RE: [syslog-ng] prune identical messages
I don't get a "duplicate messages suppressed" log when I have multiple entries. Is there an option I need to turn on or is there a certain threshold for this feature to engage?

I could really use this type of suppression for some logs that I actively alert on.

Alex

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Richard Legault
Sent: Monday, March 27, 2006 2:27 PM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] prune identical messages

But the message repeating does not give you any new information, so it is a waste of disk space to store it. Because it is just as helpful to say

    foo1: ssh connection from 129.257.10.4
    foo1: 2,348 duplicate messages suppressed

than to say

    foo1: ssh connection from 129.257.10.4
    foo1: ssh connection from 129.257.10.4
    foo1: ssh connection from 129.257.10.4
    foo1: ssh connection from 129.257.10.4
    ...
    foo1: ssh connection from 129.257.10.4
    foo1: ssh connection from 129.257.10.4
    foo1: ssh connection from 129.257.10.4
    foo1: ssh connection from 129.257.10.4

I only want to throttle the part that writes the message to the disk.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Valdis.Kletnieks@vt.edu
Sent: March 27, 2006 2:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] prune identical messages

On Mon, 27 Mar 2006 14:25:51 EST, Richard Legault said:

> How can I prevent a log from being written that is identical to the log message that immediately preceded it? I would like to throttle those messages so that they can only be printed once every 10 minutes; those occurring in between would simply be dropped.

You *don't* want to simply drop them. For instance, there's a *big* difference between:

    foo1: ssh connection from 129.257.10.4

and

    foo1: ssh connection from 129.257.10.4
    foo1: 2,348 duplicate messages suppressed

Similarly, how would your response differ for:

    frobozz13: Correctable ECC error detected on board 4, SIMM 7.

and

    frobozz13: Correctable ECC error detected on board 4, SIMM 7.
    frobozz13: 1,438,598 duplicate messages suppressed

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

This e-mail contains Omaha Public Power District's confidential and proprietary information and is for use only by the intended recipient. Unless explicitly stated otherwise, this e-mail is not a contract offer, amendment, nor acceptance. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
You need to use a tool like sec.pl, which is a Perl script used to do correlation. It is really simple to use and can transform a long list of similar events that occurred during a defined time into a single line saying there were xx unsuccessful attempts to log in with the root account during the last xx minutes or xx hours...

JF

SOLIS, ALEX wrote:
> I don't get a "duplicate messages suppressed" log when I have multiple entries. Is there an option I need to turn on or is there a certain threshold for this feature to engage?
>
> I could really use this type of suppression for some logs that I actively alert on.
>
> Alex
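The behaviour the thread converges on (Richard's "write an identical line at most once every 10 minutes", Valdis's "never lose the count", and JF's "collapse a run into one summary line over a time window") can be implemented as a small write-side filter. The following is an added example, not syslog-ng's or sec.pl's code; the `DuplicateSuppressor` class, its `feed`/`close` interface and the sample log lines are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

WINDOW_SECONDS = 10 * 60  # Richard's "once every 10 minutes"


@dataclass
class DuplicateSuppressor:
    """Collapse consecutive identical log lines into one copy plus a count.

    Hypothetical interface: feed(ts, line) returns the lines that should be
    written to disk at that moment; close() flushes a trailing run.
    """
    window: float = WINDOW_SECONDS
    last_line: Optional[str] = None
    last_written: float = 0.0
    suppressed: int = 0

    def _flush_summary(self) -> List[str]:
        # Emit the count, so the repetition rate is never silently lost.
        if self.suppressed == 0:
            return []
        host = self.last_line.split(":", 1)[0]
        out = [f"{host}: {self.suppressed:,} duplicate messages suppressed"]
        self.suppressed = 0
        return out

    def feed(self, ts: float, line: str) -> List[str]:
        if line == self.last_line and ts - self.last_written < self.window:
            self.suppressed += 1  # identical and inside the window: count, do not write
            return []
        out = self._flush_summary()  # a different line or window expiry closes the run
        out.append(line)  # window expiry re-writes the line, as Richard asked
        self.last_line, self.last_written = line, ts
        return out

    def close(self) -> List[str]:
        """Call at shutdown or log rotation so a trailing run still gets its summary."""
        return self._flush_summary()


def run(events: List[Tuple[float, str]], window: float = WINDOW_SECONDS) -> List[str]:
    s = DuplicateSuppressor(window=window)
    written: List[str] = []
    for ts, line in events:
        written += s.feed(ts, line)
    return written + s.close()


# Constructed sample: 2,349 identical ssh lines within one second, then a different line.
SAMPLE = [(i * 0.0004, "foo1: ssh connection from 129.257.10.4") for i in range(2349)]
SAMPLE.append((5.0, "foo1: sshd exiting"))
```

Run as `run(SAMPLE)`; the output is the first ssh line, the `2,348 duplicate messages suppressed` summary, and the `sshd exiting` line.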