Syslog - Last message repeated X times (rant)

I don’t complain often, but there is one thing that drives me mad every time I see it.

That's the unfamous "last message repeated X times" on Syslog.

Some say that it is useful to avoid floods (denial of services) with repeated messages. Others say it keeps your log files “clean”…

They are all wrong :) It is completely useless. If you syslog daemon supports disabling this feature (-c on FreeBSD), please do so.

A few reasons why:

  1. No log analysis tool will handle this correctly. Specially if we are talking about remote syslog.
  2. It buffers your logs so they are not in real time anymore.
  3. It doesn’t protect you against denial of service attacks (keep reading…)
  4. The last message can be this annoying “last message repeated” log. Not joking.

To prove my point, this simple command (logger) on your Linux/Unix server: (it will generate a simple log every second):

$ while [ 1 ]; do logger "annoying test log..."; sleep 1; done

Wait a few minutes and check your log:

Dec 17 19:44:08 enigma dcid: annoying test log...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times

The first thing you see is that the last message reported is not always the last message, but it can be the one before the last one (or more).

Secondly, my logs were buffered for 40 seconds in the first time, 2 minutes in the second time and 10 minutes in the third time.

Not very good for “real time” analysis (and down it goes on some compliance requirements).

As for the people who thinks it will protect you against denial of service attacks, try the following simple shell script:

$ i=0;while [ 1 ]; do logger "annoy. $i";i=`expr 1 + $i`;done

Dec 17 19:08:44 copacabana dcid: annoying... 1
Dec 17 19:08:45 copacabana dcid: annoying... 2
Dec 17 19:08:46 copacabana dcid: annoying... 3
Dec 17 19:08:47 copacabana dcid: annoying... 4

And enjoy your logs.

Posted in   syslog     by Daniel Cid (dcid)

Coding for fun and profit. Often fun and little profit.