[syslog-ng] prune identical messages
Richard Legault
rlegault at sandvine.com
Mon Mar 27 23:54:40 CEST 2006
I would prefer the message suppressed if possible as it gives more information; sorry for not being specific.
So is it possible to have the suppressed message, as I have not seen any such option?
Richard
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu]On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: March 27, 2006 4:42 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] prune identical messages
On Mon, 27 Mar 2006 15:26:41 EST, Richard Legault said:
> But the message repeating does not give you any new information so it is a waste of disk space to store it.
> Because it is just as helpful to say
> foo1: ssh connection from 129.257.10.4
> foo1: 2,348 duplicate messages suppressed
*exactly*. But what you asked for was (your words now):
"those occurring between would simply be dropped."
Producing a "duplicate messages suppressed" is *not* "simply dropping".
Also, notice that if you have an interleaved series of 2 or more message
streams that are identical to themselves but not each other, you can get this:
foo1: message 1
foo1: message 2
foo1: message 3
foo1: message 2
foo1: message 3
foo1: message 1
foo1: message 3
and so on - this requires keeping a copy of the last N messages rather than
just the last single one to do it correctly. Proper choice of N to prevent
being DoS'ed by an out-of-memory when flooded by a mass of non-identical
messages is left as an exercise for the student....
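
The last-N bookkeeping described in the quoted reply, as an added example that is not part of the original thread and is not syslog-ng code: a least-recently-used table of at most `capacity` distinct messages, so a flood of non-identical messages cannot grow memory without bound. The class name, the `capacity` parameter and the summary line format are assumptions made for illustration.

```python
from collections import OrderedDict


class DuplicateSuppressor:
    """Suppress repeats among the last `capacity` distinct messages."""

    def __init__(self, capacity):
        if capacity < 1:
            raise ValueError("capacity must be >= 1")
        self.capacity = capacity
        # message text -> number of repeats suppressed so far, oldest first
        self._seen = OrderedDict()

    @staticmethod
    def _summary(msg, count):
        # Assumed format: the summary names the message so that
        # interleaved streams stay distinguishable in the output.
        return f"{msg} ({count} duplicate messages suppressed)"

    def feed(self, msg):
        """Return the lines to write out for one incoming message."""
        if msg in self._seen:
            self._seen[msg] += 1
            self._seen.move_to_end(msg)  # mark as most recently used
            return []
        out = [msg]
        self._seen[msg] = 0
        if len(self._seen) > self.capacity:
            # Evict the least recently seen message; report what it hid.
            old, count = self._seen.popitem(last=False)
            if count:
                out.append(self._summary(old, count))
        return out

    def flush(self):
        """Emit pending summaries, e.g. on shutdown or on a timer."""
        out = [self._summary(m, c) for m, c in self._seen.items() if c]
        self._seen.clear()
        return out


def run(messages, capacity):
    s = DuplicateSuppressor(capacity)
    lines = [line for m in messages for line in s.feed(m)]
    return lines + s.flush()


# Constructed sample: the interleaved stream from the reply above.
INTERLEAVED = ["foo1: message %d" % n for n in (1, 2, 3, 2, 3, 1, 3)]
```

With `capacity=1` (remembering only the last message) the interleaved stream passes through unsuppressed; with `capacity=3` each message is written once, followed by its summary.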