Hello, we are using syslog-ng on our servers and we are quite satisfied with it. But there is still one question open for me: is there any kind of flood protection like the old syslog has? One stupid program got mad and flooded our logs until the hard disk was full. I want to have the same as that:

Nov 18 15:58:56 tv2 user: allwaysthesame
Nov 18 15:58:56 tv2 last message repeated 137 times

No way to configure this behaviour? Thanks, Thomas
On Wed, 2003-11-19 at 04:02, Thomas Vögtle wrote:
I want to have the same as that:

Nov 18 15:58:56 tv2 user: allwaysthesame
Nov 18 15:58:56 tv2 last message repeated 137 times
One problem with this feature is that it can only work if the last 137 syslog events to occur were the same event. We run a large centralized syslog server environment, with lots of syslog clients, and as such this sort of limiting feature never really gets to work, as it's quite rare for one event to occur record after record without some other client squirting in a new record. Oh well...

Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Jason Haar wrote:
One problem with this feature is that it can only work if the last 137 syslog events to occur were the same event. We run a large centralized syslog server environment, with lots of syslog clients, and as such this sort of limiting feature never really gets to work, as it's quite rare for one event to occur record after record without some other client squirting in a new record.
OK, but if you run syslog-ng locally, and only log local logs, then it is easy to fill the hard disk with logger. With a good flood protection it is more difficult. Greetings
On Wed, Nov 19, 2003 at 11:55:40AM +0100, Thomas Vögtle wrote:
Jason Haar wrote:
One problem with this feature is that it can only work if the last 137 syslog events to occur were the same event. We run a large centralized syslog server environment, with lots of syslog clients, and as such this
OK, but if you run syslog-ng locally, and only log local logs, then it is easy to fill the hard disk with logger. With a good flood protection it is more difficult.
I cannot be 100% certain, but I am reasonably certain that syslog-ng does not have this compression of the logs. One could use swatch (or other log monitoring/reduction tools) to do this on the fly. Or an ultra lazy (though not as effective) way would be to log via pipes only and run gzip or bzip2 from the pipes to the disk. Honestly though, the point above about multiple log lines applies just as well to the local machine. *Most* things log more than one line repetitively; syslogd doesn't handle this either. Log reduction programs are about the only thing that will. The upshot is that while they are reducing your logs they could also page/email you to inform you that there is a problem.

-----------------------------------------------------------------------
   __o          Bradley Arlt                     Security Team Lead
 _ \<_          arlt@cpsc.ucalgary.ca            University Of Calgary
(_)/(_)         Joyously Canadian                Computer Science
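To make the behaviour under discussion concrete, here is an added example (written for this page, not code from the thread, from syslogd or from syslog-ng) that simulates the classic "last message repeated N times" collapsing Thomas asks for, and then shows the limitation Jason describes: the old scheme only compares each record with the one immediately before it, so on a central server where other clients' records interleave, the run never forms and nothing is collapsed. A second, per-source-host variant is included to show what the feature would have to look like to survive interleaving. The log lines are constructed for the example; the parser assumes the traditional "Mon DD HH:MM:SS host text" layout shown in the thread.

```python
"""Consecutive-duplicate suppression in the style of old BSD syslogd.

Added example for the thread; not syslogd or syslog-ng code.
All sample log lines below are constructed.
"""

REPEAT_FMT = "{stamp} {host} last message repeated {n} times"


def parse_line(line):
    """Split 'Mon DD HH:MM:SS host text' into (stamp, host, text)."""
    parts = line.split(None, 4)
    if len(parts) < 5:
        raise ValueError(f"not a syslog line: {line!r}")
    return " ".join(parts[:3]), parts[3], parts[4]


class RepeatSuppressor:
    """Old-syslogd style: a record is collapsed only if it is identical
    (same host and text) to the *immediately preceding* record."""

    def __init__(self):
        self.last_key = None      # (host, text) of the previous record
        self.last_stamp = None
        self.repeats = 0
        self.out = []

    def _flush(self):
        if self.repeats:
            self.out.append(REPEAT_FMT.format(
                stamp=self.last_stamp, host=self.last_key[0], n=self.repeats))
            self.repeats = 0

    def feed(self, stamp, host, text):
        if (host, text) == self.last_key:
            self.repeats += 1          # extend the current run
            self.last_stamp = stamp
            return
        self._flush()                  # run broken: report it, then emit new line
        self.last_key, self.last_stamp = (host, text), stamp
        self.out.append(f"{stamp} {host} {text}")

    def close(self):
        self._flush()
        return self.out


class PerHostSuppressor:
    """Same idea, but one run counter per source host, so records from
    other clients interleaving on a central server do not break a run."""

    def __init__(self):
        self.state = {}   # host -> [text, last stamp, repeats]
        self.out = []

    def _flush(self, host):
        st = self.state.get(host)
        if st and st[2]:
            self.out.append(REPEAT_FMT.format(stamp=st[1], host=host, n=st[2]))
            st[2] = 0

    def feed(self, stamp, host, text):
        st = self.state.get(host)
        if st and st[0] == text:
            st[2] += 1
            st[1] = stamp
            return
        self._flush(host)
        self.state[host] = [text, stamp, 0]
        self.out.append(f"{stamp} {host} {text}")

    def close(self):
        for host in list(self.state):   # report any runs still open
            self._flush(host)
        return self.out


def run(suppressor_cls, lines):
    """Feed a stream of raw lines through a suppressor; return what it would write."""
    s = suppressor_cls()
    for line in lines:
        s.feed(*parse_line(line))
    return s.close()


# Constructed streams: a single-host flood like the one in the thread, and a
# central-server stream where a second client (web1) interleaves its records.
LOCAL_LINES = ["Nov 18 15:58:56 tv2 user: allwaysthesame"] * 5 + [
    "Nov 18 15:58:57 tv2 user: done"]
CENTRAL_LINES = [
    "Nov 18 15:58:56 tv2 user: allwaysthesame",
    "Nov 18 15:58:56 web1 cron: job done",
    "Nov 18 15:58:56 tv2 user: allwaysthesame",
    "Nov 18 15:58:57 web1 cron: job done",
    "Nov 18 15:58:57 tv2 user: allwaysthesame",
]

if __name__ == "__main__":
    for name, cls in (("classic", RepeatSuppressor), ("per-host", PerHostSuppressor)):
        print(f"--- {name} suppressor, central stream ---")
        print("\n".join(run(cls, CENTRAL_LINES)))
```

On LOCAL_LINES the classic suppressor writes three lines (the message, "last message repeated 4 times", the next message), which is the disk saving Thomas wants. On CENTRAL_LINES it writes all five records untouched, exactly Jason's point, while the per-host variant collapses both runs. Note that neither variant is a real flood limit: a program that emits slightly different text each time (a counter, a PID, a timestamp inside the message) defeats both, which is why Brad's suggestion of a log-reduction tool, or an explicit per-source rate limit, is the more robust answer. Later syslog-ng releases added a per-destination suppress() option whose semantics match the classic, consecutive-only behaviour modelled here, so the same caveat applies to it.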
participants (3):
- Brad Arlt
- Jason Haar
- Thomas Vögtle