Syslog line length statistic

Time for some useless statistics… Because I had to set some initial buffer sizes in syslogd I took a closer look at my log files. I used all logs from last month and counted the line lengths for every message to get an impression of real-life requirements on message/line lenghts.

Complete plot of line lengths

Complete plot: occurance count by line length

Detail (len250) from plot

Detail: occurance count for line lengths ≤ 250

As every real data set the selection is somewhat skewed. It includes Apache httpd access logs but no httpd error logs. The Windows logs are collected from NTSyslog but are non-representative because they include many WPKG debug messages. I also use ISO instead of BSD timestamps, so every line is 14 chars longer than with traditional syslogd; the timestamp, the hostname and a programname/tag use around 50 chars which is the minimum lenght here. The most notable artifact are the many long (>800 chars) messages. — These are syslog-ng log statistics from the logserver itself (used for monitoring).

Comments are closed.