[logs] Is "last message repeated n times" anything good?
Daniel Cid
dcid at ossec.net
Tue Mar 18 10:18:19 PDT 2008
Hi Rainer,

Please disable this feature (please again :))... I "ranted" about it a
while ago in my blog:

http://www.ossec.net/dcid/?p=119

Basically my reasons to disable it were:

1. No log analysis tool will handle this correctly. Especially if
we are talking about remote syslog.
2. It buffers your logs so they are not in real time anymore.
3. It doesn't protect you against denial of service attacks (keep reading…)
4. The last message can be this annoying "last message repeated" log.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 3/18/08, Andreux Fort (あんどりゅー) <afort at choqolat.org> wrote:
> On Tue, Mar 18, 2008 at 3:11 AM, Rainer Gerhards
> <rgerhards at hq.adiscon.com> wrote:
>
> > Before I drop the feature, I'd like to receive as broad feedback as
> > possible from potential users.
> > Does anybody actually need this feature? If so, why is it good?
> >
> > Please provide feedback.
> >
> > Thanks,
> > Rainer
>
>
> Personally, I've never wanted this "last message" behavior from my
> syslogd's, since it means an additional step in post-processing, disk
> is cheap(ish), my post-processing finds spammy sources anyhow, and
> importantly; it collapses the time-domain for those events, something
> I dislike.
>
>
> --
> Andreux Fort (afort at choqolat.org)
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
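
An added example, not part of the original thread: a small Python sketch of what a log analysis tool has to do with "last message repeated" lines once two hosts forward into one file on a collector. The sample lines, host names and the expand/count helpers are constructed for illustration and assume the classic "timestamp host message" syslog layout.

```python
import re

# Constructed sample: hostA and hostB forward to one collector file.
# hostA's syslogd compressed three further failed logins into a repeat line.
SAMPLE = """\
Mar 18 10:00:01 hostA sshd[411]: Failed password for root from 192.0.2.7
Mar 18 10:00:02 hostB cron[88]: job started
Mar 18 10:00:31 hostA last message repeated 3 times
Mar 18 10:00:40 hostB cron[88]: job finished
""".splitlines()

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")


def expand(lines, per_host):
    """Return (timestamp, host, message) events with repeat lines expanded.

    per_host=False: reuse the previous line in the file (naive reading).
    per_host=True:  reuse the last message seen from the same host.
    """
    last_global = None
    last_by_host = {}
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        r = REPEAT.match(msg)
        if r:
            prev = last_by_host.get(host) if per_host else last_global
            if prev is None:
                prev = "<original message not seen>"
            # Every expanded copy gets the repeat line's timestamp:
            # the real event times are not recoverable.
            events.extend((ts, host, prev) for _ in range(int(r.group(1))))
            continue
        last_global = msg
        last_by_host[host] = msg
        events.append((ts, host, msg))
    return events


def count(events, needle):
    """Number of events whose message contains needle."""
    return sum(1 for _, _, msg in events if needle in msg)
```

Read naively, the repeat line is taken for three more "job started" events and the failed logins are undercounted; tracking state per host restores the count, but all three repeats still carry the 10:00:31 timestamp.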