed, 08 Jun 2005 11:56:45 -0400
> From: Matt Kettler <mkettler at ...4108...>
> To: "Dan Mahoney, System Admin" <danm at ...6608...>
> CC: Snort Mailing List <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Free Inodes
> 
> Dan Mahoney, System Admin wrote:
> > On Wed, 8 Jun 2005, Jason wrote:
> > 
> >>
> >>
> >> Dan Mahoney, System Admin wrote:
> >>
> >>> I know the whole "I'm running out of inodes" thing is in the FAQ.
> >>>
> >>> What I don't understand is why a potentially large directory is put
> >>> in what is one of the typically smallest directories.
> >>
> >>
> >> I'm confused by this statement. Why wouldn't the logs be placed under
> >> /var/log?
> > 
> > 
> > Just to clarify, because under most systems with a separate /var
> > partition (the BSD default install included), this directory is on the
> > smaller size, and has an inode count to match.
> > 
> 
> And IMHO, such setups make for good workstations, are tolerable as servers, but
> make really lousy firewalls, mailservers, or IDS boxes. (I usually find that I
> want a bit more /var/log space on my servers than default setups do)
> 
> The default partition setup in most OS distributions tries to split a balance,
> but it's not appropriate for all situations. Most of these default setups have
> large /home and /usr partitions too. That's fine for a multi-user personal
> webpage server or workstation, but is useless on a dedicated DNS server.
> 
> When setting up a box, treat the default partitions as a baseline, but consider
> the usage of the box.
> 
> Is the box going to have local users? If not, drop the size of /home (unless
> your chroot jails live there).
> 
> Is the box going to run a busy server that will log a lot? If so, increase /var.
> 
> Is it going to be a mailserver (smtp and pop/imap)? If so, increase /var
> significantly for spool and mqueue space.
> 
> Is it going to have a lot of applications installed (ie: workstation)? If so,
> increase /usr. If it's going to be a dedicated box you can probably cut back
> /usr a bit from the default, but keep it reasonably large.
> 
> As an example, look at this mail/dns server. It's a no-logins box (other than
> sysadmins) so /var is twice the size of /home:
> 
> Filesystem           1K-blocks      Used Available Use% Mounted on
> /dev/sda6              7060276   1155440   5546188  18% /
> /dev/sda1               101089     13293     82577  14% /boot
> /dev/sda5              5036284     50452   4730000   2% /var/chroot
> /dev/sda7              4538124    338744   3968852   8% /home
> /dev/sda8              1510032     32892   1400432   3% /tmp
> /dev/sda2             10080520   1361044   8207408  15% /usr
> /dev/sda3              9068648    489652   8118336   6% /var
> 
> And note that the use percentages here are fairly even. A default install would
> have a really small /var, maybe 1gb, and it would be 50% used. /home would be
> 10gb, and about 4% used. Clearly that space allocation would not be well suited
> to what the box is used for.
> 
> Is that my MTA's fault? No. Mail spools belong in /var and take up a lot of
> space. Partition appropriately.
> 

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!
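The thread turns on three practical steps: finding out which filesystem is short on inodes (df, as the first message says), finding out which directories are holding the small files, and pruning only the intended files instead of running `find / -atime +1h -delete`. The script below is an added example, not code from anyone in the thread. The `df -i` table is a constructed sample in the column layout GNU df prints (FreeBSD's `df -i` appends the inode columns to its normal output, so adjust the field numbers there); the function names are mine. It uses `-mtime` in days rather than `-atime +1h`, because a log file's modification time is what rotation cares about and the `+1h` unit suffix is a FreeBSD extension that POSIX and GNU find do not accept.

```shell
#!/bin/sh
# Added example for inode-exhaustion triage; not part of the mailing-list thread.

# Constructed sample of GNU `df -i` output (not a real host). A live run would
# pipe the real command: df -i | inodes_over_threshold 90
SAMPLE_DF_I='Filesystem       Inodes   IUsed    IFree IUse% Mounted on
/dev/ada0s1a     262142   31210   230932   12% /
/dev/ada0s1d    1310718 1302001     8717   99% /var
/dev/ada0s1f   10485758  401233 10084525    4% /usr'

# Print mount points whose inode usage is at or above THRESHOLD percent.
# Reads a `df -i` table on stdin; skips the header line.
inodes_over_threshold() {
    threshold="$1"
    awk -v t="$threshold" 'NR > 1 { sub(/%/, "", $5); if ($5 + 0 >= t) print $6 }'
}

# Count regular files per directory below ROOT, staying on one filesystem
# (-xdev), most files first. This is the "look around in /var" step.
# Usage: top_dirs_by_file_count /var 10
top_dirs_by_file_count() {
    root="$1"; limit="${2:-10}"
    find "$root" -xdev -type f 2>/dev/null |
        sed 's,/[^/]*$,,' |            # drop the file name, keep its directory
        sort | uniq -c | sort -rn | head -n "$limit"
}

# List files matching PATTERN under DIR older than DAYS days; delete them only
# when DO_DELETE=1. Scoped to one directory and one name pattern, and refuses
# "/" or any top-level directory, so a typo cannot become `find / -delete`.
# Usage: prune_old_logs /var/log/snort 'snort.log.*' 1
prune_old_logs() {
    dir="$1"; pattern="$2"; days="$3"
    case "$dir" in
        /*/*) ;;                        # absolute path with at least two components
        *) echo "refusing to prune '$dir': not a nested absolute path" >&2; return 1 ;;
    esac
    if [ "${DO_DELETE:-0}" = 1 ]; then
        find "$dir" -xdev -type f -name "$pattern" -mtime +"$days" -exec rm -f {} +
    else
        find "$dir" -xdev -type f -name "$pattern" -mtime +"$days" -print
    fi
}

# Stand-alone demo on the constructed table: prints "/var".
printf '%s\n' "$SAMPLE_DF_I" | inodes_over_threshold 90
```

Run `prune_old_logs` without `DO_DELETE=1` first and read the candidate list; the dry run is the default precisely because the original one-liner had no such step. The 99% line in the sample is the situation the thread describes: a filesystem with free blocks but almost no free inodes.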



