[syslog-ng] Suppress almost-identical messages?

Evade Flow evadeflow at gmail.com
Thu May 22 19:55:58 CEST 2014 

I'm trying to clean up the ad hoc logging in a collection of applications
started on an embedded device using the daemon utility. Example:

   /usr/bin/daemon --name=myapp --output=user.debug --chdir=/MyApp --
/MyApp/bin/myapp

There are 10 different applications started this way, written by different
individuals/teams, and our syslog-ng.conf file currently looks something
like this:

@version:3.3.6
source s_local { system(); internal(); };
destination d_localfile { file("/var/log/messages" suppress(30)); };
log { source(s_local); destination(d_localfile); };

Because the --output=user.debug option to the daemon utility will cause the
applications' stdout/stderr to be redirected to syslog, I'm a little
worried about 'rogue' printf()'s filling up the logs with stuff like:

Jan  1 00:00:54 (none) myapp: Battery voltage is 11.07 volts
Jan  1 00:00:54 (none) myapp: Battery voltage is 11.10 volts
Jan  1 00:00:54 (none) myapp: Battery voltage is 11.07 volts
Jan  1 00:00:54 (none) myapp: Battery voltage is 11.14 volts
Jan  1 00:00:54 (none) myapp: Battery voltage is 11.13 volts
Jan  1 00:00:55 (none) myapp: Battery voltage is 11.09 volts
Jan  1 00:00:55 (none) myapp: Battery voltage is 11.14 volts
...

Does syslog-ng support suppression of almost-but-not-quite identical
messages? It would be nice to see something like this in the logs:

Jan  1 00:55:11 myapp: Battery voltage is 11.07 volts
Jan  1 00:55:14 myapp: Last message 'Battery voltage is 1' repeated with
nearly identical content 418 times, suppressed by syslog-ng on flahblargle

A few of my colleagues have suggested that this is probably more trouble
than it's worth, and we should just fix the spammy app(s) rather than try
to 'outsmart' them. And I think I agree with them, but... it was my idea to
move to syslog-ng, so there'll be a bit more egg on my face than theirs if
we accidentally allow a rogue printf() in a hot loop somewhere to escape
into production. `:-}

Any advice/insight much appreciated, thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20140522/727b11c9/attachment.htm

More information about the syslog-ng mailing list