[opensuse] I can not filter out some systemd messages in syslog
Hi,

I have this in "/etc/rsyslog.conf":

    if ($programname == 'named' or $syslogtag == '[named]:') \
        then -/var/log/named
    & stop

    ...

    if ($msg contains 'Started Session' and $msg contains 'of user') \
        then -/var/log/systemdpurged
    & stop

    #
    # the rest in one file
    #
    *.*;mail.none;news.none -/var/log/messages

I get the expected entries in "/var/log/systemdpurged":

    <3.6> 2014-03-01 16:30:01 Telcontar systemd 1 - - Started Session 93 of user cer.
    <3.6> 2014-03-01 16:33:01 Telcontar systemd 1 - - Started Session 94 of user news.

But I'm also getting them in "/var/log/messages":

    <3.6> 2014-03-01 16:30:01 Telcontar systemd 1 - - Starting Session 93 of user cer.
    <3.6> 2014-03-01 16:33:01 Telcontar systemd 1 - - Starting Session 94 of user news.

And they should not be there.

So the "stop" line for those systemd entries is not acting. However, it works for other sections, like the "named" section shown above, and others I do not show for clarity.

Are systemd entries special?

--
Cheers
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Saturday, 2014-03-01 at 16:43 +0100, Carlos E. R. wrote:

> So the "stop" line for those systemd entries is not acting. However, it works for other sections, like the "named" section shown above, and others I do not show for clarity.
>
> Are systemd entries special?

I now have:

    if ($msg contains 'Started Session' and $msg contains 'of user') \
        then -/var/log/systemdpurged
    & stop

    if ($programname == 'xinetd' or $syslogtag == '[xinetd]:') then -/var/log/xinetd.log
    & stop

    #
    # the rest in one file
    #
    *.*;mail.none;news.none -/var/log/messages

I get the expected entries in xinetd.log and systemdpurged.

The xinetd entries do not appear in /var/log/messages, but the systemd entries do. The stop clause is ignored for them:

    <3.6> 2014-03-01 17:13:01 Telcontar systemd 1 - - Starting Session 107 of user news.
    <3.6> 2014-03-01 17:15:02 Telcontar systemd 1 - - Starting Session 108 of user root.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

A year ago, on Saturday, 2014-03-01 at 17:22 +0100, I wrote:

> On Saturday, 2014-03-01 at 16:43 +0100, I wrote:
>
>> So the "stop" line for those systemd entries is not acting. However, it works for other sections, like the "named" section shown above, and others I do not show for clarity.
>>
>> Are systemd entries special?
>
> I now have:
>
>     if ($msg contains 'Started Session' and $msg contains 'of user') \
>         then -/var/log/systemdpurged
>     & stop
>
>     if ($programname == 'xinetd' or $syslogtag == '[xinetd]:') then -/var/log/xinetd.log
>     & stop
>
> I get the expected entries in xinetd.log and systemdpurged.
>
> The xinetd entries do not appear in /var/log/messages, but the systemd entries do. The stop clause is ignored for them:
>
>     <3.6> 2014-03-01 17:13:01 Telcontar systemd 1 - - Starting Session 107 of user news.
>     <3.6> 2014-03-01 17:15:02 Telcontar systemd 1 - - Starting Session 108 of user root.

I suddenly noticed that there are two very similar entries:

    <3.6> 2016-05-17 04:10:01 Telcontar systemd 1 - - Starting Session 21475 of user wwwrun.
    <3.6> 2016-05-17 04:10:01 Telcontar systemd 1 - - Started Session 21475 of user wwwrun.
    <3.6> 2016-05-17 04:15:01 Telcontar systemd 1 - - Starting Session 21478 of user news.
    <3.6> 2016-05-17 04:15:01 Telcontar systemd 1 - - Started Session 21478 of user news.

I simply have to filter both "Starting" and "Started".

Sigh. A year long problem finally solved!

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
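
The resolution in the last message, modelled offline as an added example (not part of the original posts, and not rsyslog code): a small Python stand-in for the ordered `if ... then file` / `& stop` rules, run over the message bodies quoted in the thread. The helper names and the xinetd sample line are assumptions made for the example, and the xinetd rule is simplified to a program-name match.

```python
CATCH_ALL = "/var/log/messages"   # stands in for the final *.* rule (facility exclusions ignored)
PURGED = "/var/log/systemdpurged"
XINETD = "/var/log/xinetd.log"

# (program name, message body): systemd bodies are from the thread, the xinetd line is constructed.
SAMPLE = [
    ("systemd", "Starting Session 21475 of user wwwrun."),
    ("systemd", "Started Session 21475 of user wwwrun."),
    ("xinetd", "START: ftp pid=4242 from=192.0.2.10"),
]

def contains_rule(dest, any_of, all_of=()):
    """Model of `if ($msg contains A or ...) and ($msg contains B ...) then dest & stop`."""
    def match(prog, msg):
        # Python's `in` is a case-sensitive substring test, like rsyslog's `contains`.
        return any(s in msg for s in any_of) and all(s in msg for s in all_of)
    return dest, match

def program_rule(dest, name):
    """Model of `if $programname == name then dest & stop` (syslogtag alternative omitted)."""
    return dest, (lambda prog, msg: prog == name)

def route(rules, records):
    """Walk the rules in order; the first match files the record and stops.
    Anything that no rule stops reaches the catch-all file."""
    routed = {}
    for prog, msg in records:
        target = CATCH_ALL
        for dest, match in rules:
            if match(prog, msg):
                target = dest
                break
        routed.setdefault(target, []).append(msg)
    return routed

def leaked(rules, records=SAMPLE):
    """Message bodies that still end up in /var/log/messages."""
    return route(rules, records).get(CATCH_ALL, [])

# Rule set as posted in 2014: only 'Started Session' is matched.
ORIGINAL = [contains_rule(PURGED, ["Started Session"], ["of user"]),
            program_rule(XINETD, "xinetd")]
# Rule set after the 2016 finding: both message variants are matched.
FIXED = [contains_rule(PURGED, ["Starting Session", "Started Session"], ["of user"]),
         program_rule(XINETD, "xinetd")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "leaks to", CATCH_ALL, "->", leaked(rules))
```

Replaying real lines from /var/log/messages through `leaked()` before editing rsyslog.conf shows which near-duplicate messages a substring filter still lets through.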