  1. #1
    Just Joined!
    Join Date
    Feb 2013
    Posts
    3

    Duplicate logs in /var/log/messages


    I am having an issue where all the logs for my server are written twice consecutively in /var/log/messages. Because the application running on this server requires a lot of disk I/O, having duplicate entries written to disk is causing a lot of events to be dropped due to the unnecessary load. I have increased the queue depth and increased the priority_boost, which has reduced the number of dropped events from about 20k/hour to less than 700/hour, but stopping the duplicate entries would solve the problem altogether.

    I have read about suppressing duplicate messages, but that solution appears to only apply to messages I define. Since ALL messages are written twice this would not work for me.

    Any help would be appreciated.

  2. #2
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,221
    Hi and welcome

    Can you please tell us the OS and OS version, as well as the syslog daemon implementation (syslog, syslog-ng, rsyslog) you are using?

    Off the top of my head, maybe there is an overlapping config.
    I.e., the facility and priority your application is using is picked up by two config lines with the same logfile as target.
    A snippet of the relevant config file(s) would help.

    Other than that:
    If your app requires a lot of IO and logging is high enough to influence it, then it makes sense to decouple app and logging by using different spindles/raids.
    You must always face the curtain with a bow.

  3. #3
    Just Joined!
    Join Date
    Feb 2013
    Posts
    3
    I am running Red Hat 5.9 and I am running the syslog implementation.

    I just had my SA send me the syslog.conf file and here it is without comments.

    Code:
    *.info;mail.none;authpriv.none;cron.none	/var/log/messages
    
    authpriv.*  			/var/log/secure
    
    mail.*       			-/var/log/maillog
    
    cron.*      			/var/log/cron
    
    *.emerg    			*
    
    uucp,news.crit			/var/log/spooler
    
    local7.*			/var/log/boot.log
    
    auth,user.*			/var/log/messages
    
    auth.user.*;auth,user.!=debug	@loghost
    
    kern.*;kern.!=debug		@loghost
    
    daemon.*			/var/log/daemon.log
    
    syslog.*			/var/log/syslog
    
    lpr,news,uucp,local10,local1.*	/var/log/unused.log
    
    local2,local3,local4,local5,local6.*	/var/log/unused.log

  4. #4
    Trusted Penguin Irithori
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,221
    What facility/severity is your application sending to?
    From the config, e.g. user.info might potentially be responsible for the duplicates.

    Which could be easily fixed by introducing and using e.g. local0.* and an app-specific logfile /var/log/app.log exclusively for your application.
    You must always face the curtain with a bow.
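
Added example, not part of any post in this thread: a simplified model of sysklogd selector matching that lists every facility.priority pair delivered to the same target by more than one rule, run on three rules from the syslog.conf in post #3. The function names and the reduced matching rules (unknown facility or priority names are ignored) are assumptions of this example, not sysklogd's own code.

```python
from collections import defaultdict

# Three rules copied from the syslog.conf in post #3 (whitespace normalised).
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
auth,user.* /var/log/messages
"""
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def rule_mask(selectors):
    """Return {facility: set of priorities} accepted by one rule's selector list."""
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):  # selectors are applied left to right
        facs, _, pri = sel.rpartition(".")
        negate, exact = "!" in pri, "=" in pri
        pri = pri.lstrip("!=")
        if pri in ("none", "*"):
            prios = set(PRIORITIES) if pri == "*" else set()
        elif pri in PRIORITIES:  # "info" means info and anything more severe
            prios = {pri} if exact else set(PRIORITIES[:PRIORITIES.index(pri) + 1])
        else:
            continue  # unknown priority: ignored in this model
        names = facs.split(",")
        for f in (FACILITIES if "*" in names else [n for n in names if n in mask]):
            if pri in ("none", "*"):  # these overwrite the facility's whole mask
                mask[f] = set(PRIORITIES) - prios if negate else set(prios)
            else:
                mask[f] = mask[f] - prios if negate else mask[f] | prios
    return mask

def duplicate_targets(conf_text):
    """Return {(target, 'facility.priority'): rule count} for counts above 1."""
    hits = defaultdict(int)
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank, comment or malformed line
        target = parts[1].strip().lstrip("-")  # leading "-" only turns off sync
        for fac, prios in rule_mask(parts[0]).items():
            for p in prios:
                hits[(target, f"{fac}.{p}")] += 1
    return {k: n for k, n in hits.items() if n > 1}

if __name__ == "__main__":
    print(sorted(duplicate_targets(SAMPLE_CONF)))
```

On these three rules it reports auth and user at info and above as written to /var/log/messages twice, once through `*.info` and once through `auth,user.*`.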

  5. #5
    Just Joined!
    Join Date
    Feb 2013
    Posts
    3
    Our application does not send anything to syslog. It just generates a lot of disk I/O. If it helps at all, a lot of the duplicate events we see are of type "CRED_DISP," "USER_END," "USER_START," etc.
