On Wed, Nov 19, 2003 at 11:55:40AM +0100, Thomas Vgtle wrote:
Jason Haar wrote:
One problem with this feature is that it can only work if the last 137 syslog events to occur were the same event. We run a large centralized syslog server environment, with lots of syslog clients, and as such this
OK, but if you run syslog-ng locally, and only logging local logs, then it is easy to fill the hard disk with logger. With a good flood protection it is more difficult.
I cannot be 100% certain, but I am reasonably certain that syslog-ng does not have this compression of the logs. One could use swatch (or other log monitoring/reduction tools) to do this on the fly. Or an ultra lazy (though not as effective) way would be to log via pipes only and run gzip or bzip2 from the pipes to the disk.

Honestly though, the point above about multiple log lines applies just as well to the local machine. *Most* things log more than one line repetitively; syslogd doesn't handle this either. Log reduction programs are about the only thing that will. The upshot is that while they are reducing your logs, they could also page/email you to inform you that there is a problem.

-----------------------------------------------------------------------
 __o        Bradley Arlt             Security Team Lead
 _ \<_      arlt@cpsc.ucalgary.ca    University Of Calgary
(_)/(_)     Joyously Canadian        Computer Science
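The difference between adjacent-only repeat compression and a log reduction pass, shown as an added example that is not part of the thread or of any tool named in it. The sample lines, host names and function names are constructed for illustration, and `consecutive_runs` is a simplified model, not syslogd's code.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread): two clients interleave
# the same event on a central server, so few adjacent lines are identical.
SAMPLE = [
    "Nov 19 11:55:01 web1 sshd[411]: Failed password for root from 192.0.2.7",
    "Nov 19 11:55:01 web2 sshd[902]: Failed password for root from 192.0.2.7",
    "Nov 19 11:55:02 web1 sshd[412]: Failed password for root from 192.0.2.7",
    "Nov 19 11:55:02 web2 sshd[903]: Failed password for root from 192.0.2.7",
    "Nov 19 11:55:03 web1 sshd[413]: Failed password for root from 192.0.2.7",
    "Nov 19 11:55:03 web1 sshd[413]: Failed password for root from 192.0.2.7",
    "Nov 19 11:55:04 web2 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    """Return (host, program, message), dropping the timestamp and PID."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog style line: %r" % line)
    return m.groups()

def consecutive_runs(lines):
    """Simplified model: merge an event only into an identical previous one."""
    runs = []
    for key in map(parse, lines):
        if runs and runs[-1][0] == key:
            runs[-1][1] += 1
        else:
            runs.append([key, 1])
    return [(key, n) for key, n in runs]

def reduce_log(lines, alert_at=3):
    """Count events regardless of interleaving; return (summary, alerts)."""
    counts = Counter(map(parse, lines))
    summary = ["%s %s: %s (x%d)" % (h, p, msg, n)
               for (h, p, msg), n in counts.items()]
    alerts = [key for key, n in counts.items() if n >= alert_at]
    return summary, alerts

if __name__ == "__main__":
    print(len(SAMPLE), "lines ->", len(consecutive_runs(SAMPLE)), "adjacent-only runs")
    summary, alerts = reduce_log(SAMPLE)
    print("\n".join(summary))
    print("alert on:", alerts)
```

The `alerts` list is where a page or e-mail hook would attach; the threshold of 3 is an arbitrary value chosen for the sample.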