[syslog-ng]Re: Flood Protection

Brad Arlt syslog-ng@lists.balabit.hu
Wed, 19 Nov 2003 09:46:46 -0700


On Wed, Nov 19, 2003 at 11:55:40AM +0100, Thomas Vögtle wrote:
> Jason Haar wrote:
> > One problem with this feature is that it can only work if the last 137
> > syslog events to occur were the same event. We run a large centralized
> > syslog server environment, with lots of syslog clients, and as such this
> 
> OK, but if you run syslog-ng local, and only logging local logs, then it
> is easy to fill the harddisk with logger. With a good flood protection
> it is more difficult.

I cannot be 100% certain, but I am reasonably certain that syslog-ng
does not have this compression of the logs.

One could use swatch (or other log monitoring/reduction tools) to do
this on the fly.  Or an ultra lazy (though not as effective) way would
be to log via pipes only and run gzip or bzip2 from the pipes to the
disk.

Honestly though, the point above about multiple log lines applies just
as well to the local machine.  *Most* things log more than one line
repeatedly; syslogd doesn't handle this either.  Log reduction
programs are about the only thing that will.  The upshot is that while they
are reducing your logs they could also page/email you to inform you
that there is a problem.
-----------------------------------------------------------------------
   __o		Bradley Arlt			Security Team Lead
 _ \<_		arlt@cpsc.ucalgary.ca		University Of Calgary
(_)/(_) 	Joyously Canadian	 	Computer Science
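As an added illustration of the "repeated line" compression discussed above and of Jason's caveat that it only helps when the duplicates arrive back to back (example code written for this page, not part of the thread or of syslog-ng; the 16-character timestamp prefix, the alert threshold and the sample log lines are constructed assumptions):

```shell
#!/bin/sh
# Collapse consecutive identical syslog lines (timestamp stripped) the way
# classic syslogd's "last message repeated N times" does, and emit an ALERT
# line when one burst reaches the threshold given as $1 (default 100).
collapse_repeats() {
    awk -v limit="${1:-100}" '
    function flush() {
        if (n > 0) print "last message repeated " n " times"
        if (n + 1 >= limit) print "ALERT: " (n + 1) " copies of: " prev
    }
    {
        body = substr($0, 17)        # drop "Mon DD HH:MM:SS " (16 chars)
        if (body == prev) { n++; next }
        flush()
        print
        prev = body; n = 0
    }
    END { flush() }'
}

# Constructed input: a burst of three identical lines from one host.
burst_from_one_host() {
    printf '%s\n' \
      'Nov 19 09:46:01 hostA sshd[123]: Failed password for root' \
      'Nov 19 09:46:02 hostA sshd[123]: Failed password for root' \
      'Nov 19 09:46:03 hostA sshd[123]: Failed password for root' \
      'Nov 19 09:46:04 hostB cron[99]: job done'
}

# Constructed input: the same messages interleaved, as a central server
# receiving from many clients would see them; nothing collapses here.
interleaved_hosts() {
    printf '%s\n' \
      'Nov 19 09:46:01 hostA sshd[123]: Failed password for root' \
      'Nov 19 09:46:02 hostB cron[99]: job done' \
      'Nov 19 09:46:03 hostA sshd[123]: Failed password for root' \
      'Nov 19 09:46:04 hostB cron[99]: job done'
}

count_lines() { awk 'END { print NR }'; }
```

Run `burst_from_one_host | collapse_repeats 3` to see the collapsed output plus the ALERT line, and `interleaved_hosts | collapse_repeats 3` to see the interleaved case pass through untouched.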