Last message repeated X times (rant)

I don’t know about you, but I really hate this “last message repeated X times” on Syslog. Some say that it is useful to avoid floods (denial of service) with repeated messages. Others say it keeps your log files “clean”… For me, it is completely useless. If your syslog daemon supports disabling this feature (-c on FreeBSD), please do so. A few reasons why:

  1. No log analysis tool will handle this correctly, especially if we are talking about remote syslog.
  2. It buffers your logs so they are not in real time anymore.
  3. It doesn’t protect you against denial of service attacks (keep reading…)
  4. The last message can be this annoying “last message repeated” log.

To prove my point, run this simple command on your Linux/Unix server (it will generate a simple log every second):

$ while [ 1 ]; do logger "annoying..."; sleep 1; done

Wait a few minutes and check your log:

Dec 17 19:44:08 enigma dcid: annoying...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times

The first thing you see is that the last message reported is not always the last message; it can be the one before the last one (or even earlier). Secondly, my logs were buffered for 40 seconds the first time, 2 minutes the second time and 10 minutes the third time. Not very good for “real time” analysis (and down it goes on some compliance requirements).
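What a log analysis tool has to do to cope with these summary lines, as an added example that is not part of the original post: it tracks the last message per host (required on a central syslog server where hosts interleave), re-attributes each summary, and reports how long the repeated events could have been held back. The function names are hypothetical, and the `copacabana` sample line is constructed.

```python
import re
from datetime import datetime

# Traditional BSD syslog line: "Mon DD HH:MM:SS host rest-of-message"
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")

# The enigma lines are the output shown in the post; the copacabana line
# is constructed to simulate a second host on a central log server.
SAMPLE = """\
Dec 17 19:44:08 enigma dcid: annoying...
Dec 17 19:44:20 copacabana sshd[411]: constructed line from another host
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times
"""

def parse_ts(text):
    # Syslog timestamps carry no year; a fixed one is assumed for arithmetic.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S")

def expand(lines):
    """Return (host, message, count, max_delay_seconds) records."""
    last = {}      # host -> (timestamp, message) of its previous line
    records = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, host, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        rep = REPEAT.match(msg)
        if rep is None:
            last[host] = (ts, msg)
            records.append((host, msg, 1, 0))
        elif host in last:
            # Attribute the summary to this host's own previous message,
            # not to whatever line happens to precede it in the file.
            prev_ts, prev_msg = last[host]
            delay = int((ts - prev_ts).total_seconds())
            records.append((host, prev_msg, int(rep.group(1)), delay))
            last[host] = (ts, prev_msg)   # next summary is measured from here
        else:
            # Summary with no preceding message (e.g. after log rotation).
            records.append((host, None, int(rep.group(1)), None))
    return records

if __name__ == "__main__":
    for rec in expand(SAMPLE.splitlines()):
        print(rec)
```

Even with this reconstruction, the individual timestamps of the repeated events are gone; only the count and an upper bound on the delay can be recovered.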

As for the people who think it will protect you against denial of service attacks, try the following simple shell script:

$ i=0;while [ 1 ]; do logger "annoy. $i";i=`expr 1 + $i`;done

And enjoy your logs:

Dec 17 19:08:44 copacabana dcid: annoying... 1
Dec 17 19:08:45 copacabana dcid: annoying... 2
Dec 17 19:08:46 copacabana dcid: annoying... 3
Dec 17 19:08:47 copacabana dcid: annoying... 4


2 Responses to Last message repeated X times (rant)

  1. New comment to old post, but it is still relevant. I am the author of rsyslog, an enhanced replacement syslogd. I, too, don’t like the “last message repeated…” feature and have begun to remove it from rsyslog. However, user feedback indicates a lot of people like it. Unfortunately, most do not express themselves in public, but the comment in this thread speaks for most of them:

    http://kb.monitorware.com/last-message-repeated-feature-will-go-away-t1720.html

    Rainer

  2. David Lee says:

    Hi,
    I know this is an old post. *Reviving*
    I’d like the ability to turn it off. We have thousands of servers, and chief amongst them, this feature is a blessing. However, I need radius to log every login, and especially when there’s multiple. (script for counting and ‘reporting’, and of course, general debugging.) We have some centralised syslog servers, and many many localised radius servers. I’m not arguing that this feature should be removed, but to be able to turn it off would be nice.
