In my never-ending quest for "the thing that keeps accessing my disk", I finally did the obvious thing and looked at /var/log. That gave me quite a shock! Some of the log files were filled with endless repeats of the same things: junk from NetworkManager and broadcast packets blocked by iptables. This might explain the regular disk accesses, but it certainly makes the log files unreadable and therefore useless.
Configuring syslog-ng (edit /etc/syslog-ng.conf) isn't difficult, but the documentation (man syslog-ng.conf) leaves a lot to be desired.
To filter out the NetworkManager junk, I added this line:
filter f_nm { not program("NetworkManager"); };
Then I added this filter to the log files in which the junk appears, for example:
log { source(src); filter(f_messages); filter(f_nm); destination(messages); };
I also disabled the (huge) log file "everything" completely by putting a # in front of its "log" line.
To filter out the iptables blocked broadcast stuff, I added this filter:
filter f_router { not match("ma:ca:dd:re:ss:of:ro:ut:er"); };
But it doesn't work. Because the patterns are regular expressions, I guess it needs backslashes before the colons. But I don't know, because the type of regular expression that is used isn't specified anywhere. I'll just try it and see what happens.
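Added example (not code from the original tip): before touching syslog-ng, it is worth checking what these filters keep and drop against a handful of log lines. The Python script below does that. It parses constructed syslog lines (the host name "box", the router MAC 00:11:22:33:44:55, the IP addresses and all message text are invented for the example), applies the same conditions the two filters express, program() on the program name and match() on the message text, and reports whether the MAC address contains any regular-expression metacharacters at all. It also tries a third, narrower filter, f_broadcast, which is my own assumption about the iptables LOG format (the MAC= field begins with the destination address, so Ethernet broadcasts start with ff:ff:ff:ff:ff:ff); it drops only the broadcasts instead of every packet that mentions the router.

```python
import re

# Constructed sample lines in classic syslog format (invented for this example;
# host name, MAC and IP addresses are placeholders, not taken from the tip).
SAMPLE_LOG = [
    "Mar  3 10:01:12 box NetworkManager: <info>  Activation (eth0) Stage 1 of 5 scheduled...",
    "Mar  3 10:01:13 box kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=192.168.1.255 PROTO=UDP DPT=67",
    "Mar  3 10:01:14 box sshd[2345]: Accepted publickey for alice from 192.168.1.20 port 51234 ssh2",
    "Mar  3 10:01:15 box NetworkManager: <info>  DHCP: device eth0 state changed preinit -> bound",
    "Mar  3 10:01:16 box kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=192.168.1.255 PROTO=UDP DPT=138",
    "Mar  3 10:01:17 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/log/messages",
]

ROUTER_MAC = "00:11:22:33:44:55"   # hypothetical router address

# "Mon DD HH:MM:SS host program[pid]: message" -- program and message are the
# parts that syslog-ng's program() and match() look at, respectively.
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "
    r"(?P<program>[^\s:\[]+)(?:\[\d+\])?: ?(?P<message>.*)$"
)

# Characters that carry special meaning in POSIX/PCRE regular expressions.
# Note that ':' is not among them.
REGEX_META = set(r".^$*+?{}[]\|()")


def parse_line(line):
    """Split one syslog line into (program, message); raise on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("program"), m.group("message")


def needs_regex_escaping(literal):
    """True if a literal string would change meaning when used as a regex."""
    return bool(REGEX_META & set(literal))


def f_nm(program, message):
    """Equivalent of: filter f_nm { not program("NetworkManager"); };"""
    return program != "NetworkManager"


def f_router(program, message):
    """Equivalent of: filter f_router { not match("00:11:22:33:44:55"); };
    The MAC is used unescaped: colons have no regex meaning."""
    return re.search(ROUTER_MAC, message) is None


def f_broadcast(program, message):
    """Narrower alternative (assumption about the iptables LOG format: the MAC=
    field starts with the destination address, so broadcasts begin with
    ff:ff:ff:ff:ff:ff). Drops only broadcasts, not everything from the router."""
    return re.search(r"\bMAC=ff:ff:ff:ff:ff:ff:", message) is None


def apply_filters(lines, filters):
    """Return the lines that pass every filter, like a syslog-ng log{} path
    with several filter() statements (which are ANDed together)."""
    kept = []
    for line in lines:
        program, message = parse_line(line)
        if all(f(program, message) for f in filters):
            kept.append(line)
    return kept


if __name__ == "__main__":
    print("MAC needs regex escaping:", needs_regex_escaping(ROUTER_MAC))
    print("--- kept by f_nm + f_router ---")
    for line in apply_filters(SAMPLE_LOG, [f_nm, f_router]):
        print(line)
    print("--- kept by f_nm + f_broadcast ---")
    for line in apply_filters(SAMPLE_LOG, [f_nm, f_broadcast]):
        print(line)
```

Run as-is it reports that the MAC needs no escaping and leaves only the sshd and sudo lines under either pair of filters; the difference between f_router and f_broadcast only shows up once the router sends something that is not a broadcast. One caveat: a filter like this discards the lines for good. Since syslog-ng lets a log{} statement send the output of any filter to its own destination(), the noise can just as well be routed to a separate file instead, which keeps the evidence for later without cluttering the "messages" log.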
Tip to be continued!

Why do you log blocked
Why do you log blocked broadcasts anyway? If you cannot avoid having broadcasts on your network and don't want to receive them, just block and ignore them. I don't think a broadcast is important enough to be logged; there are other things that deserve much more attention than that.