[syslog-ng] prune identical messages

SOLIS, ALEX asolis at oppd.com
Mon Mar 27 22:43:01 CEST 2006


I don't get a "duplicate messages suppressed" log when I have multiple
entries.  Is there an option I need to turn on or is there a certain
threshold for this feature to engage?

I could really use this type of suppression for some logs that I
actively alert on.

Alex



-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Richard Legault
Sent: Monday, March 27, 2006 2:27 PM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] prune identical messages 

But the message repeating does not give you any new information so it is
a waste of disk space to store it.
Because it is just as helpful to say
foo1: ssh connection from 129.257.10.4
foo1: 2,348 duplicate messages suppressed

than to say
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
...
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4
foo1: ssh connection from 129.257.10.4

I only want to throttle the part that writes the message to the disk.


-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu]On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: March 27, 2006 2:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] prune identical messages 


On Mon, 27 Mar 2006 14:25:51 EST, Richard Legault said:
> How can I prevent a log from being written that is identical to the log message
> that immediately preceded it. I would like to throttle those messages so that
> they can only be printed once every 10 minutes, those occurring between would
> simply be dropped.

You *don't* want to simply drop them.

For instance, there's a *big* difference between:

foo1: ssh connection from 129.257.10.4

and 

foo1: ssh connection from 129.257.10.4
foo1: 2,348 duplicate messages suppressed

Similarly, how would your response differ for:

frobozz13: Correctable ECC error detected on board 4, SIMM 7.

and

frobozz13: Correctable ECC error detected on board 4, SIMM 7.
frobozz13: 1,438,598 duplicate messages suppressed
_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
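
The behaviour debated in this thread, as an added example (not part of any message above and not syslog-ng's own code): a Python filter that writes a repeated line at most once per window and reports the repeats in between as a count, in the format quoted in the thread. The function name, the (timestamp, line) input shape and the sample events are constructed for illustration.

```python
from typing import Iterable, Iterator, Tuple

WINDOW = 600  # seconds; the 10-minute interval asked for in the thread


def suppress_duplicates(events: Iterable[Tuple[int, str]],
                        window: int = WINDOW) -> Iterator[str]:
    """Collapse runs of consecutive identical lines, keeping a count.

    events: (unix_time, "host: message") pairs in arrival order.
    A repeated line is written at most once per `window` seconds; the
    repeats in between are counted and reported, never silently dropped.
    """
    last_line = None    # line currently being de-duplicated
    last_written = 0    # time that line was last written out
    suppressed = 0      # repeats swallowed since then

    def summary() -> str:
        host = last_line.split(":", 1)[0]
        return f"{host}: {suppressed:,} duplicate messages suppressed"

    for ts, line in events:
        if line == last_line and ts - last_written < window:
            suppressed += 1          # identical and inside the window
            continue
        if suppressed:               # run ended or window expired
            yield summary()
        yield line
        last_line, last_written, suppressed = line, ts, 0
    if suppressed:                   # flush the count left at end of input
        yield summary()


# Constructed sample events, using the message texts quoted in the thread.
SSH = "foo1: ssh connection from 129.257.10.4"
ECC = "frobozz13: Correctable ECC error detected on board 4, SIMM 7."
SAMPLE = [(0, SSH), (1, SSH), (2, SSH), (3, SSH), (4, SSH),
          (5, ECC), (6, ECC), (7, ECC),
          (700, ECC),   # same text, but more than 10 minutes later
          (701, ECC)]

if __name__ == "__main__":
    for out in suppress_duplicates(SAMPLE):
        print(out)
```

The count line is what lets an alerting rule tell one event from thousands; a filter that only drops the repeats loses that signal.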


