Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. RSyslog>
  3. users
Last Message repeated N times
stephen.carville at gmail
Dec 7, 2007, 2:09 PM
Post #1 of 5 (2202 views)
Permalink
I am using rsyslog 1.19.10 on a central server to collect messages and
store them in a mysql database. One thing I've noticed is that the
"last message repeated NNN times" entries are alway entered with
FromHost="last", SysLogTag="message", and Message="repeated NNN
times". Can this be fixed?

I still use the regular sysklogd package on the remote machines to
forward the messages.

--
Stephen Carville
Last Message repeated N times [ In reply to ]
rgerhards at hq
Dec 11, 2007, 4:01 AM
Post #2 of 5 (2156 views)
Permalink
Hi Stephen,

I was totally swamped the past days, sorry for the missing response.
I'll check what causes this. As a side-note, I think that the message
reduction code does not work well with the database - as you can no
longer query the individual messages. Is this your intent?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> Sent: Friday, December 07, 2007 10:09 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Last Message repeated N times
>
> I am using rsyslog 1.19.10 on a central server to collect messages and
> store them in a mysql database. One thing I've noticed is that the
> "last message repeated NNN times" entries are alway entered with
> FromHost="last", SysLogTag="message", and Message="repeated NNN
> times". Can this be fixed?
>
> I still use the regular sysklogd package on the remote machines to
> forward the messages.
>
> --
> Stephen Carville
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
Last Message repeated N times [ In reply to ]
rgerhards at hq
Dec 11, 2007, 4:26 AM
Post #3 of 5 (2163 views)
Permalink
I think I misunderstood your problem... The "last message repeated n
times" stems back from the reporting sysklogd's - right? Mhhh... that's
a problem. I need to do some hardcoded processing in the parser to cover
part of it. The problem is that sysklogd emits a totally non-standard
message in that case. Even worse, I think it does not even contain a
clue at the missing information. I could probably use the sender's IP
address as source in that case, but the tag seems to be impossible to
obtain.

Can you post me a copy of the %rawmsg% property, so that I can have a
look at what exactly you are seing?

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Tuesday, December 11, 2007 12:01 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Last Message repeated N times
>
> Hi Stephen,
>
> I was totally swamped the past days, sorry for the missing response.
> I'll check what causes this. As a side-note, I think that the message
> reduction code does not work well with the database - as you can no
> longer query the individual messages. Is this your intent?
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> > Sent: Friday, December 07, 2007 10:09 PM
> > To: rsyslog at lists.adiscon.com
> > Subject: [rsyslog] Last Message repeated N times
> >
> > I am using rsyslog 1.19.10 on a central server to collect messages
> and
> > store them in a mysql database. One thing I've noticed is that the
> > "last message repeated NNN times" entries are alway entered with
> > FromHost="last", SysLogTag="message", and Message="repeated NNN
> > times". Can this be fixed?
> >
> > I still use the regular sysklogd package on the remote machines to
> > forward the messages.
> >
> > --
> > Stephen Carville
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
Last Message repeated N times [ In reply to ]
stephen.carville at gmail
Dec 12, 2007, 10:38 AM
Post #4 of 5 (2162 views)
Permalink
On Dec 11, 2007 3:01 AM, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> Hi Stephen,
>
> I was totally swamped the past days, sorry for the missing response.
> I'll check what causes this. As a side-note, I think that the message
> reduction code does not work well with the database - as you can no
> longer query the individual messages. Is this your intent?

My original intent was to have a centralized copy of all the changes
that cfengine makes. That works extremely well and saves me a
buttload of time over having to log by hand in a shared Excel
spreadsheet every time I update a hosts file or tweak httpd.conf or
tomcat's server.xml. That and logging the messages from auditd were
the main goals. I added /var/log/messages and /var/log/secure mainly
because I could and because it gives the Linux side of the shop
greater credibility with the SOX (expletive deleted). Now that
messages and secure are in the database I'll have to run a log
analyzer periodically looking for indications of "stuff" that's not
right but that comes after about six other projects.

This isn't a show stopper and I could probably just drop the "last
messages repeated.." entries without any harm. Tho I;m not sure how
jsut yet. Out of 2.4M rows about 385K are of this type.

> Rainer
>
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> > Sent: Friday, December 07, 2007 10:09 PM
> > To: rsyslog at lists.adiscon.com
> > Subject: [rsyslog] Last Message repeated N times
> >
> > I am using rsyslog 1.19.10 on a central server to collect messages and
> > store them in a mysql database. One thing I've noticed is that the
> > "last message repeated NNN times" entries are alway entered with
> > FromHost="last", SysLogTag="message", and Message="repeated NNN
> > times". Can this be fixed?
> >
> > I still use the regular sysklogd package on the remote machines to
> > forward the messages.
> >
> > --
> > Stephen Carville
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
>

--
Stephen Carville
Last Message repeated N times [ In reply to ]
stephen.carville at gmail
Dec 12, 2007, 11:02 AM
Post #5 of 5 (2162 views)
Permalink
On Dec 11, 2007 3:26 AM, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> I think I misunderstood your problem... The "last message repeated n
> times" stems back from the reporting sysklogd's - right?

Would ugrading to rsyslogd on the client machines help? I'm getting
ready for an upgrade cycle where everything except a couple of boxes
running old hardware not suppoert by the 2.6 kernel will be either
Oracle ULN 4.X or Redhat/CentOS 5.X I didn't see a spec file in the
tar.gz but I can write one myself if there is no good one available.

> Mhhh... that's
> a problem. I need to do some hardcoded processing in the parser to cover
> part of it. The problem is that sysklogd emits a totally non-standard
> message in that case. Even worse, I think it does not even contain a
> clue at the missing information. I could probably use the sender's IP
> address as source in that case, but the tag seems to be impossible to
> obtain.
>
> Can you post me a copy of the %rawmsg% property, so that I can have a
> look at what exactly you are seing?
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
>
> > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Tuesday, December 11, 2007 12:01 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] Last Message repeated N times
> >
> > Hi Stephen,
> >
> > I was totally swamped the past days, sorry for the missing response.
> > I'll check what causes this. As a side-note, I think that the message
> > reduction code does not work well with the database - as you can no
> > longer query the individual messages. Is this your intent?
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> > > Sent: Friday, December 07, 2007 10:09 PM
> > > To: rsyslog at lists.adiscon.com
> > > Subject: [rsyslog] Last Message repeated N times
> > >
> > > I am using rsyslog 1.19.10 on a central server to collect messages
> > and
> > > store them in a mysql database. One thing I've noticed is that the
> > > "last message repeated NNN times" entries are alway entered with
> > > FromHost="last", SysLogTag="message", and Message="repeated NNN
> > > times". Can this be fixed?
> > >
> > > I still use the regular sysklogd package on the remote machines to
> > > forward the messages.
> > >
> > > --
> > > Stephen Carville
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
>



--
Stephen Carville

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal