Reducing Excessive Event Logging
Event logging (evlogd) is a shared medium that captures event messages sent by StarOS facilities. When one or more facilities continuously and overwhelmingly keep sending a high volume of event messages, the remaining non-offender facilities are impacted. This scenario degrades system performance, especially as the number of facilities generating logs increases.
Rate-control of event message logging is handled in the Log Source path. Essentially, every second a counter is set to zero and is incremented for each log event that is sent to evlogd. If the count reaches a threshold before the second is up, the event is sent, queued, or dropped (if the evlogd messenger queue is full).
When any facility exceeds the upper threshold set with this command for the rate of message logging and remains in the same state for prolonged interval, StarOS notifies the user through an SNMP trap or alarm.
A new threshold command allows you to specify the percentage of facility event queue full. When this threshold is exceeded, an SNMP trap and alarm are generated that specifies the offending facility.
The formats for the SNMP traps that are associated with this command are as follows:
-
ThreshLSLogsVolume
<timestamp> Internal trap notification <trap_id> (ThreshLSLogsVolume) threshold <upper_percent>% measured value <actual_percent>% for facility <facility_name> instance <instance_id>
-
ThreshClearLSLogsVolume
<timestamp> Internal trap notification <trap_id> (ThreshClearLSLogsVolume) threshold <upper_percent>% measured value <actual_percent>% for facility <facility_name> instance <instance_id>
If a trigger condition occurs within the polling interval, the alert or alarm is not generated until the end of the polling interval.
Both traps can be enabled or suppressed through the Global Configuration mode snmp trap command.