[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora 6 Advice



Hi Mike,

Wow -- that is cool!! I have not heard of that parameter before. I
think I could probably use that -- if I set the rate limit high
enough, perhaps it would prevent syslog from suppressing duplicate
messages. The problem though is that I am guessing this only applies
to messages coming from the kernel; other processes which talk to
syslog directly will probably still trigger suppression I'm guessing.
For example, several repeated failure messages from sshd will generate
this message:

"last message repeated"

This is basically the situation:

http://www.syslog.org/PNphpBB2-viewtopic-t62-.phtml

I have never been able to find the official RedHat solution to the
problem, short of rebuilding a custom syslog

katsu

On 1/30/07, Mike Kearey <mkearey redhat com> wrote:
katsumi liquer wrote:
> One issue I have had with RHEL 4.x is closely related with VMware
> ...<snipped>
>
> A second feature which I don't like about RHEL is that the syslog
> daemon is permanently configured for event suppression -- meaning that
> if a certain event repeats a certain number of times, syslog will
> print out a message like: 'message repeated' -- and you can't disable
> this behavior. it is all fine and good, except when you are trying to
> get very accurate statistics from your syslog daemon, say for an IDS.
> I talked to RH tech support about this, and they said that suppression
> is there to protect your log file size, and that you can't disable it.
>

I recall that there is a kernel printk imposed the rate limit - I did
not think klogd or syslogd imposed any rate limit. It is configurable,
check with sysctl command :

# sysctl -a |grep printk_ratelimit
kernel.printk_ratelimit_burst = 10
kernel.printk_ratelimit = 5




 From the file
/usr/share/doc/kernel-doc-2.6.9/Documentation/sysctl/kernel.txt in the
kernel-doc rpm:

printk_ratelimit:

Some warning messages are rate limited. printk_ratelimit specifies
the minimum length of time between these messages (in jiffies), by
default we allow one every 5 seconds.

A value of 0 will disable rate limiting.

==============================================================

printk_ratelimit_burst:

While long term we enforce one message per printk_ratelimit
seconds, we do allow a burst of messages to pass through.
printk_ratelimit_burst specifies the number of messages we can
send before ratelimiting kicks in.

==============================================================



Cheers
Michael

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]