I don’t know about you, but I really hate this “last message repeated X times” on Syslog. Some say that it is useful to avoid floods (denial of services) with repeated messages. Others say it keeps your log files “clean”… For me, it is completely useless. If you syslog daemon supports disabling this feature (-c on FreeBSD), please do so. A few reasons why:
- No log analysis tool will handle this correctly. Specially if we are talking about remote syslog.
- It buffers your logs so they are not in real time anymore.
- It doesn’t protect you against denial of service attacks (keep reading…)
- The last message can be this annoying “last message repeated” log.
To prove my point, this simple command on your Linux/Unix server: (it will generate a simple log every second)
$ while [ 1 ]; do logger "annoying..."; sleep 1; done
Wait a few minutes and check your log:
Dec 17 19:44:08 enigma dcid: annoying...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times
The first thing you see is that the last message reported is not always the last message, but it can be the one before the last one (or more). Secondly, my logs were buffered for 40 seconds in the first time, 2 minutes in the second time and 10 minutes in the third time. Not very good for “real time” analysis (and down it goes on some compliance requirements).
As for the people who thinks it will protect you against denial of service attacks, try the following simple shell script:
$ i=0;while [ 1 ]; do logger "annoy. $i";i=`expr 1 + $i`;done
And enjoy your logs:
Dec 17 19:08:44 copacabana dcid: annoying... 1
Dec 17 19:08:45 copacabana dcid: annoying... 2
Dec 17 19:08:46 copacabana dcid: annoying... 3
Dec 17 19:08:47 copacabana dcid: annoying... 4