[syslog-ng] prune identical messages

Tom Le dottom at gmail.com
Tue Mar 28 00:18:09 CEST 2006


Rich,

Syslog compression (i.e. the "-c" switch in other flavors of syslogd) is the
one feature not available in syslog-ng that is available in other versions
of syslogd.  My understanding is this feature might be added in a future
release.

The other responses to this thread are saying that turning on syslog
compression removes the volume component from your log which is important
for determining security or IT relevance of an event.

In some environments, admins are forced to enable compression because
certain systems are verbose (e.g. forwarding firewall/VPN traffic logs,
kerberos ticketing environments, etc.).

Consider an approach where you rewrite the raw logs to a summarized version
that does aggregation to preserve the volume/frequency data.  For example,
each day after log rotation, run a Perl script to rewrite the log.

Tom



On 3/27/06, Richard Legault <rlegault at sandvine.com> wrote:
>
> How can I prevent a log from being written that is identical to the log
> message that immediately preceded it?
> I would like to throttle those messages so that they can only be printed
> once every 10 minutes, those occurring between would simply be dropped.
>
> Richard Legault
> Senior Engineer
> 519-880-2400 ext 2722
> www.sandvine.com
>
>
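
Added example, not part of Tom's message or of syslog-ng itself: one way to write the post-rotation summarizer he suggests, in Python rather than the Perl he mentions. It collapses consecutive identical lines inside a 10-minute window into one line that keeps the repeat count and last-seen time; the function names, the default year and the sample lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# BSD-style syslog line: "Mar 27 00:18:09 host program[pid]: message"
LINE_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (.*)$")

def _render(run):
    """Format one run as a single line carrying its count and last-seen time."""
    if run["count"] == 1:
        return f'{run["first"]} {run["body"]}'
    return (f'{run["first"]} {run["body"]} '
            f'[repeated {run["count"]} times, last at {run["last"]}]')

def summarize(lines, year=2006, window=timedelta(minutes=10)):
    """Collapse consecutive identical messages but keep their count."""
    # A run ends when the text changes or `window` has passed since it began.
    out, run = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m is None:                  # unparseable line: pass through untouched
            if run:
                out.append(_render(run))
                run = None
            out.append(line)
            continue
        stamp, body = m.groups()
        # Classic syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if run and body == run["body"] and when - run["start"] < window:
            run["count"] += 1
            run["last"] = stamp
            continue
        if run:
            out.append(_render(run))
        run = {"first": stamp, "last": stamp, "start": when, "body": body, "count": 1}
    if run:
        out.append(_render(run))
    return out

# Constructed sample input (not taken from the thread).
DROP = "fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DPT=23"
SAMPLE = [
    f"Mar 27 00:00:01 {DROP}",
    f"Mar 27 00:00:02 {DROP}",
    f"Mar 27 00:09:59 {DROP}",
    f"Mar 27 00:10:01 {DROP}",   # window elapsed: starts a new counted run
    "Mar 27 00:10:05 fw1 sshd[311]: Accepted publickey for alice",
]
```

The key here is everything after the timestamp, so messages that differ only in PID or a sequence number are not merged; normalize those fields first if they should count as identical.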