NRPE logging to syslog

[ecarrasq]

My /var/log/messages and /var/log/secure files are filling up fast:

Dec 1 03:20:16 gentoo1 xinetd[5777]: START: nrpe pid=27547 from=192.168.10.111 Dec 1 03:20:16 gentoo1 xinetd[5777]: START: nrpe pid=27549 from=192.168.10.111 Dec 1 03:20:29 gentoo1 xinetd[5777]: START: nrpe pid=27558 from=192.168.10.111 Dec 1 03:20:29 gentoo1 xinetd[5777]: START: nrpe pid=27559 from=192.168.10.111 Dec 1 03:20:30 gentoo1 xinetd[5777]: START: nrpe pid=27564 from=192.168.10.111 Dec 1 03:20:30 gentoo1 xinetd[5777]: START: nrpe pid=27565 from=192.168.10.111 Dec 1 03:23:16 gentoo1 xinetd[5777]: START: nrpe pid=27585 from=192.168.10.111 Dec 1 03:23:16 gentoo1 xinetd[5777]: START: nrpe pid=27586 from=192.168.10.111 Dec 1 03:23:16 gentoo1 xinetd[5777]: START: nrpe pid=27587 from=192.168.10.111 Dec 1 03:23:29 gentoo1 xinetd[5777]: START: nrpe pid=27598 from=192.168.10.111 Dec 1 03:23:29 gentoo1 xinetd[5777]: START: nrpe pid=27599 from=192.168.10.111 Dec 1 03:23:30 gentoo1 xinetd[5777]: START: nrpe pid=27604 from=192.168.10.111 Dec 1 03:23:30 gentoo1 xinetd[5777]: START: nrpe pid=27605 from=192.168.10.111 Dec 1 03:26:14 gentoo1 xinetd[5777]: START: nrpe pid=27626 from=192.168.10.111 Dec 1 03:26:14 gentoo1 xinetd[5777]: START: nrpe pid=27628 from=192.168.10.111 Dec 1 03:26:14 gentoo1 xinetd[5777]: START: nrpe pid=27629 from=192.168.10.111 Dec 1 03:26:27 gentoo1 xinetd[5777]: START: nrpe pid=27640 from=192.168.10.111 Dec 1 03:26:27 gentoo1 xinetd[5777]: START: nrpe pid=27641 from=192.168.10.111 Dec 1 03:26:28 gentoo1 xinetd[5777]: START: nrpe pid=27646 from=192.168.10.111

It was recommended to:

"Check your xinetd configuration. Either /etc/xinetd.conf or /etc/xinetd.d/*.
Looks like you have logging switched on in there."

However, does not state on how to edit this.

There is a "log_facility=daemon" entry in the nrpe.cfg ,but I haven't found any documentation on that entry and if it has anything to do with "Disabling" NRPE from syslogging so much.

[tonyyarusso]

I'm not scertain whether NRPE properly supports log levels, but if it does, you can raise the level to log, by adding a line in /etc/xinetd.d/nrpe like:

Code: Select all

log_type        = SYSLOG daemon warning

where the last word is one of emerg, alert, crit, err, warning, notice, info, or debug. (The default is info.)

[ecarrasq]

Thanks.

I just found the following, which I have not tried yet:

To disable the NRPE (or any other daemon that uses xinetd) logging to syslog:

go to /etc/xinetd.d
vi nrpe
remove the "log_on_failure...." and "log_on_success..." lines and save
restart xinetd

[ecarrasq]

Removing the "log_on_failure...." and "log_on_success..." lines did not work.

[niebais]

Removing the "log_on_failure...." and "log_on_success..." lines did not work.

I modified my xinetd.d file to look like the following:
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
log_type = FILE /var/log/nrpe.log
disable = no
only_from = 127.0.0.1 remoteserver
}

I then added this file in /etc/logrotate.d
/var/log/nrpe.log {
missingok
notifempty
sharedscripts
}

Which makes the nrpe files rotate so I don't have to care about them. Just a tip.

[ecarrasq]

I've asked the Linux Admins to adjust the files, as suggested below. Once they do, I'll post the feedback.

Thank you!

[ecarrasq]

I haven't heard from the Linux Admins here at my company, so I will place a "Green Check mark" on this one until I hear from them.

Thank you for all your input!

[mguthrie]

You bet, thanks for the update!