Thank you to the following people, in order of appearance, for taking time out of their busy day to respond:

Justin Stringfellow
Nick Boyce
Dan A
John Douglass
John Sottile
Nick Hindley

and Sebastian Boeker for being first across the line with the OOTO reminder.

Looks like syslog-ng will do what we want, i.e. not summarize duplicate log messages. Syslog-ng can be found at http://www.balabit.hu/en/downloads/syslog-ng

msyslogd was also mentioned as a possible solution, with greater capabilities (not clear if those capabilities are greater than syslog-ng, or just the stock syslogd). No reference was given for where to find msyslogd, but I suppose Google will be helpful for that.

One person suggested getting the BSD sources and hacking out the bits I didn't want. I'm not sure if that would work, though, as BSD uses a different mechanism for communicating with clients, so IMHO replacing the Solaris syslogd with the BSD version would not work. According to syslog-ng:

PLATFORM                  METHOD
Linux                     A SOCK_STREAM unix socket named /dev/log
BSD flavors               A SOCK_DGRAM unix socket named /var/run/log
Solaris (2.5 or below)    An SVR4 style STREAMS device named /dev/log
Solaris (2.6 or above)    In addition to the STREAMS device used in
                          versions below 2.6, uses a new multithreaded
                          IPC method called door. By default the door
                          used by syslogd is /etc/.syslog_door

The solution I used was to rewrite the script that the client had written, and use GNU grep and awk to better parse the syslog output file and provide accurate counts per minute of the error messages in question.

Thanks for all your help!

--
Mike van der Velden            email  mvanderv@redback.com
System Administrator           voice  604-629-7281
Redback Networks Canada, Inc.  pager  604-868-1562
200 - 4190 Still Creek Drive   fax    604-294-8830
Burnaby, BC. Canada

The idea that Bill Gates has appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.
-- Douglas Adams

-------- Original Message --------
Subject: How do I disable syslog message summarization?
Date: Thu, 08 Aug 2002 12:15:03 -0700
From: Mike van der Velden <mvanderv@redback.com>
Organization: Redback Networks Canada, Inc.
To: Sun Managers Mailing List <sun-managers@sunmanagers.org>

I know that this is generally a Good Thing(tm) that the messages are summarized. It'd be nice if for one facility (or even all of syslog) I could disable this summarization. Anyone know how?

Alternatively, should I grab a syslogd.c from Linux or NetBSD and hack it to do what I want? Or is there some other third party software that I can use in place of, or in addition to, syslog? (no, we don't use Tivoli)

Other suggestions that have been considered but won't work:

1. use the mark facility of syslog to write a timestamp every minute.
   => we can't, because the messages arrive more frequently than that.
2. make the generated messages unique in some way
   => we can't because we don't control the message source.

Why do we want to do this, you ask? There is a (3rd party, not Solaris, not our own) process we are monitoring that sends out some cryptic (to me, anyway) error messages. When they happen once in a while, no problem. When they occur more frequently, say once per second, we need to send an alert. So, a script has been written to monitor the log file, but it gets defeated by the syslog summarization.

Yes, I think a more sophisticated perl script could probably handle the log file parsing. Hmmm... perhaps syslog could pass these messages along to another process that will parse the messages as they come in. Anyone written a script like that?

FYI, the system running syslogd is Solaris 8.

Here are some of the sample error messages:

Aug 8 13:35:11 ARTNVAARSMSR13 13:37:56 8Aug2002: %L2TP-3-BADSCCRP: DNOC:1: received bad sccrp in state WAIT CTL REPLY
Aug 8 13:35:11 ARTNVAARSMSR13 13:38:13 8Aug200last message repeated 20 times
Aug 8 13:35:32 ARTNVAARSMSR8 12:32:38 8Aug2001: %L2TP-3-MAX_REXMTS: vr1dca3:1: Exceeded max retransmit count on packet 0
Aug 8 13:35:32 ARTNVAARSMSR13 13:38:14 8Aug2002: %L2TP-3-BADSCCRP: DNOC:1: received bad sccrp in state WAIT CTL REPLY
Aug 8 13:35:32 ARTNVAARSMSR13 13:38:28 8Aug200last message repeated 14 times

Yes, I see the odd date stamps as well (Aug 200 and Aug 2001), which is another issue that needs to be dealt with.

Received on Fri Aug 9 19:14:47 2002
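
The per-minute counting described in the summary above, as an added example that is not part of the original post and not the author's grep/awk script: it expands each "last message repeated N times" line into N occurrences of the preceding message before counting. It assumes a repeat line refers to the most recent tagged message from the same host; the function names and the alert threshold are hypothetical.

```python
import re
from collections import Counter

# Sample lines copied from the message above, truncated date stamps included.
SAMPLE = """\
Aug 8 13:35:11 ARTNVAARSMSR13 13:37:56 8Aug2002: %L2TP-3-BADSCCRP: DNOC:1: received bad sccrp in state WAIT CTL REPLY
Aug 8 13:35:11 ARTNVAARSMSR13 13:38:13 8Aug200last message repeated 20 times
Aug 8 13:35:32 ARTNVAARSMSR8 12:32:38 8Aug2001: %L2TP-3-MAX_REXMTS: vr1dca3:1: Exceeded max retransmit count on packet 0
Aug 8 13:35:32 ARTNVAARSMSR13 13:38:14 8Aug2002: %L2TP-3-BADSCCRP: DNOC:1: received bad sccrp in state WAIT CTL REPLY
Aug 8 13:35:32 ARTNVAARSMSR13 13:38:28 8Aug200last message repeated 14 times
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+(\S+)\s+(.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times?")
TAG = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+")  # e.g. %L2TP-3-BADSCCRP


def count_per_minute(lines):
    """Count messages per (minute, host, tag), expanding repeat summaries."""
    counts = Counter()
    last_tag = {}  # host -> tag of that host's most recent real message
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        minute, host, rest = m.groups()
        minute = " ".join(minute.split())  # "Aug  8" and "Aug 8" share a key
        rep = REPEAT.search(rest)  # search: the prefix may be garbled
        if rep:
            # Assumption: the summary refers to this host's previous message.
            # It is stamped when written, so repeats are charged to that minute.
            if host in last_tag:
                counts[(minute, host, last_tag[host])] += int(rep.group(1))
            continue
        tag = TAG.search(rest)
        if tag:
            last_tag[host] = tag.group(0)
            counts[(minute, host, tag.group(0))] += 1
        else:
            last_tag.pop(host, None)  # untagged line ends the repeat chain
    return counts


def over_threshold(counts, per_minute):
    """Keys whose expanded count reaches the (hypothetical) alert threshold."""
    return sorted(key for key, n in counts.items() if n >= per_minute)


if __name__ == "__main__":
    for key, n in sorted(count_per_minute(SAMPLE.splitlines()).items()):
        print(n, *key)
```

On the five sample lines a plain line count sees two BADSCCRP entries for ARTNVAARSMSR13 in minute 13:35, while the expanded count is 36.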