On Tue, 23 Sep 2014, Michael Hart wrote:
I have RepeatedMsgReduction set to on, and several rulesets forwarding logs in
different directions. Running rsyslog 7.4.5 on Ubuntu 12.04 LTS. A small sample:
ruleset(name="mikesstream"){
action(type="omfwd"
name="mikestreamstream"
target="10.20.30.40"
port="1514"
protocol="tcp"
template="MikesFormat"
)
stop
}
input(type="imtcp" port="1514" ruleset="mikesstream")
And then the regular more or less default save-to-local-file rulesets. The
problem is with repeated messages. If someone sends the same message repeated
several times to port 1514, rsyslog correctly detects that, but it doesn’t
forward that message using my ruleset, the message with "message repeated 2
times:" in it is now saved to local file. My assumption is that if rsyslog
catches multiple messages within a ruleset, it can add the “message repeated X
times:” in the message, but the rest of the ruleset should still apply. Is my
assumption correct?
The simple fix is to turn off RepeatedMsgReduction, but I’m hesitant to do so
as the senders can be quite noisy.
My suggestion is to turn it off.
Any log analysis software you have will ignore or be confused by the "last
message repeated x times" message.
Back in the days when syslog was only on a single system, with low enough usage
that people would review logs manually it made sense, but any alerting system
that you have that wants to alert if something happens too many times needs to
see the raw messages.
The message "last message repeated X times" will actually very seldom appear
after the message it refers to if you have many systems reporting their logs to
one place.
Think a bit about what your reason is for wanting this. If it's disk space, then
turning on compression will end up saving you far more disk space without the
other drawbacks of this approach.
If you really have a system that is commonly generating a lot of identical logs,
with no other logs between them (which is actually a fairly rare thing), then
you need to think of a few other things:
1. Is this a log message that's actually worth logging? Or should you have a
filter to throw this log away to keep it from cluttering your logs?
2. If this really is something that's important to log, would the "last message
repeated X times" version actually do you any good?
3. You can always have a filter that spits these particular logs out to a script
to do something better in terms of combining them (and then that script can
generate a combined log message).
David Lang
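
A sketch of the kind of combining script point 3 describes, added here as an example and not code from this thread or from rsyslog. It assumes rsyslog hands the filtered messages to the script on stdin (for instance through omprog) using a hypothetical template of "<ISO timestamp> <hostname> <message>"; it keys on host and message so interleaved senders do not break a burst, and it passes unparseable lines through untouched.

```python
import sys
from collections import OrderedDict
from datetime import datetime, timedelta

def combine(lines, window=timedelta(seconds=60)):
    """Yield one summary line per (host, message) burst.

    Assumed input (hypothetical template, not from the thread):
    "<ISO 8601 timestamp> <hostname> <message text>", one event per line.
    """
    pending = OrderedDict()  # (host, msg) -> [first_ts, last_ts, count]

    def render(key, state):
        host, msg = key
        first, last, count = state
        line = f"{first.isoformat()} {host} {msg}"
        if count > 1:
            line += f" [seen {count} times, last at {last.isoformat()}]"
        return line

    for raw in lines:
        raw = raw.rstrip("\n")
        parts = raw.split(" ", 2)
        try:
            ts = datetime.fromisoformat(parts[0])
            host, msg = parts[1], parts[2]
        except (ValueError, IndexError):
            yield raw  # not in the assumed format: pass through, never drop
            continue
        # Emit every burst whose window closed before this event arrived.
        for key in [k for k, s in pending.items() if ts - s[0] > window]:
            yield render(key, pending.pop(key))
        key = (host, msg)
        if key in pending:
            pending[key][1] = ts   # remember when the burst was last seen
            pending[key][2] += 1
        else:
            pending[key] = [ts, ts, 1]
    # End of input: emit whatever is still being counted.
    for key, state in pending.items():
        yield render(key, state)

if __name__ == "__main__":
    for out in combine(sys.stdin):
        print(out, flush=True)
```

Unlike "last message repeated X times", each summary carries the host, the original text and both timestamps, so an alerting rule can still count occurrences per sender.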
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog