[opensuse] syslog message cleanup
Hi all,

I've got two entries in my openSuSE syslog that recur regularly as a result of my rsnapshot backups, and I'd like to filter them out to separate logs:

    Jul 6 00:00:04 homestead kernel: [1997899.754678] EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: (null)
    Jul 6 00:01:26 homestead rsnapshot[15224]: /usr/bin/rsnapshot hourly: completed successfully

I've been able to get the logs going to a separate location successfully by adding these lines to my rsyslog.conf file:

    rsnapshot.*    -/var/log/rsnapshot
    kernel.*       -/var/log/kernel

However, when rsyslog starts up, it gives this error:

    Jun 12 20:45:52 homestead rsyslogd-3000: unknown facility name "rsnapshot"
    Jun 12 20:45:52 homestead rsyslogd: the last error occured in /etc/rsyslog.conf, line 142:"rsnapshot.* -/var/log/rsnapshot"

I'm OK with that error though, because the logs are going to the proper files. Now I'm trying to get them to not show up in /var/log/messages. I had thought that I could add something like ";kernel.none;rsnapshot.none" to this line:

    *.*;mail.none;news.none;cron.none    -/var/log/messages

but when I do that, it stops logging anything at all to /var/log/messages.

I've done a ton of Google searches and haven't seemed to find anything useful up to this point; from what I've been reading, this should work. Am I missing something?

Chris
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Monday, 2014-07-07 at 08:24 -0500, Christopher Myers wrote:
> Hi all,
>
> I've got two entries in my openSuSE syslog that recur regularly as a result of my rsnapshot backups, and I'd like to filter them out to separate logs:
>
>     Jul 6 00:00:04 homestead kernel: [1997899.754678] EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: (null)
>     Jul 6 00:01:26 homestead rsnapshot[15224]: /usr/bin/rsnapshot hourly: completed successfully
>
> I've been able to get the logs going to a separate location successfully by adding these lines to my rsyslog.conf file:
>
>     rsnapshot.*    -/var/log/rsnapshot
>     kernel.*       -/var/log/kernel
>
> However, when rsyslog starts up, it gives this error:
>
>     Jun 12 20:45:52 homestead rsyslogd-3000: unknown facility name "rsnapshot"
Yes, because you can not have this line:

    rsnapshot.*    -/var/log/rsnapshot

The first word is not arbitrary, it has to be a "facility", and there is a closed list of facilities that can not be modified (unless the kernel people decide to do so):

    #CER: facility names from syslog(3) and /usr/include/sys/syslog.h

    #define LOG_KERN        (0<<3)   /* kernel messages */                          -- kernel messages (these can't be generated from user processes)
    #define LOG_USER        (1<<3)   /* random user-level messages */               -- (default)
    #define LOG_MAIL        (2<<3)   /* mail system */                              -- mail subsystem
    #define LOG_DAEMON      (3<<3)   /* system daemons */                           -- system daemons without separate facility value
    #define LOG_AUTH        (4<<3)   /* security/authorization messages */          -- security/authorization messages
    #define LOG_SYSLOG      (5<<3)   /* messages generated internally by syslogd */ -- messages generated internally by syslogd(8)
    #define LOG_LPR         (6<<3)   /* line printer subsystem */                   -- line printer subsystem
    #define LOG_NEWS        (7<<3)   /* network news subsystem */                   -- USENET news subsystem
    #define LOG_UUCP        (8<<3)   /* UUCP subsystem */                           -- UUCP subsystem
    #define LOG_CRON        (9<<3)   /* clock daemon */                             -- clock daemon (cron and at)
    #define LOG_AUTHPRIV    (10<<3)  /* security/authorization messages (private) */ -- security/authorization messages (private)
    #define LOG_FTP         (11<<3)  /* ftp daemon */                               -- ftp daemon
                                     /* other codes through 15 reserved for system use */
    #define LOG_LOCAL0      (16<<3)  /* reserved for local use */                   -- reserved for local use
    #define LOG_LOCAL1      (17<<3)  /* reserved for local use */
    #define LOG_LOCAL2      (18<<3)  /* reserved for local use */
    #define LOG_LOCAL3      (19<<3)  /* reserved for local use */
    #define LOG_LOCAL4      (20<<3)  /* reserved for local use */
    #define LOG_LOCAL5      (21<<3)  /* reserved for local use */
    #define LOG_LOCAL6      (22<<3)  /* reserved for local use */
    #define LOG_LOCAL7      (23<<3)  /* reserved for local use */
    #define LOG_NFACILITIES 24       /* current number of facilities */

What you need is something like this instead:

    if ($programname == 'xinetd' or $syslogtag == '[xinetd]:') then -/var/log/xinetd.log
    & stop

but changing the words and file. To that, you could add the proper facility check, for which you first have to find out which facility it is, because the test for facility is faster at run time (number, not string).
> Now I'm trying to get them to not show up in /var/log/messages. I had thought that I could add something like ";kernel.none;rsnapshot.none" to this line:
No, because "rsnapshot" is not a facility.
> I've done a ton of Google searches and haven't seemed to find anything useful up to this point; from what I've been reading, this should work.
And where did you read that you could use any word as "facility"? :-)

-- 
Cheers,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Cool, thanks :)

At this point, I don't remember where I saw that what I was doing should work; I hadn't been searching using the terminology you used there, so it's possible that I had my wires crossed and was looking in the wrong places :/ If I can find where I was looking again, I'll pass it along; I do remember that the websites I was running into were mostly older (2008, 2010, etc.), so it's possible that I was looking at outdated information too.

Either way, thanks for your help. I'll give it a shot when I have some time, and hopefully it'll get things filtered out :)
On Monday, 2014-07-07 at 11:12 -0500, Christopher Myers wrote:
> Cool, thanks :)
Welcome.
> Either way, thanks for your help. I'll give it a shot when I have some time, and hopefully it'll get things filtered out :)
I had to play quite a bit with syslog, so I read some docs and tried many things. Meaning, I had to bump my head into the wall many times ;-)

Hint: if rsyslog does not restart after a change, try manually (as root):

    rsyslogd -n

Other interesting options would be:

    -d          Turns on debug mode. Using this the daemon will not proceed a fork(2) to set itself in the
                background, but opposite to that stay in the foreground and write much debug information
                on the current tty. See the DEBUGGING section for more information.

    -N level    Do a coNfig check. Do NOT run in regular mode, just check configuration file correctness.
                This option is meant to verify a config file. To do so, run rsyslogd interactively in
                foreground, specifying -f <config-file> and -N level. The level argument modifies
                behaviour. Currently, 0 is the same as not specifying the -N option at all (so this makes
                limited sense) and 1 actually activates the code. Later, higher levels will mean more
                verbosity (this is a forward-compatibility option).

    rsyslogd is started and controlled by init(8).

I have not tried this, but you could have an auxiliary config file, on which you do changes, and then do the check on it without restarting the working rsyslog daemon.

-- 
Cheers,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Cool, thanks again for your help!

Based on your comments, and some additional Googling, I ended up using these two lines of code to break out my rsnapshot events:

    if ($programname == 'rsnapshot' or $syslogtag == '[rsnapshot]') then -/var/log/rsnapshot.log
    if ($programname == 'rsnapshot' or $syslogtag == '[rsnapshot]') then ~

(the first one redirects the log entries, and the second one stops their processing.)

I did some testing, and found that you can indeed test a new config while the current one continues running. To do this, I copied my rsyslog.conf file to rsyslog.new, then made the changes, and tested using this command:

    rsyslogd -N 1 -c5 -d -f /etc/rsyslog.new

It outputs a ton of information, but does definitely help in troubleshooting mis-configurations.

Thanks again!
Chris
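To make the two points of the thread concrete (facilities are a closed numeric list encoded in the PRI field, so "rsnapshot.*" is rejected; routing per program is done with a property filter on the TAG plus a stop/discard action), here is a small model of that rsyslog behaviour. It is an added example written for this page, not code from the thread or from rsyslog. It assumes constructed input lines with the <PRI> prefix kept (lines in /var/log files do not carry it; 14 = user.info, 6 = kern.info, 78 = cron.info, 86 = authpriv.info), models only the facility side of a selector (no severity thresholds), and mirrors the rules from the thread. One detail the model makes visible: in selector syntax the kernel facility is spelled kern, so "kernel.*" and ";kernel.none" draw the same "unknown facility name" complaint as "rsnapshot". A security caveat the model also shows: $programname is whatever TAG the sending process chose, and the facility (except kern) is likewise chosen by the sender, so any local process that can write to /dev/log can label itself "rsnapshot" and have its lines dropped from /var/log/messages by the stop rule. Keep the dedicated file under the same retention and forwarding as the main log.

```python
"""Model of classic rsyslog selectors and property filters (added example,
not from the thread). PRI = facility*8 + severity; facility names are a
closed list, so 'rsnapshot.*' is rejected; routing by program uses the TAG."""
import re

# Closed facility list from <sys/syslog.h>: list index == facility number (PRI >> 3).
# Slots 12-15 are "reserved for system use" and have no selector name.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", None, None, None, None,
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def facility_code(name):
    """Numeric facility for a selector name; raises the way rsyslogd complains."""
    if name not in FACILITIES:
        raise ValueError('unknown facility name "%s"' % name)
    return FACILITIES.index(name)


def decode_pri(pri):
    """Split a PRI value (0..191) into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


# RFC 3164 style line with the PRI kept: <PRI>TIMESTAMP HOST TAG[PID]: MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


def parse(line):
    """Return the properties the thread's filters use ($programname, $syslogtag)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    pid = "[%s]" % m.group("pid") if m.group("pid") else ""
    return {"programname": m.group("tag"),            # TAG without pid
            "syslogtag": m.group("tag") + pid + ":",  # full TAG as sent
            "facility": facility, "severity": severity, "msg": m.group("msg")}


def selector(spec):
    """Compile 'fac.prio;fac.none;...' into a predicate on a parsed record.
    Only the facility side is modelled; every name is validated, which is
    where 'rsnapshot.*' and ';kernel.none' fail (the facility is 'kern')."""
    allowed, excluded = set(), set()
    for part in spec.split(";"):
        fac, _, prio = part.partition(".")
        if fac == "*":
            facs = [f for f in FACILITIES if f]
        else:
            facility_code(fac)          # raises for names that are not facilities
            facs = [fac]
        (excluded if prio == "none" else allowed).update(facs)
    return lambda rec: rec["facility"] in allowed and rec["facility"] not in excluded


def selector_error(spec):
    """rsyslogd-style complaint for a bad selector line, or None if it parses."""
    try:
        selector(spec)
    except ValueError as err:
        return str(err)
    return None


def route(lines, rules):
    """Apply (predicate, target_file, stop) rules in order, like rsyslog.conf.
    target None with stop=True is the old '~' discard; stop=True after a
    write is the '& stop' suggested in the thread."""
    files = {}
    for line in lines:
        rec = parse(line)
        for matches, target, stop in rules:
            if matches(rec):
                if target:
                    files.setdefault(target, []).append(rec["msg"])
                if stop:
                    break
    return files


# Rules mirroring the thread: by $programname with stop, kern.* to its own file,
# then the usual catch-all for /var/log/messages.
RULES = [
    (lambda r: r["programname"] == "rsnapshot", "/var/log/rsnapshot.log", True),
    (selector("kern.*"), "/var/log/kernel", True),
    (selector("*.*;mail.none;news.none;cron.none"), "/var/log/messages", False),
]

# Constructed input: the two lines from the post, plus cron, sshd, and a process
# that merely claims the rsnapshot tag (any local writer to /dev/log can do this).
SAMPLE = [
    "<6>Jul  6 00:00:04 homestead kernel: [1997899.754678] EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: (null)",
    "<14>Jul  6 00:01:26 homestead rsnapshot[15224]: /usr/bin/rsnapshot hourly: completed successfully",
    "<78>Jul  6 00:05:01 homestead CRON[15300]: (root) CMD (run-parts /etc/cron.hourly)",
    "<14>Jul  6 00:06:00 homestead rsnapshot[4242]: any local process can wear this tag and vanish from messages",
    "<86>Jul  6 00:07:12 homestead sshd[15400]: Accepted publickey for chris from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    print(selector_error("rsnapshot.*"))
    print(selector_error("*.*;kernel.none;rsnapshot.none"))
    for path, msgs in sorted(route(SAMPLE, RULES).items()):
        print(path, len(msgs))
```

Running it reports the same complaint rsyslogd gave for line 142, shows that the catch-all with ";kernel.none" fails on "kernel" before it ever reaches "rsnapshot", and routes the spoofed line into rsnapshot.log alongside the genuine one, so nothing about it remains in messages.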
participants (2): Carlos E. R., Christopher Myers