
Reduce Logging in /var/log/secure

Posted: Mon Jul 14, 2014 5:38 pm
by juana
Hello,

We are required to preserve server logs for a certain extended amount of time. We currently use different log transferring tools such as logjam and rsync to move logs to dedicated log servers. We've noticed that Nagios heavily populates /var/log/secure with logs such as the snippet below. Is there any way we can reduce how much logging Nagios does? We have a lot of logs, so the less data, the easier it is to move stuff around and preserve.

Code:

Jul 14 14:58:56 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service crond
Jul 14 15:00:04 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service sshd
Jul 14 15:01:25 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service httpd
Jul 14 15:03:56 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service crond
Jul 14 15:05:04 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service sshd
Jul 14 15:06:24 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service httpd

Thank you,

Juana

Re: Reduce Logging in /var/log/secure

Posted: Tue Jul 15, 2014 10:09 am
by abrist
You may be able to reduce the log spam by changing the rsyslog config. Could you post a copy of the file:

Code:

 /etc/rsyslog.conf

Re: Reduce Logging in /var/log/secure

Posted: Wed Jul 16, 2014 6:32 pm
by juana
This is on RHEL5 hence /etc/syslog.conf:

Code:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Re: Reduce Logging in /var/log/secure

Posted: Thu Jul 17, 2014 11:03 am
by lmiltchev
To stop the logging in the "/var/log/secure" altogether, you can comment out this line to look like this:

Code:

# authpriv.*                                              /var/log/secure

then restart the service:

Code:

service rsyslog restart

If you want to change the level of logging in the "/var/log/secure", you may need to configure pam. I haven't done this, so I am not sure how to do it, but you can go to "/etc/pam.d" and look through the configs.

You can also reduce some of the logging in the "/var/log/messages" from nagios by setting "use_syslog=0" in the "nagios.cfg".
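
An alternative to dropping "authpriv.*" entirely, as an added example that is not part of the original posts: strip only the routine Nagios check_init_service sudo lines from the copy of /var/log/secure that is shipped to the log server, so the on-host log and every other authpriv entry stay intact. The function names, the service-name pattern and the sample log (constructed, extending the snippet posted above) are assumptions.

```shell
#!/bin/sh
# Added example: drop routine Nagios sudo check lines from a COPY of
# /var/log/secure before it is archived. Only the exact line shape seen
# in the thread is dropped; everything else is kept.

# Plugin path taken from the log snippet posted in the thread.
PLUGIN='/usr/local/nagios/libexec/check_init_service'

# filter_secure keep  -> print every line that is not routine noise
# filter_secure count -> print how many lines would be dropped
# Matching is by field position, so the pattern embedded in another
# program message (or with extra arguments) is never dropped.
filter_secure() {
    awk -v plugin="$PLUGIN" -v mode="$1" '
    {
        noise = (NF == 15 && $5 == "sudo:" && $6 == "nagios" &&
                 $12 == "USER=root" && $14 == ("COMMAND=" plugin) &&
                 $15 ~ /^[A-Za-z0-9_.-]+$/)
        if (noise) dropped++
        else if (mode == "keep") print
    }
    END { if (mode == "count") print dropped + 0 }'
}

# Constructed sample: two routine checks plus three lines that must survive.
sample_log() {
    cat <<'EOF'
Jul 14 14:58:56 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service crond
Jul 14 15:00:04 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service sshd
Jul 14 15:00:30 hostxyx sshd[2211]: Failed password for invalid user test from 192.0.2.10 port 40022 ssh2
Jul 14 15:01:02 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash
Jul 14 15:01:25 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service httpd /etc/shadow
EOF
}

# Report the noise count, then show what would be archived.
echo "dropped: $(sample_log | filter_secure count)"
sample_log | filter_secure keep
```

A sudo line from the nagios account that runs anything other than the expected plugin with a single service name stays in the archived copy, which is the entry a reviewer would want to see.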

Re: Reduce Logging in /var/log/secure

Posted: Thu Jul 17, 2014 1:40 pm
by juana
Thank you! I'll try setting the "use_syslog=0" in the "nagios.cfg" as we do want other logs to end up in /var/log/secure.

Re: Reduce Logging in /var/log/secure

Posted: Thu Jul 17, 2014 2:26 pm
by lmiltchev
You are welcome! Let us know if you have any more questions.

Re: Reduce Logging in /var/log/secure

Posted: Tue Jul 22, 2014 3:21 pm
by juana
Hello again,

On the Nagios XI master, I modified nagios.cfg and set use_syslog=0 and 'service nagios restart', but the logs are still happening on the clients. I did 'service syslog restart' on one of the clients, but no difference in the nagios logging performed in the client's /var/log/secure file. Ideas of what else I should try? Does the use_syslog=0 need to be set at the client level or just the nagios master? Should I reboot the Nagios XI master server?

Thank you,

Juana

Re: Reduce Logging in /var/log/secure

Posted: Wed Jul 23, 2014 9:58 am
by slansing
> but the logs are still happening on the clients.

What, specifically, do you mean by clients here? Are you referring to remote systems that nagios is checking? If so, that is not controlled by nagios, that is up to the agent you are using, or the services that are being used to check through such as xinetd, nsca, nrpe, etc.

Re: Reduce Logging in /var/log/secure

Posted: Tue Sep 23, 2014 3:52 pm
by juana
Hello,

Yes, I was referring to the remote system that Nagios is checking. Great, thank you for letting me know that is beyond Nagios.... makes absolute sense that the xinetd service (or *) handles that. I just needed to ensure my part (the Nagios side) has been properly handled and I think I have.

Thank you all for your great support!

jj