Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Annoyed by syslog-ng "STATS: dropped 0" messages
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
t011
Tux's lil' helper
Tux's lil' helper


Joined: 05 Sep 2002
Posts: 102

PostPosted: Wed Jun 30, 2004 10:22 pm    Post subject: Annoyed by syslog-ng "STATS: dropped 0" messages Reply with quote

I think there's an art to logging system messages. An art, that for the most part, I know nothing about. But on those rare occasions when I do peruse my log files and try to understand them. I get annoyed by overly verbose logging of nothing. What I mean by that is reams and reams of the same log entries basically saying nothing happened. Two prime examples:

1) cron's rediculous logging of this message every minute to /var/log/messages
Code:
Jun 30 14:24:00 zen CRON[27520]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Jun 30 14:25:00 zen CRON[27810]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

That annoyance has been discussed in many threads on the forums. I forget how I fixed it. I think with a filter in syslog-ng. But, that brings me to my second annoying log message.
Code:
Jun 30 14:24:00 zen syslog-ng[6560]: STATS: dropped 0
Jun 30 14:34:00 zen syslog-ng[6560]: STATS: dropped 0
Jun 30 14:44:00 zen syslog-ng[6560]: STATS: dropped 0
Jun 30 14:54:00 zen syslog-ng[6560]: STATS: dropped 0
Jun 30 15:04:00 zen syslog-ng[6560]: STATS: dropped 0

I saw that /var/log/messages was now filling, albeit much slower, with this long string of "everything's OK" messages. I searched around and found 1 message on the syslog-ng mailing list about how to disable this logging. Apparently this message just tells you that syslog-ng hasn't dropped any /dev/log packets. The solution is to add the stats_freq(0) option to /etc/syslog-ng/syslog-ng.conf like so:
Code:
options { long_hostnames(off); sync(0); stats_freq(0); };
The mailing list thread I found is here.
Back to top
View user's profile Send private message
spudicus
Apprentice
Apprentice


Joined: 05 Dec 2002
Posts: 177
Location: Geraldton, Australia

PostPosted: Thu Jul 01, 2004 2:27 am    Post subject: Reply with quote

Thanks :D You've helped make my logs just that little bit easier to read! I learn at least one thing new everyday on the Gentoo forums! :D

In regards to the cron job running every minute, there's a post here:
https://forums.gentoo.org/viewtopic.php?t=111764

I don't know if that was the post you were refering to but it does offer one solution.
Back to top
View user's profile Send private message
bravecobra
Tux's lil' helper
Tux's lil' helper


Joined: 26 Dec 2002
Posts: 130
Location: Planet Earth (sometimes)

PostPosted: Wed Jul 07, 2004 7:58 am    Post subject: Reply with quote

I'm getting a syntax error when adding that option.
Code:
# /etc/init.d/syslog-ng restart
 * WARNING:  you are stopping a boot service.
 * Stopping dcron...                                                                                                                                 [ok]
 * Stopping syslog-ng...                                                                                                                             [ok]
 * Starting syslog-ng...
syntax error at 9
Parse error reading configuration file, exiting. (line 9)
 * Failed to start syslog-ng                                                                                                                         [!!]

_________________
Brave Cobra
http://www.bravecobra.com
Back to top
View user's profile Send private message
spudicus
Apprentice
Apprentice


Joined: 05 Dec 2002
Posts: 177
Location: Geraldton, Australia

PostPosted: Wed Jul 07, 2004 9:51 am    Post subject: Reply with quote

In the end it didn't work for me either. I think the command is deprecated as of version 1.5.18

However, I came up with two alternatives, which achieve the same or similar result by adding some entries to syslog-ng

The safe way:
Code:
source src { unix-stream("/dev/log"); file("/proc/kmsg" log_prefix("kernel: "));
 };
source int { internal(); };
destination int { file("/var/log/internal.log"); };
log { source(int); destination(int); };


This way moves the internal() syslog-ng stream to it's own source and logs it too a seperate file. The redundancy is still there but out of site.

The slightly less safe way:
Code:
source src { unix-stream("/dev/log"); file("/proc/kmsg" log_prefix("kernel: "));
 };
source int { internal(); };
destination int { file("/var/log/internal.log"); };
filter crap { not match("]: STATS: dropped 0$"); };
log { source(int); filter(crap); destination(int); };


This also logs to a seperate file but removes the STATS redundancy. I only state that it's slightly less safe due to the remote possibility of matching against something you do want and dropping it.

If you don't want to log to a seperate file, you need to filter the syslog and message files, and leave internal() where it is. This should just involve altering the relevant filtering entries i.e.
Code:
filter f_syslog { not facility(auth, authpriv);
    and not match("]: STATS: dropped 0$");
};

filter f_messages { level(info .. warn)
    and not facility(auth, authpriv, cron, daemon, mail, news);
    and not match("]: STATS: dropped 0$");
};
Again there is a slight chance that you'll filter out something you need. If this is a concern you can log the redundant stuff to it's own file, just in case.

Edit: the following may be a better way of doing the last set of syslog-ng entries:
Code:
filter crap { not match("]: STATS: dropped 0$"); };
log { source(src); filter(f_syslog); filter(crap); destination(syslog); };
log { source(src); filter(f_messages); fiter(crap); destination(messages); };
This way you define the filter once and then apply it to both the syslog and message log line.

So this gives you four choices to filter out the redundant STATS line.
Back to top
View user's profile Send private message
bravecobra
Tux's lil' helper
Tux's lil' helper


Joined: 26 Dec 2002
Posts: 130
Location: Planet Earth (sometimes)

PostPosted: Fri Jul 09, 2004 1:36 am    Post subject: Reply with quote

Cool tnx. I'll surely try them.
_________________
Brave Cobra
http://www.bravecobra.com
Back to top
View user's profile Send private message
RaaR
Tux's lil' helper
Tux's lil' helper


Joined: 24 Jul 2003
Posts: 125

PostPosted: Tue Jul 13, 2004 8:36 pm    Post subject: Reply with quote

bravecobra wrote:
I'm getting a syntax error when adding that option.
Code:
# /etc/init.d/syslog-ng restart
 * WARNING:  you are stopping a boot service.
 * Stopping dcron...                                                                                                                                 [ok]
 * Stopping syslog-ng...                                                                                                                             [ok]
 * Starting syslog-ng...
syntax error at 9
Parse error reading configuration file, exiting. (line 9)
 * Failed to start syslog-ng                                                                                                                         [!!]


Where it says stats_freq, change it to just stats. That should fix it.
Back to top
View user's profile Send private message
Tuinslak
Tux's lil' helper
Tux's lil' helper


Joined: 26 Nov 2003
Posts: 129
Location: Belgium

PostPosted: Thu Sep 15, 2005 9:38 pm    Post subject: Reply with quote

I used the Gentoo security howto, and the example syslog-ng config. And I started to receive such messages in my inbox every hour.

RaaR wrote:
bravecobra wrote:
I'm getting a syntax error when adding that option.
Code:
# /etc/init.d/syslog-ng restart
 * WARNING:  you are stopping a boot service.
 * Stopping dcron...                                                                                                                                 [ok]
 * Stopping syslog-ng...                                                                                                                             [ok]
 * Starting syslog-ng...
syntax error at 9
Parse error reading configuration file, exiting. (line 9)
 * Failed to start syslog-ng                                                                                                                         [!!]


Where it says stats_freq, change it to just stats. That should fix it.


Yes, this worked. Thanks. :p

Code:
options { long_hostnames(off); sync(0); stats(0); };

_________________
Tuinslak
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum