At 18:02 2004-10-30 -0500, Gerald V. Livingston II did say:
[I previously said:]
> This is, JFTR, MTA-only logging, so SA crap.
BTW, that was supposed to say "no SA crap."
Mail server logs here run from 75M to 130M daily. This is SMTP *only* (it's
a <sigh> Windows IMail server) -- all POP and other logging for the server
is turned off.
The spam filter logs (Declude JunkMail) run another 80M to 140M daily.
BTW, the SMTP-time tempfail approach is making a comeback, this time in the
form of a sendmail milter:
<http://hcpnet.free.fr/milter-greylist/README>
This approach involves a LOT less CPU time, and in the case of initial
rejects, considerably less bandwidth. I haven't started using it, since
the host I'd most likely run those experiments on happens to be a relay MX
for someone, and my test host is presently out in a non-networked work area
since I've recently moved to new digs and I'll be building the new office
and laying cable in the springtime.
I'm putting together another machine to start logging using a syslog daemon
again. That's what I was doing on the old system with smaller drives. Used
a syslogd on a separate computer to save logs to a dedicated (old) 10G
drive. It runs internal network bandwidth way up but relieves the beating
the mail server drives are already taking while processing that much mail.
One solution to internal network bandwidth issues: install a second NIC in
the machines, and run that on a separate network (incl. private IP space),
so the syslog data is physically segregated.
BTW, remote syslogging has another significant benefit: the syslog host can
be stripped down to virtually no services and heavily firewalled (for
instance, allowing only traffic from local hosts, which is easy enough if
it's on a private IP space and itself isn't even physically connected to
the internet). If a logged host is compromised, the attacker cannot
successfully _EDIT_ the logfiles, since the events already emitted to the
syslog have already been emitted to that other host.
(On a similar basis, remote weblogging allows for a consolidated log when
dealing with a server farm, but that's way OT here).
[snip - your hardware purchased very similarly mirrored my own back when -
I quickly got over the QIC drives, as their data retention _sucked_, and
much of the hardware I started with I'd piecemealed in exchange for
contract work - I've still got five USR Courier D/S V.* modems here, though
I don't use 'em]
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
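
The tamper-evidence point in the message above (a compromised host cannot edit events the syslog host has already received), as an added example that is not part of the original post: a Python check that compares the collector's copy with the logged host's local file. It assumes both files use the same line format; the function names and the sample log lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the original post): what the collector received.
COLLECTOR = """\
Oct 30 18:01:12 mx1 sendmail[2101]: i9UN1C: from=<a@example.org>, relay=[192.0.2.10]
Oct 30 18:03:40 mx1 sshd[2330]: Accepted password for root from 203.0.113.7 port 4312
Oct 30 18:04:02 mx1 su[2341]: (to root) admin on pts/1
Oct 30 18:05:19 mx1 sendmail[2350]: i9UN5J: from=<b@example.org>, relay=[192.0.2.11]
"""
# Constructed local file on the logged host after tampering: the sshd line was
# edited, the su line deleted, and one line never reached the collector.
LOCAL = """\
Oct 30 18:01:12 mx1 sendmail[2101]: i9UN1C: from=<a@example.org>, relay=[192.0.2.10]
Oct 30 18:03:40 mx1 sshd[2330]: Accepted password for root from 192.0.2.50 port 4312
Oct 30 18:05:19 mx1 sendmail[2350]: i9UN5J: from=<b@example.org>, relay=[192.0.2.11]
Oct 30 18:06:00 mx1 sendmail[2360]: i9UN60: from=<c@example.org>, relay=[192.0.2.12]
"""

def _lines(text):
    return [l.rstrip() for l in text.splitlines() if l.strip()]

def only_in(a, b):
    """Lines of a with no matching line in b (multiset difference, order kept)."""
    remaining = Counter(b)
    out = []
    for line in a:
        if remaining[line] > 0:
            remaining[line] -= 1   # matched: consume one occurrence
        else:
            out.append(line)
    return out

def audit(collector_text, local_text):
    collector, local = _lines(collector_text), _lines(local_text)
    return {
        # Received by the collector but gone or altered locally: tampering signal.
        "missing_locally": only_in(collector, local),
        # Present locally but never received: transport loss, or a line
        # rewritten or inserted after the fact. Needs a human look.
        "unseen_by_collector": only_in(local, collector),
    }

if __name__ == "__main__":
    for kind, lines in audit(COLLECTOR, LOCAL).items():
        for line in lines:
            print(f"{kind}: {line}")
```

An edited line appears in both lists (the original under `missing_locally`, the rewritten form under `unseen_by_collector`), while a line lost in transit appears only in the second.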