LogAnalysis
[logs] Is "last message repeated n times" anything good? Mar 18 2008 10:11AM
Rainer Gerhards (rgerhards hq adiscon com)
Hi all,

I am the author of rsyslog (http://www.rsyslog.com), a GPLed enhanced
syslogd. I am currently developing the v3 version and would appreciate
feedback on the "last message repeated n times" feature.

In order to be backwards-compatible with sysklogd, rsyslog supports the
"last message repeated n times" message compression feature. However,
this feature is prone to causing user trouble. Some even think that it
is a design flaw (there has been some previous discussion on this list,
this posting is probably a good entry point into a lengthy thread:
http://www.loganalysis.org/pipermail/loganalysis/2008-January/000547.html ).

From the rsyslog core engine point of view, "last message repeated n
times" is quite costly in terms of code complexity and even performance.
There is a -e command line switch to turn it off, which most users seem
to use (and those that don't use it often seem to run into troubles).

I am very tempted to DROP this feature from future builds. That would
result in a great code complexity reduction (really, it takes a lot of
effort...) and probably also rid rsyslog of a standard trouble spot.
However, it also means that its compression feature is no longer
available. As far as I know (which is not very far ;)) syslog-ng does
not support that feature at all.

Before I drop the feature, I'd like to receive as broad feedback as
possible from potential users.
Does anybody actually need this feature? If so, why is it good?

Please provide feedback.

Thanks,
Rainer
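
An added example, not part of the original post and not rsyslog code: a log consumer that folds "last message repeated n times" markers back into per-message counts, next to a plain line-matching count that misses them. The sample lines, the traditional timestamp/host line layout, and the rule that a marker refers to the immediately preceding line from the same host are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the original post).
SAMPLE = """\
Mar 18 10:11:01 gw sshd[411]: Failed password for root from 192.0.2.7
Mar 18 10:11:31 gw last message repeated 4 times
Mar 18 10:11:40 gw sshd[411]: Failed password for admin from 192.0.2.9
Mar 18 10:12:02 web last message repeated 2 times
Mar 18 10:12:05 gw cron[77]: job started
"""

# Assumed layout: "Mon dd hh:mm:ss host message".
LINE = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")


def count_events(text):
    """Return (Counter of (host, msg) -> occurrences, orphaned marker lines).

    A marker is credited to the immediately preceding message if it came
    from the same host. Otherwise (the original line was filtered out,
    rotated away, or interleaved) it is reported as an orphan, because the
    events it stands for can no longer be identified.
    """
    counts, orphans, prev = Counter(), [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the assumed layout; ignored in this sketch
        host, msg = m["host"], m["msg"]
        rep = REPEAT.match(msg)
        if rep is None:
            prev = (host, msg)
            counts[prev] += 1
        elif prev is not None and prev[0] == host:
            counts[prev] += int(rep.group(1))
        else:
            orphans.append(raw)
    return counts, orphans


def naive_count(text, needle):
    """Count lines containing needle, as a grep-style rule would."""
    return sum(needle in line for line in text.splitlines())


if __name__ == "__main__":
    counts, orphans = count_events(SAMPLE)
    print(naive_count(SAMPLE, "Failed password"), dict(counts), orphans)
```

Even after expansion, the individual timestamps of the suppressed events are gone; only the marker's own time is known.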
