Limiting logging to /var/log/messages

Posted: Tue Dec 18, 2018 12:01 pm
by BackNBlack
Hi,
I would like to eliminate some log messages going to /var/log/messages and would like to know the best way to do this. These messages are written every 5 minutes and don't seem too important to me but what do I know.

How can I turn these off/filter them out without affecting the proper functioning of my Network Analyzer?

Code:

Dec 18 16:55:00 myhost nfcapd[2550]: Run expire on '/usr/local/nagiosna/var/myrouter/flows'
Dec 18 16:55:00 myhost nfcapd[2550]: Limits: Filesize <none>, Lifetime 86400 = 1.0 days, Watermark: 95%
Dec 18 16:55:00 myhost nfcapd[2550]: Current size: 1142784 = 1.1 MB, Current lifetime: 83400 = 23.2 hours, Number of files: 279
Dec 18 16:55:00 myhost nfcapd[2550]: expire completed - nothing to expire.
Dec 18 16:55:00 myhost nfcapd[2550]: launcher child exit 1 children.
Dec 18 16:55:00 myhost nfcapd[2550]: launcher child 7891 exit status: 0
Dec 18 16:55:00 myhost nfcapd[2550]: launcher waiting children done. 0 children
Dec 18 16:55:01 myhost nfcapd[2594]: Ident: '8' Flows: 795, Packets: 0, Bytes: 218457798, Sequence Errors: 0, Bad Packets: 0
Dec 18 16:55:01 myhost nfcapd[2594]: Signal launcher
Dec 18 16:55:01 myhost nfcapd[2594]: Total ignored packets: 0
Dec 18 16:55:01 myhost nfcapd[2595]: Launcher: fork child.
Dec 18 16:55:01 myhost nfcapd[2595]: Launcher: child exec done.
Dec 18 16:55:01 myhost nfcapd[2595]: Run expire on '/usr/local/nagiosna/var/myfw/flows'
Dec 18 16:55:01 myhost nfcapd[2595]: Limits: Filesize <none>, Lifetime 86400 = 1.0 days, Watermark: 95%
Dec 18 16:55:01 myhost nfcapd[2595]: Current size: 4083712 = 3.9 MB, Current lifetime: 81900 = 22.8 hours, Number of files: 274
Dec 18 16:55:01 myhost nfcapd[2595]: expire completed - nothing to expire.
Dec 18 16:55:01 myhost nfcapd[2595]: launcher child exit 1 children.
Dec 18 16:55:01 myhost nfcapd[2595]: launcher child 7901 exit status: 0
Dec 18 16:55:01 myhost nfcapd[2595]: launcher waiting children done. 0 children

Re: Limiting logging to /var/log/messages

Posted: Tue Dec 18, 2018 3:27 pm
by tgriep
Try this, edit the /etc/rsyslog.conf file and above this line

Code:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

add this line

Code:

if $programname == 'nfcapd' then stop

So it looks like this

Code:

if $programname == 'nfcapd' then stop
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Then restart rsyslog by running

Code:

service rsyslog restart

That should stop the logging of the messages and it will not affect the operation of the Network Analyzer.

Re: Limiting logging to /var/log/messages

Posted: Wed Dec 19, 2018 1:32 pm
by BackNBlack
That did not work :(

Re: Limiting logging to /var/log/messages

Posted: Wed Dec 19, 2018 1:37 pm
by tgriep
It could be that your version of rsyslog does not support that feature.
I tested it on CentOS 7 and rsyslogd version 7.4.7 and it worked.

Find out which version of rsyslogd you are running and search the internet to see if it supports that feature.

Re: Limiting logging to /var/log/messages

Posted: Wed Dec 19, 2018 3:40 pm
by BackNBlack
Hmm,
I'm using rsyslog-5.8.10-10.el6_6.x86_64 on a CentOS 6.9 system. I'll look around to see if it supports that command or not.

Re: Limiting logging to /var/log/messages

Posted: Wed Dec 19, 2018 4:24 pm
by tgriep
I found another way to block rsyslog from logging those messages that may work for that version.
Add a config to /etc/rsyslog.d folder.
Call it nfcapd.conf
Put the following in it and restart rsyslog

Code:

if $programname == 'nfcapd' then {
                stop
}

Let us know if it works.
If not and you figure it out, please post your findings here.

Re: Limiting logging to /var/log/messages

Posted: Thu Jan 24, 2019 7:44 am
by BackNBlack
Sorry, it is still not working. Here is the error I am getting from the change:

Code:

[root@myhost rsyslog.d]# pwd
/etc/rsyslog.d

[root@myhost rsyslog.d]# cat  nfcapd.conf
if $programname == 'nfcapd' then {
                stop
}

[root@myhost rsyslog.d]# service rsyslog status
rsyslogd (pid  1664) is running...

[root@myhost rsyslog.d]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Jan 24 12:32:39 myhost kernel: Kernel logging (proc) stopped.
Jan 24 12:32:39 myhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1664" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 24 12:32:39 myhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jan 24 12:32:39 myhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="18516" x-info="http://www.rsyslog.com"] start
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 1:"if $programname == 'nfcapd' then {"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
Jan 24 12:32:39 myhost rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 2:"                stop"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
Jan 24 12:32:39 myhost rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 3:"}"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded

I noticed another file in the directory that I thought might help me to figure this out, but it is still very confusing to me. Perhaps someone else can look at it as a reference.

Code:

cat spice-vdagentd.conf 
# A template to for higher precision timestamps + severity logging
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

:programname, startswith, "spice-vdagent"	/var/log/spice-vdagent.log;SpiceTmpl

Thanks

Re: Limiting logging to /var/log/messages

Posted: Thu Jan 24, 2019 10:03 am
by tgriep
You're running rsyslog 5.8.10, and the rule formatting is different on newer versions of rsyslog, which I used to test that rule.

Remove the existing rule and change it to this.

Code:

:programname,isequal,"nfcapd" stop
& ~

Re: Limiting logging to /var/log/messages

Posted: Thu Jan 24, 2019 10:13 am
by BackNBlack
Thanks for quick reply, one question.

Put both of these lines in the /etc/rsyslog.conf file in the rules section?

Re: Limiting logging to /var/log/messages

Posted: Thu Jan 24, 2019 12:06 pm
by scottwilkerson
You would create a new file such as /etc/rsyslog.d/nfcapd.conf and add it there,

then restart rsyslogd

Code:

service rsyslog restart
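
Added example, not code from any poster in this thread: a POSIX shell helper that picks the nfcapd filter syntax by rsyslog version, based on the two data points above (the `if ... then stop` form worked on 7.4.7 and was rejected by 5.8.10). Treating every major version below 7 as legacy-only is an assumption, as are the function names and the optional keep-file path `/var/log/nfcapd.log`, which writes the collector's messages to their own file before dropping them from later rules.

```shell
#!/bin/sh
# Added example: pick the nfcapd filter syntax that the installed rsyslog parses.

# Extract "5.8.10" from the first line of `rsyslogd -v` output.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^rsyslogd  *\([0-9][0-9.]*\).*/\1/p'
}

# Print drop-in content for /etc/rsyslog.d/nfcapd.conf.
#   $1 = rsyslog version, $2 = optional file that keeps the nfcapd messages.
# Assumption: only major version 7 and later get the RainerScript form.
nfcapd_rule() {
    version=$1
    keep_file=${2:-}
    major=${version%%.*}
    case $major in
        ''|*[!0-9]*) echo "unrecognised rsyslog version: $version" >&2; return 1 ;;
    esac
    if [ "$major" -ge 7 ]; then
        if [ -n "$keep_file" ]; then
            printf "if \$programname == 'nfcapd' then {\n"
            printf '    action(type="omfile" file="%s")\n    stop\n}\n' "$keep_file"
        else
            printf "if \$programname == 'nfcapd' then stop\n"
        fi
    else
        # Legacy property-based filter; "~" is the discard action.
        if [ -n "$keep_file" ]; then
            printf ':programname, isequal, "nfcapd" %s\n& ~\n' "$keep_file"
        else
            printf ':programname, isequal, "nfcapd" ~\n'
        fi
    fi
}

# Constructed sample: first line of `rsyslogd -v` for the version in the thread.
sample='rsyslogd 5.8.10, compiled with:'
nfcapd_rule "$(parse_version "$sample")" /var/log/nfcapd.log
# After writing the output to the drop-in file, check the configuration with
# `rsyslogd -N1` before restarting the service.
```

The filter only takes effect if it is read before the /var/log/messages rule, which is why the first reply places it above that line.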