Limiting logging to /var/log/messages

This support forum board is for support questions relating to Nagios Network Analyzer, our network traffic and bandwidth analysis solution.
BackNBlack
Posts: 20
Joined: Wed Nov 14, 2018 3:14 pm

Limiting logging to /var/log/messages

Post by BackNBlack »

Hi,
I would like to eliminate some log messages going to /var/log/messages and would like to know the best way to do this. These messages are written every 5 minutes and don't seem too important to me but what do I know.

How can I turn these off/filter them out without affecting the proper functioning of my Network Analyzer?

Code:

Dec 18 16:55:00 myhost nfcapd[2550]: Run expire on '/usr/local/nagiosna/var/myrouter/flows'
Dec 18 16:55:00 myhost nfcapd[2550]: Limits: Filesize <none>, Lifetime 86400 = 1.0 days, Watermark: 95%
Dec 18 16:55:00 myhost nfcapd[2550]: Current size: 1142784 = 1.1 MB, Current lifetime: 83400 = 23.2 hours, Number of files: 279
Dec 18 16:55:00 myhost nfcapd[2550]: expire completed - nothing to expire.
Dec 18 16:55:00 myhost nfcapd[2550]: launcher child exit 1 children.
Dec 18 16:55:00 myhost nfcapd[2550]: launcher child 7891 exit status: 0
Dec 18 16:55:00 myhost nfcapd[2550]: launcher waiting children done. 0 children
Dec 18 16:55:01 myhost nfcapd[2594]: Ident: '8' Flows: 795, Packets: 0, Bytes: 218457798, Sequence Errors: 0, Bad Packets: 0
Dec 18 16:55:01 myhost nfcapd[2594]: Signal launcher
Dec 18 16:55:01 myhost nfcapd[2594]: Total ignored packets: 0
Dec 18 16:55:01 myhost nfcapd[2595]: Launcher: fork child.
Dec 18 16:55:01 myhost nfcapd[2595]: Launcher: child exec done.
Dec 18 16:55:01 myhost nfcapd[2595]: Run expire on '/usr/local/nagiosna/var/myfw/flows'
Dec 18 16:55:01 myhost nfcapd[2595]: Limits: Filesize <none>, Lifetime 86400 = 1.0 days, Watermark: 95%
Dec 18 16:55:01 myhost nfcapd[2595]: Current size: 4083712 = 3.9 MB, Current lifetime: 81900 = 22.8 hours, Number of files: 274
Dec 18 16:55:01 myhost nfcapd[2595]: expire completed - nothing to expire.
Dec 18 16:55:01 myhost nfcapd[2595]: launcher child exit 1 children.
Dec 18 16:55:01 myhost nfcapd[2595]: launcher child 7901 exit status: 0
Dec 18 16:55:01 myhost nfcapd[2595]: launcher waiting children done. 0 children
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Limiting logging to /var/log/messages

Post by tgriep »

Try this, edit the /etc/rsyslog.conf file and above this line

Code:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

add this line

Code:

if $programname == 'nfcapd' then stop

So it looks like this

Code:

if $programname == 'nfcapd' then stop
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Then restart rsyslog by running

Code:

service rsyslog restart

That should stop the logging of the messages and it will not affect the operation of the Network Analyzer.
Be sure to check out our Knowledgebase for helpful articles and solutions!
BackNBlack
Posts: 20
Joined: Wed Nov 14, 2018 3:14 pm

Re: Limiting logging to /var/log/messages

Post by BackNBlack »

That did not work :(
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Limiting logging to /var/log/messages

Post by tgriep »

It could be that your version of rsyslog does not support that feature.
I tested it on CentOS 7 and rsyslogd version 7.4.7 and it worked.

Find out which version of rsyslogd you are running and search the internet to see if it supports that feature.
BackNBlack
Posts: 20
Joined: Wed Nov 14, 2018 3:14 pm

Re: Limiting logging to /var/log/messages

Post by BackNBlack »

Hmm,
I'm using rsyslog-5.8.10-10.el6_6.x86_64 on a CentOS 6.9 system. I'll look around to see if it supports that command or not.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Limiting logging to /var/log/messages

Post by tgriep »

I found another way to block rsyslog from logging those messages that may work for that version.
Add a config to the /etc/rsyslog.d folder.
Call it nfcapd.conf
Put the following in it and restart rsyslog

Code:

if $programname == 'nfcapd' then {
    stop
}

Let us know if it works.
If not and you figure it out, please post your findings here.
BackNBlack
Posts: 20
Joined: Wed Nov 14, 2018 3:14 pm

Re: Limiting logging to /var/log/messages

Post by BackNBlack »

Sorry, it is still not working. Here is the error I am getting from the change:

Code:

[root@myhost rsyslog.d]# pwd
/etc/rsyslog.d

[root@myhost rsyslog.d]# cat  nfcapd.conf
if $programname == 'nfcapd' then {
                stop
}

[root@myhost rsyslog.d]# service rsyslog status
rsyslogd (pid  1664) is running...

[root@myhost rsyslog.d]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Jan 24 12:32:39 myhost kernel: Kernel logging (proc) stopped.
Jan 24 12:32:39 myhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1664" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 24 12:32:39 myhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jan 24 12:32:39 myhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="18516" x-info="http://www.rsyslog.com"] start
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 1:"if $programname == 'nfcapd' then {"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
Jan 24 12:32:39 myhost rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 2:"                stop"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
Jan 24 12:32:39 myhost rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 3:"}"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded

I noticed another file in the directory that I thought might help me to figure this out but it still is very confusing to me. Perhaps someone else can look at it as a reference.

Code:

cat spice-vdagentd.conf 
# A template to for higher precision timestamps + severity logging
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

:programname, startswith, "spice-vdagent"	/var/log/spice-vdagent.log;SpiceTmpl

Thanks
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Limiting logging to /var/log/messages

Post by tgriep »

You're running rsyslog 5.8.10, and the rule formatting is different on newer versions of rsyslog, which I used to test that rule.

Remove the existing rule and change it to this.

Code:

:programname,isequal,"nfcapd" stop
& ~
BackNBlack
Posts: 20
Joined: Wed Nov 14, 2018 3:14 pm

Re: Limiting logging to /var/log/messages

Post by BackNBlack »

Thanks for the quick reply, one question.

Put both of these lines in the /etc/rsyslog.conf file in the rules section?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Limiting logging to /var/log/messages

Post by scottwilkerson »

You would create a new file such as /etc/rsyslog.d/nfcapd.conf and add it there,

then restart rsyslog

Code:

service rsyslog restart
Former Nagios employee
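An added example, not part of the thread and not Nagios code: a shell helper that picks the filter syntax matching the installed rsyslog (the `stop` form that worked on 7.4.7 in the thread, the legacy `~` discard action otherwise), writes it to /etc/rsyslog.d/nfcapd.conf and parses the configuration before restarting. It goes beyond the thread by optionally keeping the nfcapd lines in their own file instead of discarding them, so counters such as "Sequence Errors" and "Bad Packets" stay on record; the function names, the `--install` flag, the script name and /var/log/nfcapd.log are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): choose the nfcapd filter syntax that
# matches the installed rsyslog, write the drop-in, and parse-check it first.
# Function names, the --install flag and the log path are illustrative.

# Read the first line of `rsyslogd -v` on stdin, print the version number.
parse_version() {
    sed -n '1s/^rsyslogd *\([0-9][0-9.]*\).*/\1/p'
}

# nfcapd_rule VERSION [LOGFILE]
# Print a rule that keeps nfcapd out of /var/log/messages. With LOGFILE the
# messages are written there before being dropped, so they are not lost.
nfcapd_rule() {
    ver=$1
    keep=${2:-}
    major=${ver%%.*}
    case $major in ''|*[!0-9]*) major=0 ;; esac   # unknown -> legacy syntax

    if [ "$major" -ge 7 ]; then
        # Assumption taken from the thread: the 'stop' form worked on 7.4.7.
        printf '%s\n' "if \$programname == 'nfcapd' then {"
        if [ -n "$keep" ]; then
            printf '    action(type="omfile" file="%s")\n' "$keep"
        fi
        printf '    stop\n}\n'
    elif [ -n "$keep" ]; then
        # Legacy property filter: log to the file, then '& ~' discards.
        printf ':programname, isequal, "nfcapd" %s\n& ~\n' "$keep"
    else
        # Legacy property filter with the '~' discard action.
        printf ':programname, isequal, "nfcapd" ~\n'
    fi
}

# Usage (as root): sh nfcapd-filter.sh --install [/var/log/nfcapd.log]
if [ "${1:-}" = "--install" ]; then
    ver=$(rsyslogd -v | parse_version)
    nfcapd_rule "$ver" "${2:-}" > /etc/rsyslog.d/nfcapd.conf
    # -N1 parses the configuration without starting the daemon.
    if rsyslogd -N1; then
        service rsyslog restart
    else
        echo "config check failed; rsyslog not restarted" >&2
        exit 1
    fi
fi
```

The drop-in only takes effect if /etc/rsyslog.d/*.conf is included before the /var/log/messages selector in /etc/rsyslog.conf, which is the ordering the first reply in the thread asks for.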