[rsyslog] Feedback requested "Last message logged n times"...

Rainer Gerhards rgerhards at hq.adiscon.com
Tue Mar 25 10:52:29 CET 2008


Pluging... well, that depends on the use cases. I am trying to identify
the actual use cases, so far I found the one with flooding/attack. The
problem is that the current logic can not be moved to a plugin because
it is right at the most inner workings of the engine. If we can identify
the actual use cases, things will probably be much easier to work with.

For example, I currently think that I can build an optional interface
that enables flood-controlling inputs and reducing messages if some
condition is given there. Note, however, that this is different from
current logic, where the flood control only applies to some outputs,
because the output decides if it can work with the repeated lines.

The bottom line is that I think there are some valid use cases, we just
don't know about them. The current implementation/idea is soooo bad
because we don't know what we really need to do. So identifying the
actual use cases is the priority and then doing a good design that
covers them.

I'll probably follow advise from the loganalysis mailing list and change
the default to not do the "last message..." processing. Then, see who
complains and if nobody does drop the feature.

It would also be extremely useful to know *why* people are unhappy (uses
cases ;)), instead of just knowing they are... Can you shed some light
on that?

Thanks for all your help,
Rainer

> -----Original Message-----
> From: Peter Vrabec [mailto:pvrabec at redhat.com]
> Sent: Tuesday, March 25, 2008 10:47 AM
> To: rsyslog at lists.adiscon.com
> Cc: Rainer Gerhards
> Subject: Re: [rsyslog] Feedback requested "Last message logged n
> times"...
> 
> Hi folks,
> 
> I talked with some people, and nobody is happy with removing this
thing
> from
> rsyslog. Won't be possible to move it to separate plug-in?
> 
> On Monday 24 March 2008 10:25:55 pm Rainer Gerhards wrote:
> > Hi all,
> >
> > I now have a use case where the "last message..." prevents sources
> from
> > flooding syslog. But now on to a different use case: does someone
> > actually use this feature to reduce the size of files or network
> > traffic? Except, of course, in cases where there is a message flood
> due
> > to either attact or a misbehaving source (these need to be treated
> > differentely - I am right now after the *destination* message
> > compression...).
> >
> > Thanks,
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com
> > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Peter
> Vrabec
> > > Sent: Tuesday, March 18, 2008 3:24 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] Feedback requested "Last message
> > > logged n times"...
> > >
> > > On Tuesday 18 March 2008 02:11:15 pm Gerrard Geldenhuis wrote:
> > > > The only arguments for keeping the feature that I got on my
> > >
> > > lug was the
> > >
> > > > preservartion of disk/network IO.
> > > >
> > > > I think to prevent DOS attacks is a valid argument but as
> > >
> > > you said can
> > >
> > > > be easily circumvented by randomizing messages.
> > >
> > > I'm afraid it's not true in all cases. What if you do DOS
> > > attach not directly
> > > to do rsyslog, but via other daemon. In situation when you
> > > can't send message
> > > directly to syslog, but you can make some daemon generate
> > > message for you.
> > > This message would be probably always the same content.
> > >
> > > > To safeguard against dos attacks you could have a monitor
> > >
> > > that monitors
> > >
> > > > for extra ordinary amount of traffic and then generate a snmp
> trap.
> > > > Whether that should be a rsyslog plugin or part of other
software
> is
> > > > open to debate.
> > > >
> > > > Regards
> > > >
> > > > > -----Original Message-----
> > > > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > > > bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > > > > Sent: 18 March 2008 11:42
> > > > > To: rsyslog-users
> > > > > Subject: Re: [rsyslog] Feedback requested "Last message logged
> n
> > > >
> > > > times"...
> > > >
> > > > > Good discussion, thanks all :) ... some more points below ...
> > > > >
> > > > > > > I have asked the question on a local lug to get some more
> > > >
> > > > opinions.
> > > >
> > > > > I
> > > > >
> > > > > > > will post the results if any here.
> > > > > >
> > > > > > I did the same. :)
> > > > > >
> > > > > > The only arguments against removal I have received
> > >
> > > until now were:
> > > > > > 1. DoS  (but nobody explained how)
> > > > >
> > > > > I think this is along the lines of making it easy to flood the
> log
> > > >
> > > > with
> > > >
> > > > > similar messages. If that's the case, I think it is a (too)
> weak
> > > > > argument because an attacker could easily include a random
> pattern
> > > > > inside the message.
> > > > >
> > > > > HOWEVER, the current logic indeed prevents flooding the
> > >
> > > log from equal
> > >
> > > > > messages, e.g. if a process runs wild.
> > > > >
> > > > > > 2. cleanness of logs (relative)
> > > > > >
> > > > > > I'm thinking about forwarding discussion to fedora-devel :)
> > > > >
> > > > > Excellent.
> > > > >
> > > > > Maybe there are also alternatives to the current
> > >
> > > behavior, something
> > >
> > > > in
> > > >
> > > > > between. Right now, the core engine does this, so the
reduction
> > > > > capability is inherent to every action (except if an action
> > > >
> > > > specifically
> > > >
> > > > > forbids it, because it can not intelligently handle it -
> > >
> > > e.g. database
> > >
> > > > > writers). So it applies to  forwarding, snmp, whatever, ...
One
> > > > > alternative would be to remove it from the core engine and
move
> it
> > > >
> > > > into
> > > >
> > > > > the *file write* output plugin (omfile). This has its
> > >
> > > subtleties, too,
> > >
> > > > > so I don't like to take that approach lightly. Plus, it than
> means
> > > >
> > > > that
> > > >
> > > > > the network may become spammed. I think one core requirement
is
> to
> > > >
> > > > find
> > > >
> > > > > people who actually *intentionally* use this feature and
> > >
> > > ask for their
> > >
> > > > > reasoning. That will probably be the best way to tell us
> > >
> > > if its really
> > >
> > > > > needed. And, of course, we need to weigh the negative
> > >
> > > effects of it
> > >
> > > > > against these con-points.
> > > > >
> > > > > Rainer
> > > > > _______________________________________________
> > > > > rsyslog mailing list
> > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > >
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> 




More information about the rsyslog mailing list