Hi Mike, Wow -- that is cool!! I have not heard of that parameter before. I think I could probably use that -- if I set the rate limit high enough, perhaps it would prevent syslog from suppressing duplicate messages. The problem though is that I am guessing this only applies to messages coming from the kernel; other processes which talk to syslog directly will probably still trigger suppression I'm guessing. For example, several repeated failure messages from sshd will generate this message: "last message repeated" This is basically the situation: http://www.syslog.org/PNphpBB2-viewtopic-t62-.phtml I have never been able to find the official RedHat solution to the problem, short of rebuilding a custom syslog katsu On 1/30/07, Mike Kearey <mkearey@xxxxxxxxxx> wrote:
katsumi liquer wrote: > One issue I have had with RHEL 4.x is closely related with VMware > ...<snipped> > > A second feature which I don't like about RHEL is that the syslog > daemon is permanently configured for event suppression -- meaning that > if a certain event repeats a certain number of times, syslog will > print out a message like: 'message repeated' -- and you can't disable > this behavior. it is all fine and good, except when you are trying to > get very accurate statistics from your syslog daemon, say for an IDS. > I talked to RH tech support about this, and they said that suppression > is there to protect your log file size, and that you can't disable it. > I recall that there is a kernel printk imposed the rate limit - I did not think klogd or syslogd imposed any rate limit. It is configurable, check with sysctl command : # sysctl -a |grep printk_ratelimit kernel.printk_ratelimit_burst = 10 kernel.printk_ratelimit = 5 From the file /usr/share/doc/kernel-doc-2.6.9/Documentation/sysctl/kernel.txt in the kernel-doc rpm: printk_ratelimit: Some warning messages are rate limited. printk_ratelimit specifies the minimum length of time between these messages (in jiffies), by default we allow one every 5 seconds. A value of 0 will disable rate limiting. ============================================================== printk_ratelimit_burst: While long term we enforce one message per printk_ratelimit seconds, we do allow a burst of messages to pass through. printk_ratelimit_burst specifies the number of messages we can send before ratelimiting kicks in. ============================================================== Cheers Michael -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
