[opensuse-factory] [Leap 42.1] Problem with filtering out some excessive syslog messages in rsyslog
Hi,

I notice a huge amount of messages from gdm-x-session in /var/log/messages, and I'm trying to filter them out:

2015-10-02T14:04:09.303403+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: The XKEYBOARD keymap compiler (xkbcomp) reports:
2015-10-02T14:04:09.304445+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Warning: Type "ONE_LEVEL" has 1 levels, but <RALT> has 2 symbols
2015-10-02T14:04:09.304943+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Ignoring extra symbols
2015-10-02T14:04:09.305909+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: Errors from xkbcomp are not fatal to the X server
2015-10-02T14:04:09.340418+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: The XKEYBOARD keymap compiler (xkbcomp) reports:
2015-10-02T14:04:09.341218+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Warning: Type "ONE_LEVEL" has 1 levels, but <RALT> has 2 symbols
2015-10-02T14:04:09.341730+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Ignoring extra symbols
2015-10-02T14:04:09.342606+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: Errors from xkbcomp are not fatal to the X server

+++---------------------------------
So I write this section in /etc/rsyslog.conf and restart rsyslog:

if ($programname contains 'gdm-x-session') and ($syslogseverity <= 4 /* warning */ ) \
then {
    -/var/log/gdmlog.warn
}
if ($programname contains 'gdm-x-session') \
then {
    -/var/log/gdmlog
    stop
}

#
# Warnings in one file
#
*.=warning;*.=err       -/var/log/warn
*.crit                   /var/log/warn

#
# the rest in one file
#
*.*;mail.none;news.none -/var/log/messages
---------------------------------++-

The idea is that entries that come from "gdm-x-session" go to another file, not to "/var/log/warn" nor "/var/log/messages". But they don't, the rule is doing nothing. :-?

Similar rules in 13.1 work.

--
Cheers,
Carlos E. R.
On Friday 02 October 2015 14:12:50, Carlos E. R. wrote:
> Hi,
>
> I notice a huge amount of messages from gdm-x-session in /var/log/messages, and I'm trying to filter them out:
>
> 2015-10-02T14:04:09.303403+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: The XKEYBOARD keymap compiler (xkbcomp) reports:
> 2015-10-02T14:04:09.304445+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Warning: Type "ONE_LEVEL" has 1 levels, but <RALT> has 2 symbols
> 2015-10-02T14:04:09.304943+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Ignoring extra symbols
> 2015-10-02T14:04:09.305909+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: Errors from xkbcomp are not fatal to the X server
> 2015-10-02T14:04:09.340418+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: The XKEYBOARD keymap compiler (xkbcomp) reports:
> 2015-10-02T14:04:09.341218+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Warning: Type "ONE_LEVEL" has 1 levels, but <RALT> has 2 symbols
> 2015-10-02T14:04:09.341730+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: > Ignoring extra symbols
> 2015-10-02T14:04:09.342606+02:00 Eleanor-421 /usr/lib/gdm/gdm-x-session[1628]: Errors from xkbcomp are not fatal to the X server
>
> +++---------------------------------
> So I write this section in /etc/rsyslog.conf and restart rsyslog:
>
> if ($programname contains 'gdm-x-session') and ($syslogseverity <= 4 /* warning */ ) \
> then {
>     -/var/log/gdmlog.warn
> }
> if ($programname contains 'gdm-x-session') \
> then {
>     -/var/log/gdmlog
>     stop
> }
>
> #
> # Warnings in one file
> #
> *.=warning;*.=err       -/var/log/warn
> *.crit                   /var/log/warn
>
> #
> # the rest in one file
> #
> *.*;mail.none;news.none -/var/log/messages
> ---------------------------------++-
>
> The idea is that entries that come from "gdm-x-session" go to another file, not to "/var/log/warn" nor "/var/log/messages". But they don't, the rule is doing nothing.
>
> :-?
>
> Similar rules in 13.1 work.
>
> --
> Cheers,
> Carlos E. R.
Your filters should be entirely one line each.

--
Gertjan Lettink, a.k.a. Knurpht
Official openSUSE Member
openSUSE Forums Team
On 2015-10-02 15:54, Knurpht - Gertjan Lettink wrote:
> Your filters should be entirely one line each.
No, that's not so. I have this working filter on 13.1:

if ($programname startswith 'org.gtk.' and $msg contains '### debug:') or ($programname startswith 'org.gtk.vfs.Daemon') or ($programname startswith 'org.freedesktop.Tracker1') \
or ($programname startswith 'org.gnome.evince.Daemon' and ($msg contains 'egisterDocument' or $msg contains 'Watch name')) \
or ($programname startswith 'org.gnome.zeitgeist.Engine') \
or ($programname startswith 'org.xfce.FileManager' and ($msg contains 'fixme:' )) \
or ($programname == 'systemd' and ($msg contains 'Failed to open private bus connection: Failed to connect to socket' )) \
then -/var/log/pruned
& stop

Notice the "\" symbol at the end of each line: it signifies it continues on the next.

Or this other rule, in the original LEAP file:

#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
    -/var/log/firewall
    stop
}

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On Friday 02 October 2015 17:22:19, Carlos E. R. wrote:
> On 2015-10-02 15:54, Knurpht - Gertjan Lettink wrote:
>> Your filters should be entirely one line each.
>
> No, that's not so.
It is. Have a look at the line containing "then {" and so on. Notice the missing "\" symbol at the end of the line.
> I have this working filter on 13.1:
>
> if ($programname startswith 'org.gtk.' and $msg contains '### debug:') or ($programname startswith 'org.gtk.vfs.Daemon') or ($programname startswith 'org.freedesktop.Tracker1') \
> or ($programname startswith 'org.gnome.evince.Daemon' and ($msg contains 'egisterDocument' or $msg contains 'Watch name')) \
> or ($programname startswith 'org.gnome.zeitgeist.Engine') \
> or ($programname startswith 'org.xfce.FileManager' and ($msg contains 'fixme:' )) \
> or ($programname == 'systemd' and ($msg contains 'Failed to open private bus connection: Failed to connect to socket' )) \
> then -/var/log/pruned
> & stop
>
> Notice the "\" symbol at the end of each line: it signifies it continues on the next.
>
> Or this other rule, in the original LEAP file:
>
> #
> # firewall messages into separate file and stop their further processing
> #
> if ($syslogfacility-text == 'kern') and \
>    ($msg contains 'IN=' and $msg contains 'OUT=') \
> then {
>     -/var/log/firewall
>     stop
> }
--
Gertjan Lettink, a.k.a. Knurpht
Official openSUSE Member
openSUSE Forums Team
On 2015-10-03 12:32, Knurpht - Gertjan Lettink wrote:
> On Friday 02 October 2015 17:22:19, Carlos E. R. wrote:
>> On 2015-10-02 15:54, Knurpht - Gertjan Lettink wrote:
>>> Your filters should be entirely one line each.
>>
>> No, that's not so.
>
> It is. Have a look at the line containing "then {" and so on. Notice the missing "\" symbol at the end of the line.
Let me see.

if ($programname contains 'gdm-x-session') and ($syslogseverity <= 4 /* warning */ ) \
then {
    -/var/log/gdmlog.warn
}

Now, compare with an original filter from the distribution:

if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
    -/var/log/firewall
    stop
}

As you can see, there are no backslashes after the "then {". If it works on the distribution rule, why not on mine?

The other rule is

if ($programname contains 'gdm-x-session') \
then -/var/log/gdmlog
& stop

In 13.1 I have a bunch of similar rules:

if ($syslogfacility-text == 'mail') and ($programname == 'spamd' or $syslogtag == '[spamd]:') and \
($msg contains_i 'Use of each() on hash after insertion without resetting hash iterator results in undefined behavior') \
then -/var/log/pruned.warn
& stop

As you can see, there is no backslash after the "then", and it works perfectly.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 2015-10-03 17:20, Carlos E. R. wrote:
> On 2015-10-03 12:32, Knurpht - Gertjan Lettink wrote:
>> On Friday 02 October 2015 17:22:19, Carlos E. R. wrote:
>>> On 2015-10-02 15:54, Knurpht - Gertjan Lettink wrote:
>>>> Your filters should be entirely one line each.
>>>
>>> No, that's not so.
>>
>> It is. Have a look at the line containing "then {" and so on. Notice the missing "\" symbol at the end of the line.
>
> Let me see.
>
> if ($programname contains 'gdm-x-session') and ($syslogseverity <= 4 /* warning */ ) \
> then {
>     -/var/log/gdmlog.warn
> }
Anyway, I changed to:

if ($programname contains 'gdm-x-session') and ($syslogseverity <= 4 /* warning */ ) \
then { \
    -/var/log/gdmlog.warn
}
if ($programname contains 'gdm-x-session') \
then -/var/log/gdmlog \
& stop

And it does nothing.

No errors detected by "rsyslogd -N 2 -f /etc/rsyslog.conf".
No errors produced on rsyslog restart.
No alteration of the log entries.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
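
Added example, not part of the thread and not rsyslog's own code: the tag in the quoted log lines starts with "/", and rsyslog's property documentation says programname is the part of the tag before the first ":", "[" or "/", so an absolute-path tag leaves it empty. The sketch below applies that rule to a line from the thread and to one constructed line; the function names are hypothetical, and the routing function only models the thread's "contains ... stop" rule.

```python
import re

# Layout of the lines quoted in the thread: timestamp, host, tag, message.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$')

SAMPLES = [
    # Copied from the thread.
    '2015-10-02T14:04:09.303403+02:00 Eleanor-421 '
    '/usr/lib/gdm/gdm-x-session[1628]: The XKEYBOARD keymap compiler (xkbcomp) reports:',
    # Constructed for comparison: a tag without a path.
    '2015-10-02T14:04:10.000000+02:00 Eleanor-421 named[12345]: constructed sample',
]


def programname(tag):
    """Static part of the tag, cut at ':', '[', '/' or a non-printable
    character, whichever comes first (the rule rsyslog documents)."""
    out = []
    for ch in tag:
        if ch in ':[/' or not ch.isprintable():
            break
        out.append(ch)
    return ''.join(out)


def properties(line):
    """Split one log line into the two properties a filter could test."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError('unrecognised line: %r' % line)
    tag = m.group('tag')
    return {'syslogtag': tag, 'programname': programname(tag)}


def route(line, prop, needle='gdm-x-session'):
    """Destination under the thread's rules if `contains` tests `prop`:
    a match goes to gdmlog and stops, anything else falls through."""
    if needle in properties(line)[prop]:
        return '/var/log/gdmlog'
    return '/var/log/messages'


if __name__ == '__main__':
    for line in SAMPLES:
        p = properties(line)
        print(repr(p['programname']), p['syslogtag'],
              route(line, 'programname'), route(line, 'syslogtag'))
```

In rsyslog.conf terms, the property to compare against for such tags is $syslogtag (already used in the spamd rule quoted above) rather than $programname.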