{"id":206,"date":"2007-12-18T22:23:00","date_gmt":"2007-12-18T22:23:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=206"},"modified":"2020-07-02T22:23:36","modified_gmt":"2020-07-02T22:23:36","slug":"last-message-repeated-x-times-rant","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/12\/last-message-repeated-x-times-rant\/","title":{"rendered":"Last message repeated X times (rant)"},"content":{"rendered":"\n<p>I don\u2019t know about you, but I really hate this \u201c<em>last message repeated X times<\/em>\u201d on Syslog. Some say that it is useful to avoid floods (denial of service) with repeated messages. Others say it keeps your log files \u201cclean\u201d\u2026 For me, it is completely useless. If your syslog daemon supports disabling this feature (-c on FreeBSD), please do so. A few reasons why:<\/p>\n\n\n\n<ol><li>No log analysis tool will handle this correctly, especially if we are talking about remote syslog.<\/li><li>It buffers your logs, so they are not in real time anymore.<\/li><li>It doesn\u2019t protect you against denial of service attacks (keep reading\u2026)<\/li><li>The last message can be this annoying \u201clast message repeated\u201d log.<\/li><\/ol>\n\n\n\n<p>To prove my point, run this simple command on your Linux\/Unix server (it will generate a simple log entry every second):<br><code><br>$ while [ 1 ]; do logger \"annoying...\"; sleep 1; done<\/code><\/p>\n\n\n\n<p>Wait a few minutes and check your log:<br><code><br>Dec 17 19:44:08 enigma dcid: annoying...<br>Dec 17 19:44:39 enigma last message repeated 31 times<br>Dec 17 19:46:40 enigma last message repeated 115 times<br>Dec 17 19:56:41 enigma last message repeated 589 times<\/code><\/p>\n\n\n\n<p>The first thing you see is that the last message reported is not always the last message; it can be the one before the last one (or earlier). 
Secondly, my logs were buffered for 40 seconds the first time, 2 minutes the second time and 10 minutes the third time. Not very good for \u201creal time\u201d analysis (and it fails some compliance requirements).<\/p>\n\n\n\n<p>As for the people who think it will protect you against denial of service attacks, try the following simple shell script:<br><code><br>$ i=0;while [ 1 ]; do logger \"annoy. $i\";i=`expr 1 + $i`;done<\/code><\/p>\n\n\n\n<p>And enjoy your logs:<br><code><br>Dec 17 19:08:44 copacabana dcid: annoying... 1<br>Dec 17 19:08:45 copacabana dcid: annoying... 2<br>Dec 17 19:08:46 copacabana dcid: annoying... 3<br>Dec 17 19:08:47 copacabana dcid: annoying... 4<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I don\u2019t know about you, but I really hate this \u201clast message repeated X times\u201d on Syslog. Some say that it is useful to avoid floods (denial of service) with repeated messages. Others say it keeps your log files \u201cclean\u201d\u2026 For me, it is completely useless. 
If your syslog daemon supports disabling this feature (-c [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/206"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"predecessor-version":[{"id":207,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/206\/revisions\/207"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}