[Box-Admins] The story from the log files
Chris Cunnington
smalltalktelevision at gmail.com
Thu Oct 25 17:04:25 UTC 2012
On 2012-10-25 12:50 PM, Levente Uzonyi wrote:
> On Thu, 25 Oct 2012, Chris Cunnington wrote:
>
>> OK, I made some changes. We now have a stanza that looks like this.
>> [1] I played with the <Proxy></Proxy> directive a bit. The result was
>> to have requests return as 404. With the RewriteRule they all return
>> 403. [2] Our log file is growing at about ~20M an hour. There are
>> LogFormat directives in apache2.conf, but no CustomLog directory. It
>> has rolled over onto another file once in the past (i.e.
>> other_vhosts_access.log.1 from other_vhosts_access.log), but I'm not
>> sure from where.
>>
>> I take it that with the 403 requests shown in the log [2] that the
>> pressure is off the Jenkins server but not off our logging apparatus.
>> I think it is clear that the apache2.conf file we received is shorter
>> than usual, shorter than the httpd.conf I'm used to in CentOS. And
>> that with the high amount of traffic we are experiencing, we seem to
>> be in a shipping lane.
>
> I don't know how it is done on CentOS, but on Debian/Ubuntu the apache
> configuration file is split up into several parts (separate
> files/directories). The apache.conf only has server specific settings
> and shouldn't include anything else. Each site has its own config
> file (in /etc/apache2/sites-available/) and optionally log files
> (usually in /var/log/apache2/). The config should include the
> following lines for separate log files:
>
> CustomLog ${APACHE_LOG_DIR}/jenkins-access.log combined
> ErrorLog ${APACHE_LOG_DIR}/jenkins-error.log
>
> Log files are rotated via logrotate, once a day by default.
Several files instead of one big file. OK. The /sites-available/default
does have a CustomLog directive.
>
> I doubt logging is a bottleneck, but using a separate log file is
> useful. It would be good to check the error.log to see if apache is
> low on resources (or not). Also "top -d 1" can give you hints about
> what's eating up CPU/memory, or what's waiting for the disk for too long.
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15277 lewis 20 0 1028m 89m 1300 R 2.0 8.9 18:15.60 squeakvm
1 root 20 0 2032 652 556 S 0.0 0.1 0:15.83 init
lewis 15277 2.1 8.8 1053112 91572 pts/0 S 04:40 18:15
/usr/local/lib/squeak/4.10.5-2619/squeakvm -nodisplay
/home/lewis/VMUnixBuild/Squeak4.3.image
/home/lewis/VMUnixBuild/VMUnixBuild.st
That is consistently at the top of top -d 1. This VPS has 1G of RAM.
>
> It would also be good to reconfigure jenkins to listen on only the
> local interface (see the link in my previous mail) and add a firewall
> to the server. When I set up a server, I never leave ssh on port 22,
> but move it to a random port and drop all packets which are not
> intended to be received via iptables. This reduces the number of
> attack attempts to almost 0.
>
These are good ideas and greater system administration ideas. But for
today, I think the greater issue of Jenkins has been addressed. (As in,
I need a bit of a break.)
> Since I didn't find any easy-to-use firewall script, I wrote
> my own init.d script for that. If there's interest in it, then I can
> make it available for download.
>
Yes. I would like to see that, please.
Chris
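
An added example, not part of the original thread and not either poster's own tooling: one way to measure, from an access log in the `combined` format named in the CustomLog line above, how much of the log volume comes from requests already refused with 403 and which clients send them. The sample lines are constructed (documentation address ranges), and the function names are assumptions of this sketch.

```python
import re
from collections import Counter

# Apache "combined": %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
# Quoted fields may contain \" because Apache escapes quotes when logging.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-) '
    + QUOTED + ' ' + QUOTED + r'$'
)

# Constructed sample lines (documentation address ranges, not the real log).
SAMPLE = r'''192.0.2.10 - - [25/Oct/2012:16:01:02 +0000] "GET / HTTP/1.1" 403 498 "-" "Mozilla/4.0"
192.0.2.10 - - [25/Oct/2012:16:01:02 +0000] "GET /job/x HTTP/1.1" 403 498 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Oct/2012:16:01:03 +0000] "GET / HTTP/1.1" 403 498 "-" "scan\"ner/1.0"
203.0.113.5 - - [25/Oct/2012:16:01:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
truncated line without the expected fields'''


def summarize(lines):
    """Count requests and log bytes per status, and 403s per client."""
    by_status, log_bytes, denied, unparsed = Counter(), Counter(), Counter(), []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = COMBINED.match(line)
        if m is None:
            unparsed.append(line)      # keep odd lines for manual review
            continue
        host, status = m.group(1), m.group(4)
        by_status[status] += 1
        log_bytes[status] += len(line.encode("utf-8")) + 1  # +1 for newline
        if status == "403":
            denied[host] += 1
    return by_status, log_bytes, denied, unparsed


def denied_share(log_bytes):
    """Fraction of parsed log volume produced by 403 responses."""
    total = sum(log_bytes.values())
    return log_bytes["403"] / total if total else 0.0


if __name__ == "__main__":
    by_status, log_bytes, denied, unparsed = summarize(SAMPLE.splitlines())
    print("requests per status:", dict(by_status))
    print("share of log bytes from 403s: %.0f%%" % (100 * denied_share(log_bytes)))
    print("top refused clients:", denied.most_common(3))
    print("unparsed lines:", len(unparsed))
```

To run it over a real log, pass the open file object to `summarize` in place of `SAMPLE.splitlines()`.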