[syslog-ng] prune identical messages
Richard Legault
rlegault at sandvine.com
Mon Mar 27 22:26:41 CEST 2006
But the message repeating does not give you any new information so it is a waste of diskspace to store it.
Because It is just as helpfull to say
foo1: ssh connection from 129.257.10.4
foo1: 2,348 duplicate messages suppressed
then to say
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
...
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
I only want to throttle the part that writes the message to the disk.
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu]On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: March 27, 2006 2:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] prune identical messages
On Mon, 27 Mar 2006 14:25:51 EST, Richard Legault said:
> How can I prevent a log from being written that is identical to the log message
> that immediately preceded it. I would like to throttle those messages so that
> they can only be printed once every 10 minutes, those occurring between would
> simply be dropped.
You *don't* want to simply drop them.
For instance, there's a *big* difference between:
foo1: ssh connection from 129.257.10.4
and
foo1: ssh connection from 129.257.10.4
foo1: 2,348 duplicate messages suppressed
Similarly, how would your response differ for:
frobozz13: Correctable ECC error detected on board 4, SIMM 7.
and
frobozz13: Correctable ECC error detected on board 4, SIMM 7.
frobozz13: 1,438,598 duplicate messages suppressed
More information about the syslog-ng
mailing list