On Monday, 2014-07-07 at 08:24 -0500, Christopher Myers wrote:
Hi all,
I've got two entries in my openSuSE syslog that recur regularly as a result of my rsnapshot backups, and I'd like to filter them out to separate logs:
Jul 6 00:00:04 homestead kernel: [1997899.754678] EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: (null)
Jul 6 00:01:26 homestead rsnapshot[15224]: /usr/bin/rsnapshot hourly: completed successfully

I've been able to get the logs going to a separate location successfully by adding these lines to my rsyslog.conf file:

rsnapshot.* -/var/log/rsnapshot
kernel.* -/var/log/kernel
However, when rsyslog starts up, it gives this error:
Jun 12 20:45:52 homestead rsyslogd-3000: unknown facility name "rsnapshot"
Yes, because you cannot have this line:

rsnapshot.* -/var/log/rsnapshot

The first word is not arbitrary, it has to be a "facility", and there is a closed list of facilities and it cannot be modified (unless the kernel people decide to do so):

#CER: facility syslog(3) and /usr/include/sys/syslog.h
#define LOG_KERN (0<<3) /* kernel messages */ kernel messages (these can't be generated from user processes)
#define LOG_USER (1<<3) /* random user-level messages */ (default)
#define LOG_MAIL (2<<3) /* mail system */ mail subsystem
#define LOG_DAEMON (3<<3) /* system daemons */ system daemons without separate facility value
#define LOG_AUTH (4<<3) /* security/authorization messages */ security/authorization messages
#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */ messages generated internally by syslogd(8)
#define LOG_LPR (6<<3) /* line printer subsystem */ line printer subsystem
#define LOG_NEWS (7<<3) /* network news subsystem */ USENET news subsystem
#define LOG_UUCP (8<<3) /* UUCP subsystem */ UUCP subsystem
#define LOG_CRON (9<<3) /* clock daemon */ clock daemon (cron and at)
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */ security/authorization messages (private)
#define LOG_FTP (11<<3) /* ftp daemon */ ftp daemon
#/* other codes through 15 reserved for system use */ reserved for local use
#define LOG_LOCAL0 (16<<3) /* reserved for local use */
#define LOG_LOCAL1 (17<<3) /* reserved for local use */
#define LOG_LOCAL2 (18<<3) /* reserved for local use */
#define LOG_LOCAL3 (19<<3) /* reserved for local use */
#define LOG_LOCAL4 (20<<3) /* reserved for local use */
#define LOG_LOCAL5 (21<<3) /* reserved for local use */
#define LOG_LOCAL6 (22<<3) /* reserved for local use */
#define LOG_LOCAL7 (23<<3) /* reserved for local use */
#define LOG_NFACILITIES 24 /* current number of facilities */

What you need is something like this instead:

if ($programname == 'xinetd' or $syslogtag == '[xinetd]:') then -/var/log/xinetd.log
& stop

but changing the words and file. To that, you could add the proper facility check, which you have to find out first which one it is, because the test for facility is faster in run time (number, not string).
Now I'm trying to get them to not show up in /var/log/messages. I had thought that I could add like ";kernel.none;rsnapshot.none" to this line:
No, because "rsnapshot" is not a facility.
I've done a ton of Google searches and haven't seemed to find anything useful up to this point; from what I've been reading, this should work.
And where did you read you could use any word as "facility"? :-)

-- 
Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
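
Added example, not part of the original message and not rsyslog's own code: a small Python model of the point made in the reply, showing that the facility is a number packed into the message priority (the `(N<<3)` values listed above) while the program name lives in the tag, so "rsnapshot" can only be matched as a program name. The PRI values in the sample messages are constructed (the thread does not say which facility rsnapshot logs with), and `program_name` is a simplified stand-in for what `$programname` tests.

```python
import re

# Selector facility names; the numbers match the (N<<3) defines in syslog.h.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split a PRI value into (facility number, severity name)."""
    return pri >> 3, SEVERITIES[pri & 7]

def check_selector(selector):
    """Validate the facility part of a 'facility.priority' selector."""
    facility = selector.split(".", 1)[0]
    if facility != "*" and facility not in FACILITIES:
        raise ValueError(f'unknown facility name "{facility}"')
    return facility

def program_name(tag):
    """Simplified: the tag up to the first '[' or ':'."""
    return re.split(r"[\[:]", tag, maxsplit=1)[0]

def route(pri, tag):
    """Program-name match first, then the numeric facility test."""
    facility, _severity = decode_pri(pri)
    if program_name(tag) == "rsnapshot":   # string comparison on the tag
        return "/var/log/rsnapshot"
    if facility == FACILITIES["kern"]:     # integer comparison on the facility
        return "/var/log/kernel"
    return "/var/log/messages"

# Constructed sample messages: (PRI, tag, text).
SAMPLES = [
    (6, "kernel:", "EXT4-fs (dm-6): mounted filesystem with ordered data mode."),
    (14, "rsnapshot[15224]:", "/usr/bin/rsnapshot hourly: completed successfully"),
    (30, "xinetd[812]:", "constructed line from another daemon"),
]

if __name__ == "__main__":
    for pri, tag, text in SAMPLES:
        print(decode_pri(pri), program_name(tag), "->", route(pri, tag))
    try:
        check_selector("rsnapshot.*")
    except ValueError as err:
        print("selector rejected:", err)
```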