Hi,

I've done a bit of searching on this mailing list and found some messages requesting a feature where duplicate messages are filtered/suppressed/summarised (I'm after the same thing). There appears to be a patch for syslog-ng 1.6.12 in openSUSE that addresses this for the older version.

Is anyone actually working on this functionality for a 2.x release?

I've got a proof of concept working on top of the latest 2.0.x git branch but before I get too carried away I wanted to check if anyone else is working on it (or if someone has already implemented it).

Thanks, Chris
I've been after this since I switched to ng and realized this feature was not migrated over (for reasons beyond me since this was the only good feature of syslog !) I'd be very interested in having this ported to the 2.x branch but I'm not a programmer so I need to rely on you code gurus for that. Nice to see that someone is on it and I'd be happy to help test it !

On Mon, May 26, 2008 at 7:55 PM, chris packham <chris.packham@alliedtelesis.co.nz> wrote:
Hi,
I've done a bit of searching on this mailing list and found some messages requesting a feature where duplicate messages are filtered/suppressed/summarised (I'm after the same thing). There appears to be a patch for syslog-ng 1.6.12 in openSUSE that addresses this for the older version.
Is anyone actually working on this functionality for a 2.x release?
I've got a proof of concept working on top of the latest 2.0.x git branch but before I get too carried away I wanted to check if anyone else is working on it (or if someone has already implemented it).
Thanks, Chris
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- stucky
On Mon, 2008-05-26 at 20:05 -0700, stucky wrote:
I've been after this since I switched to ng and realized this feature was not migrated over (for reasons beyond me since this was the only good feature of syslog !) I'd be very interested in having this ported to the 2.x branch but I'm not a programmer so I need to rely on you code gurus for that. Nice to see that someone is on it and I'd be happy to help test it !
the problem with suppressing duplicate messages is that it loses too much information, and once you collect messages from several devices into the same file, the message "Last message repeated N times" does not really have too much information. You lose:

* host information
* timing
* the message itself

So analyzing this is almost impossible. I might integrate a patch that implements this, though.

-- Bazsi
Bazsi

I see your point but wouldn't it be possible to include the host info as well f.e.

date host1 xxxxxxxxxxxxxx
date host2 yyyyyyyyyyyyyy
date host3 zzzzzzzzzzzzzz
date host 1 xxxxxxxxxxxxx
date host2 message repeated n times

meaning that the last message host2 sent was repeated n times shortly after even though other hosts have sent stuff in the meantime as well.

Or you could include the original message (or at least the first few characters of it) itself in the repeat message like:

host2 message "zzzzzzzzzzzzzzzzzzzzzzz" was repeated n times

just throwing out ideas

On Tue, May 27, 2008 at 9:25 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Mon, 2008-05-26 at 20:05 -0700, stucky wrote:
I've been after this since I switched to ng and realized this feature was not migrated over (for reasons beyond me since this was the only good feature of syslog !) I'd be very interested in having this ported to the 2.x branch but I'm not a programmer so I need to rely on you code gurus for that. Nice to see that someone is on it and I'd be happy to help test it !
the problem with suppressing duplicate messages is that it loses too much information, and once you collect messages from several devices into the same file, the message "Last message repeated N times" does not really have too much information. You lose:

* host information
* timing
* the message itself
So analyzing this is almost impossible. I might integrate a patch that implements this, though.
-- Bazsi
-- stucky
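The per-host repeat summary proposed in the message above, as an added example (not code from syslog-ng or from any patch mentioned in this thread). The names `Run`, `summary` and `suppress_duplicates`, the record layout and the sample lines are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Run:
    """One host's current run of identical messages."""
    first_ts: str
    last_ts: str
    msg: str
    repeats: int = 0  # occurrences after the first, which is always written

def summary(host, run):
    # Keeps the three things a bare "last message repeated N times" drops:
    # the host, the timing (first/last seen) and the message text.
    return (f'{run.last_ts} {host} message "{run.msg}" was repeated '
            f'{run.repeats} times (first seen {run.first_ts})')

def suppress_duplicates(records):
    """records: iterable of (timestamp, host, message) in arrival order."""
    out, runs = [], {}  # runs: host -> Run, so other hosts do not break a run
    for ts, host, msg in records:
        run = runs.get(host)
        if run and run.msg == msg:
            run.repeats += 1
            run.last_ts = ts
            continue
        if run and run.repeats:
            out.append(summary(host, run))  # close the run before the new line
        runs[host] = Run(ts, ts, msg)
        out.append(f"{ts} {host} {msg}")
    # Flush runs still open at end of input (a daemon would use a timer).
    out.extend(summary(h, r) for h, r in runs.items() if r.repeats)
    return out

# Constructed sample input, not taken from a real log.
SAMPLE = [
    ("10:00:01", "host1", "link down"),
    ("10:00:02", "host2", "auth failure for root"),
    ("10:00:03", "host3", "disk ok"),
    ("10:00:04", "host1", "link down"),
    ("10:00:05", "host2", "auth failure for root"),
    ("10:00:06", "host2", "auth failure for root"),
    ("10:00:07", "host2", "session opened"),
]

if __name__ == "__main__":
    print("\n".join(suppress_duplicates(SAMPLE)))
```

Summary lines carry the timestamp of the last suppressed repeat, so the output file is not strictly time-ordered; anything correlating events across hosts should sort on the timestamp field rather than on line position.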
participants (3)
- Balazs Scheidler
- chris packham
- stucky