<div dir="ltr">I don't believe that syslog-ng can do that, but I use SEC (Simple Event Correlator) for that purpose.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, May 22, 2014 at 10:55 AM, Evade Flow <span dir="ltr">&lt;<a href="mailto:evadeflow@gmail.com" target="_blank">evadeflow@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>I'm trying to clean up the ad hoc logging in a collection of applications started on an embedded device using the daemon utility. Example:<br>
<br> /usr/bin/daemon --name=myapp --output=user.debug --chdir=/MyApp -- /MyApp/bin/myapp<br>
<br></div>There are 10 different applications started this way, written by different individuals/teams, and our syslog-ng.conf file currently looks something like this:<br><br>@version:3.3.6<br>source s_local { system(); internal(); };<br>
destination d_localfile { file("/var/log/messages" suppress(30)); };<br>log { source(s_local); destination(d_localfile); };<br><br></div>Because the --output=user.debug option to the daemon utility will cause the applications' stdout/stderr to be redirected to syslog, I'm a little worried about 'rogue' printf()'s filling up the logs with stuff like:<br>
<br>Jan 1 00:00:54 (none) myapp: Battery voltage is 11.07 volts<br>Jan 1 00:00:54 (none) myapp: Battery voltage is 11.10 volts<br>Jan 1 00:00:54 (none) myapp: Battery voltage is 11.07 volts<br>Jan 1 00:00:54 (none) myapp: Battery voltage is 11.14 volts<br>
Jan 1 00:00:54 (none) myapp: Battery voltage is 11.13 volts<br>Jan 1 00:00:55 (none) myapp: Battery voltage is 11.09 volts<br>Jan 1 00:00:55 (none) myapp: Battery voltage is 11.14 volts<br>...<br><br></div><div>Does syslog-ng support suppression of almost-but-not-quite identical messages? It would be nice to see something like this in the logs:<br>
<br>Jan 1 00:55:11 myapp: Battery voltage is 11.07 volts<br>Jan 1 00:55:14 myapp: Last message 'Battery voltage is 1' repeated with nearly identical content 418 times, suppressed by syslog-ng on flahblargle<br>
<br>
</div><div>A few of my colleagues have suggested that this is probably more trouble than it's worth, and we should just fix the spammy app(s) rather than try to 'outsmart' them. And I think I agree with them, but... it was my idea to move to syslog-ng, so there'll be a bit more egg on my face than theirs if we accidentally allow a rogue printf() in a hot loop somewhere to escape into production. `:-}<br>
<br></div><div>Any advice/insight much appreciated, thanks!<br></div></div>
<br></blockquote></div><br></div>
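An added example, not part of the original thread and not SEC or syslog-ng code: a Python filter for the near-identical suppression asked about above, which masks numeric fields so that messages differing only in their numbers collapse into one run. The 30-second window, the `<n>` placeholder, the fixed year and the "Charger connected" line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Classic syslog line: "Mon D HH:MM:SS host program: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(\S+)\s([^:\s]+):\s(.*)$")
NUMBER = re.compile(r"\d+(?:\.\d+)?")
YEAR = 2014  # assumption: syslog timestamps carry no year, so one is supplied

def suppress_similar(lines, window_seconds=30):
    """Keep the first message of each run; fold near-identical followers into a count."""
    out, run = [], None  # run = [key, window_start, last_timestamp_text, repeats]

    def flush():
        if run and run[3]:
            host, prog, _ = run[0]
            out.append(f"{run[2]} {host} {prog}: last message repeated with "
                       f"nearly identical content {run[3]} times")

    for line in lines:
        m = LINE.match(line)
        if not m:  # unparsable lines pass through and end the current run
            flush()
            run = None
            out.append(line)
            continue
        ts_text, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
        # Messages that differ only in their numbers share one template key.
        key = (host, prog, NUMBER.sub("<n>", msg))
        if run and run[0] == key and ts - run[1] <= timedelta(seconds=window_seconds):
            run[2], run[3] = ts_text, run[3] + 1
            continue
        flush()  # template changed or window expired: report, then start a new run
        run = [key, ts, ts_text, 0]
        out.append(line)
    flush()
    return out

# Battery lines are taken from the question; "Charger connected" is constructed.
SAMPLE = [
    "Jan 1 00:00:54 (none) myapp: Battery voltage is 11.07 volts",
    "Jan 1 00:00:54 (none) myapp: Battery voltage is 11.10 volts",
    "Jan 1 00:00:54 (none) myapp: Battery voltage is 11.07 volts",
    "Jan 1 00:00:55 (none) myapp: Battery voltage is 11.09 volts",
    "Jan 1 00:00:56 (none) myapp: Charger connected",
    "Jan 1 00:00:57 (none) myapp: Battery voltage is 11.14 volts",
]

if __name__ == "__main__":
    print("\n".join(suppress_similar(SAMPLE)))
```

Because a run restarts once the window expires, a sample of the repeating message still reaches the log every `window_seconds`, and any message with a different template is written in full.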