[logs] Is "last message repeated n times" anything good?

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Mar 18 10:26:26 PDT 2008


Hi Daniel,

I already read your rant, and it was one of the reasons I asked the question. Please let me add that, for an immediate cure, you can specify the -e command line option with rsyslog, which disables the logic *today*; it just keeps the complexity in the code.

On the denial of service attacks: I got one good point from another mailing list:

> > I think preventing DOS attacks is a valid argument, but as you said it can
> > be easily circumvented by randomizing messages.
> I'm afraid it's not true in all cases. What if you do the DOS attack not directly
> on rsyslog, but via another daemon? In a situation where you can't send a message
> directly to syslog, but you can make some daemon generate a message for you,
> this message would probably always have the same content.

There seems to be some truth in that...

Rainer

> -----Original Message-----
> From: Daniel Cid [mailto:dcid at ossec.net]
> Sent: Tuesday, March 18, 2008 6:18 PM
> To: Andreux Fort (あんどりゅー)
> Cc: Rainer Gerhards; loganalysis at loganalysis.org
> Subject: Re: [logs] Is "last message repeated n times" anything good?
> 
> Hi Rainer,
> 
> Please disable this feature (please again :))... I "ranted" about it a
> while ago in my blog:
> 
> http://www.ossec.net/dcid/?p=119
> 
> Basically my reasons to disable it were:
> 
>    1. No log analysis tool will handle this correctly, especially if
> we are talking about remote syslog.
>    2. It buffers your logs so they are not in real time anymore.
>    3. It doesn't protect you against denial of service attacks (keep
> reading...)
>    4. The last message can be this annoying "last message repeated"
> log.
> 
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> 
> 
> On 3/18/08, Andreux Fort (あんどりゅー) <afort at choqolat.org> wrote:
> > On Tue, Mar 18, 2008 at 3:11 AM, Rainer Gerhards
> >  <rgerhards at hq.adiscon.com> wrote:
> >
> >  >  Before I drop the feature, I'd like to receive as broad feedback as
> >  >  possible from potential users.
> >  >  Does anybody actually need this feature? If so, why is it good?
> >  >
> >  >  Please provide feedback.
> >  >
> >  >  Thanks,
> >  >  Rainer
> >
> >
> > Personally, I've never wanted this "last message" behavior from my
> >  syslogds, since it means an additional step in post-processing, disk
> >  is cheap(ish), my post-processing finds spammy sources anyhow, and,
> >  importantly, it collapses the time-domain for those events, something
> >  I dislike.
> >
> >
> >  --
> >  Andreux Fort (afort at choqolat.org)
> >
> > _______________________________________________
> >  LogAnalysis mailing list
> >  LogAnalysis at loganalysis.org
> >  http://www.loganalysis.org/mailman/listinfo/loganalysis
> >