Page 1 of 2
Limiting logging to /var/log/messages
Posted: Tue Dec 18, 2018 12:01 pm
by BackNBlack
Hi,
I would like to eliminate some log messages going to /var/log/messages and would like to know the best way to do this. These messages are written every 5 minutes and don't seem too important to me but what do I know.
How can I turn these off/filter them out without affecting the proper functioning of my Network Analyzer?
Code: Select all
Dec 18 16:55:00 myhost nfcapd[2550]: Run expire on '/usr/local/nagiosna/var/myrouter/flows'
Dec 18 16:55:00 myhost nfcapd[2550]: Limits: Filesize <none>, Lifetime 86400 = 1.0 days, Watermark: 95%
Dec 18 16:55:00 myhost nfcapd[2550]: Current size: 1142784 = 1.1 MB, Current lifetime: 83400 = 23.2 hours, Number of files: 279
Dec 18 16:55:00 myhost nfcapd[2550]: expire completed - nothing to expire.
Dec 18 16:55:00 myhost nfcapd[2550]: launcher child exit 1 children.
Dec 18 16:55:00 myhost nfcapd[2550]: launcher child 7891 exit status: 0
Dec 18 16:55:00 myhost nfcapd[2550]: launcher waiting children done. 0 children
Dec 18 16:55:01 myhost nfcapd[2594]: Ident: '8' Flows: 795, Packets: 0, Bytes: 218457798, Sequence Errors: 0, Bad Packets: 0
Dec 18 16:55:01 myhost nfcapd[2594]: Signal launcher
Dec 18 16:55:01 myhost nfcapd[2594]: Total ignored packets: 0
Dec 18 16:55:01 myhost nfcapd[2595]: Launcher: fork child.
Dec 18 16:55:01 myhost nfcapd[2595]: Launcher: child exec done.
Dec 18 16:55:01 myhost nfcapd[2595]: Run expire on '/usr/local/nagiosna/var/myfw/flows'
Dec 18 16:55:01 myhost nfcapd[2595]: Limits: Filesize <none>, Lifetime 86400 = 1.0 days, Watermark: 95%
Dec 18 16:55:01 myhost nfcapd[2595]: Current size: 4083712 = 3.9 MB, Current lifetime: 81900 = 22.8 hours, Number of files: 274
Dec 18 16:55:01 myhost nfcapd[2595]: expire completed - nothing to expire.
Dec 18 16:55:01 myhost nfcapd[2595]: launcher child exit 1 children.
Dec 18 16:55:01 myhost nfcapd[2595]: launcher child 7901 exit status: 0
Dec 18 16:55:01 myhost nfcapd[2595]: launcher waiting children done. 0 children
Re: Limiting logging to /var/log/mesages
Posted: Tue Dec 18, 2018 3:27 pm
by tgriep
Try this, edit the /etc/rsyslog.conf file and above this line
Code: Select all
*.info;mail.none;authpriv.none;cron.none /var/log/messages
add this line
Code: Select all
if $programname == 'nfcapd' then stop
So it looks like this
Code: Select all
if $programname == 'nfcapd' then stop
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Then restart rsyslog by running
That should stop the logging of the messages and it will not affect the operation of the Network Analyzer.
Re: Limiting logging to /var/log/mesages
Posted: Wed Dec 19, 2018 1:32 pm
by BackNBlack
That did not work
Re: Limiting logging to /var/log/mesages
Posted: Wed Dec 19, 2018 1:37 pm
by tgriep
It could be that your version of rsyslog does not support that feature.
I tested it on Centos 7 and rsyslogd version 7.4.7 and it worked.
Find out which version of rsyslogd you are running and search the internet to see if it supports that feature.
Re: Limiting logging to /var/log/mesages
Posted: Wed Dec 19, 2018 3:40 pm
by BackNBlack
Hmm,
I'm using rsyslog-5.8.10-10.el6_6.x86_64 on a CentOS 6.9 system. I'll look around to see if it supports that command or not.
Re: Limiting logging to /var/log/mesages
Posted: Wed Dec 19, 2018 4:24 pm
by tgriep
I found another way to block rsyslog from logging those messages that may work for that version.
Add a config to /etc/rsyslog.d folder.
Call it nfcapd.conf
Put the following in it and restart rsyslog
Code: Select all
if $programname == 'nfcapd' then {
stop
}
Let us know it if works.
If not and you figure it out, please post your findings here.
Re: Limiting logging to /var/log/mesages
Posted: Thu Jan 24, 2019 7:44 am
by BackNBlack
Sorry, it is still not working, here is the error i am getting from the change;
Code: Select all
[root@myhost rsyslog.d]# pwd
/etc/rsyslog.d
[root@myhost rsyslog.d]# cat nfcapd.conf
if $programname == 'nfcapd' then {
stop
}
[root@myhost rsyslog.d]# service rsyslog status
rsyslogd (pid 1664) is running...
[root@myhost rsyslog.d]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Jan 24 12:32:39 myhost kernel: Kernel logging (proc) stopped.
Jan 24 12:32:39 myhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1664" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 24 12:32:39 myhost kernel: imklog 5.8.10, log source = /proc/kmsg started.
Jan 24 12:32:39 myhost rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="18516" x-info="http://www.rsyslog.com"] start
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 1:"if $programname == 'nfcapd' then {"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
Jan 24 12:32:39 myhost rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 2:" stop"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
Jan 24 12:32:39 myhost rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Jan 24 12:32:39 myhost rsyslogd: the last error occured in /etc/rsyslog.d/nfcapd.conf, line 3:"}"
Jan 24 12:32:39 myhost rsyslogd: warning: selector line without actions will be discarded
I noticed another file in the directory that i thought might help me to figure this out but it still is very confusing to me. Perhaps someone else can look at it as a reference.
Code: Select all
cat spice-vdagentd.conf
# A template to for higher precision timestamps + severity logging
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
Thanks
Re: Limiting logging to /var/log/mesages
Posted: Thu Jan 24, 2019 10:03 am
by tgriep
Your running rsyslog 5.8.10 and the rules formatting are different on newer versions of rsyslog which I used to test that rule.
Remove the existing rule and change it to this.
Code: Select all
:programname,isequal,"nfcapd" stop
& ~
Re: Limiting logging to /var/log/mesages
Posted: Thu Jan 24, 2019 10:13 am
by BackNBlack
Thanks for quick reply, one question.
Put both of these lines in the /etc/rsyslog.conf file in the rules section?
Re: Limiting logging to /var/log/mesages
Posted: Thu Jan 24, 2019 12:06 pm
by scottwilkerson
you would create a new file such as
/etc/rsyslog.d/nfcapd.conf and add it there
then restart rsyslogd