I don’t complain often, but there is one thing that drives me mad every time I see it.
That's the infamous "last message repeated X times" in syslog.
Some say that it is useful to avoid floods (denial of service) with repeated messages. Others say it keeps your log files “clean”…
They are all wrong :) It is completely useless. If your syslog daemon supports disabling this feature (-c on FreeBSD), please do so.
A few reasons why:
To prove my point, run this simple command (logger) on your Linux/Unix server (it will generate a simple log every second):
$ while [ 1 ]; do logger "annoying test log..."; sleep 1; done
Wait a few minutes and check your log:
Dec 17 19:44:08 enigma dcid: annoying test log...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times
The first thing you see is that the last message reported is not always the last message, but it can be the one before the last one (or more).
Secondly, my logs were buffered for 40 seconds the first time, 2 minutes the second time and 10 minutes the third time.
Not very good for “real time” analysis (and down it goes on some compliance requirements).
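What this does to anyone parsing the file, as an added example (not part of the original post): a small Python parser that reads the lines above, attributes each "repeated" notice to the previous message from the same host, and reports the window in which the collapsed events lost their individual timestamps. The function names, the assumed year and the attribution rule are assumptions of this example; as noted above, the notice does not always refer to the line right before it.

```python
import re
from datetime import datetime

# Constructed sample input: the four log lines quoted in the post above.
SAMPLE = """\
Dec 17 19:44:08 enigma dcid: annoying test log...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times
"""

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")

def parse_ts(text, year=2000):
    # Classic syslog timestamps carry no year; the year here is an assumption.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def summarize(log_text):
    """One row per line: host, message, count, and window in seconds (the span
    in which the collapsed events occurred without timestamps of their own)."""
    last = {}  # host -> (timestamp of previous line, last real message)
    rows = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, body = parse_ts(m.group(1)), m.group(2), m.group(3)
        rep = REPEAT.match(body)
        if rep is None:
            last[host] = (ts, body)
            rows.append({"host": host, "message": body, "count": 1, "window": 0})
            continue
        count = int(rep.group(1))
        if host not in last:
            # Repeat notice with nothing before it (e.g. right after rotation).
            rows.append({"host": host, "message": None, "count": count, "window": None})
            continue
        prev_ts, msg = last[host]
        # Best-guess attribution: assume the notice refers to the previous message.
        rows.append({"host": host, "message": msg, "count": count,
                     "window": int((ts - prev_ts).total_seconds())})
        last[host] = (ts, msg)
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The per-row window is the best precision a correlation rule can get for those events; the individual timestamps are gone.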
As for the people who think it will protect you against denial of service attacks, try the following simple shell script:
$ i=0;while [ 1 ]; do logger "annoy. $i";i=`expr 1 + $i`;done
Dec 17 19:08:44 copacabana dcid: annoying... 1
Dec 17 19:08:45 copacabana dcid: annoying... 2
Dec 17 19:08:46 copacabana dcid: annoying... 3
Dec 17 19:08:47 copacabana dcid: annoying... 4
And enjoy your logs.