[syslog-ng] prune identical messages

jf tilaris at wanadoo.fr
Mon Mar 27 23:21:22 CEST 2006


You need to use a tool like sec.pl, which is a perl script used to do 
correlation. It is really simple to use and can transform a long list of 
similar events that occurred during a defined time into a single line saying there 
were xx unsuccessful attempts to log in with the root account during the last 
xx min or xx hours...

JF
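As an added illustration of the behaviour discussed in this thread (it is not syslog-ng's or sec.pl's own code), here is a small Python filter that implements the "once every 10 minutes" throttling Richard asks for while keeping the "N duplicate messages suppressed" count line Valdis argues for. The timestamps, hostnames and messages in the sample input are constructed for the example.

```python
# Added example: a "duplicate messages suppressed" filter of the kind discussed
# in this thread. It is not syslog-ng's own code; it sits between a log source
# and the file writer, and never silently drops lines: every run of repeats
# ends with a count line in the style quoted in the thread.
from typing import Iterable, Iterator, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, message)

def summarize(msg: str, count: int) -> str:
    """Build the summary line, keeping the host prefix of the suppressed message."""
    host = msg.split(":", 1)[0]
    noun = "message" if count == 1 else "messages"
    return f"{host}: {count:,} duplicate {noun} suppressed"

def suppress_duplicates(events: Iterable[Event], window: float = 600) -> Iterator[str]:
    """Emit a message at most once per `window` seconds while it keeps repeating.
    Identical lines inside the window are counted, and the count is flushed as a
    summary line when the message changes, the window expires, or the stream ends."""
    last_msg = None
    last_emit = 0.0
    suppressed = 0
    for ts, msg in events:
        if msg == last_msg and ts - last_emit < window:
            suppressed += 1          # identical and still inside the window
            continue
        if suppressed:
            yield summarize(last_msg, suppressed)
            suppressed = 0
        yield msg                    # first occurrence, or window expired
        last_msg, last_emit = msg, ts
    if suppressed:                   # flush at end of stream so nothing is lost
        yield summarize(last_msg, suppressed)

# Constructed sample input (timestamps are seconds from an arbitrary start).
SSH_MSG = "foo1: ssh connection from 129.257.10.4"
ECC_MSG = "frobozz13: Correctable ECC error detected on board 4, SIMM 7."
SAMPLE_EVENTS = [
    (0, SSH_MSG), (5, SSH_MSG), (10, SSH_MSG),   # three in a row
    (30, ECC_MSG),                                # a different message
    (40, SSH_MSG),                                # back to the ssh line
    (700, SSH_MSG), (701, SSH_MSG),               # 10-minute window has expired
]

if __name__ == "__main__":
    for line in suppress_duplicates(SAMPLE_EVENTS):
        print(line)
```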

SOLIS, ALEX wrote:

>I don't get a "duplicate messages suppressed" log when I have multiple
>entries.  Is there an option I need to turn on or is there a certain
>threshold for this feature to engage?
>
>I could really use this type of suppression for some logs that I
>actively alert on.
>
>Alex
>
>
>
>-----Original Message-----
>From: syslog-ng-bounces at lists.balabit.hu
>[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Richard Legault
>Sent: Monday, March 27, 2006 2:27 PM
>To: Syslog-ng users' and developers' mailing list
>Subject: RE: [syslog-ng] prune identical messages 
>
>But the message repeating does not give you any new information so it is
>a waste of diskspace to store it.
>Because it is just as helpful to say 
>foo1: ssh connection from 129.257.10.4
>foo1: 2,348 duplicate messages suppressed
>
>than to say 
>foo1: ssh connection from 129.257.10.4
>foo1: ssh connection from 129.257.10.4
>foo1: ssh connection from 129.257.10.4
>foo1: ssh connection from 129.257.10.4
>...
>foo1: ssh connection from 129.257.10.4
>foo1: ssh connection from 129.257.10.4
>foo1: ssh connection from 129.257.10.4
>foo1: ssh connection from 129.257.10.4
>
>I only want to throttle the part that writes the message to the disk.
>
>
>-----Original Message-----
>From: syslog-ng-bounces at lists.balabit.hu
>[mailto:syslog-ng-bounces at lists.balabit.hu]On Behalf Of
>Valdis.Kletnieks at vt.edu
>Sent: March 27, 2006 2:59 PM
>To: Syslog-ng users' and developers' mailing list
>Subject: Re: [syslog-ng] prune identical messages 
>
>
>On Mon, 27 Mar 2006 14:25:51 EST, Richard Legault said:
>
>>How can I prevent a log from being written that is identical to the log message
>>that immediately preceded it. I would like to throttle those messages so that
>>they can only be printed once every 10 minutes, those occurring between would
>>simply be dropped.
>
>You *don't* want to simply drop them.
>
>For instance, there's a *big* difference between:
>
>foo1: ssh connection from 129.257.10.4
>
>and 
>
>foo1: ssh connection from 129.257.10.4
>foo1: 2,348 duplicate messages suppressed
>
>Similarly, how would your response differ for:
>
>frobozz13: Correctable ECC error detected on board 4, SIMM 7.
>
>and
>
>frobozz13: Correctable ECC error detected on board 4, SIMM 7.
>frobozz13: 1,438,598 duplicate messages suppressed
>_______________________________________________
>syslog-ng maillist  -  syslog-ng at lists.balabit.hu
>https://lists.balabit.hu/mailman/listinfo/syslog-ng
>Frequently asked questions at http://www.campin.net/syslog-ng/faq.html