Reputation: 35
rsyslog - Turning $RepeatedMsgReduction off completely
Currently, $RepeatedMsgReduction is set to on in my Docker image. This image acts as a base image for several other Docker images.
What would be the impacts of turning this off, especially in a loaded environment? Logs are sent to ElasticSearch so in a loaded environment where there might be high logging, would this turning this off have a significant impact since several Kubernetes use the base image, and therefore would inherit the $RepeatedMsgReduction setting?
Upvotes: 0
Views: 77
Answers (1)
Reputation: 717
Turning $RepeatedMsgReduction off (default setting) ensures every log message is written, even if identical messages are repeated. This may increase log volume in high-traffic environments. However, enabling this feature ($RepeatedMsgReduction on) to suppress repeated logs is not recommended in modern environments. As noted on the rsyslog documentation, it is considered outdated because modern log analysis tools rely on seeing each individual log event and cannot handle the “Last line repeated n times” log event, which was more suitable for manual log reviews in the past.
This directive models old sysklogd legacy. Note that many people, including the rsyslog authors, consider this to be a misfeature.
Upvotes: 0
Related Questions
- rsyslog not creating log file
- Logstash cannot connect to Elasticsearch when using Docker
- Program in docker logging with syslog does not generate log files
- Elasticsearch 6.3.0 on Kubernetes
- Rsyslog parsing issue - no header in syslog message that is sent to Rsyslog
- Elasticsearch on Kubernetes - best practice
- Mysterious Filebeat 7 X-Pack issue using Docker image
- Java app in Docker container does not log to syslog properly