Ref: https://www.clearos.com/clearfoundation/social/community/cannot-logout-of-webconfig#reply-121771
I mentioned I would be looking for a good permanent solution to the problem of too much noise in my /var/log/messages :-
i.e. thousands of messages like this :-
Apr 12 20:01:01 sandra su: (to root) root on none
Apr 12 20:02:01 sandra su: (to root) root on none
Apr 12 20:02:01 sandra su: (to root) root on none
Apr 12 20:02:01 sandra su: (to root) root on none
Apr 12 20:05:02 sandra su: (to root) root on none
Apr 12 20:06:01 sandra su: (to root) root on none
Apr 12 20:07:01 sandra su: (to root) root on none
Apr 12 20:07:01 sandra su: (to root) root on none
Apr 12 20:07:01 sandra su: (to root) root on none
Apr 12 20:10:02 sandra su: (to root) root on none
Apr 12 20:11:01 sandra su: (to root) root on none
I found an easy way to re-direct the logging of any program to another log file - in my case the program is "su".
So I created the following simple 3-line file "/etc/rsyslog.d/su.conf" :-
# Reference = http://wiki.rsyslog.com/index.php/Filtering_by_program_name
if $programname == 'su' then /var/log/su.log
& ~
To create the new log file :-
# touch /var/log/su.log
Then I added this to the bottom of /etc/logrotate.conf so the new log file is rotated :-
# no packages own su.log -- we'll rotate them here
/var/log/su.log {
missingok
weekly
create 0644 root root
}
Sample from my new log file
Apr 12 20:36:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:40:03 sandra su: (to root) root on none
Apr 12 20:41:01 sandra su: (to root) root on none
Apr 12 20:42:01 sandra su: (to root) root on none
Apr 12 20:42:01 sandra su: pam_unix(su-l:session): session opened for user root by (uid=0)
Apr 12 20:42:01 sandra su: (to root) root on none
So the clutter has gone from /var/log/messages, and I have the su messages logged in case they are required...
This technique can probably be used for other programs that log to /var/log/messages that you might want to log separately...
Responses (5)
Accepted Answer
I do have some firewall logging, and yes, I do get other stuff going into the firewall log, but virtually nothing. Yours look like boot-up messages mainly and I have not rebooted for months. I could get more cute and add something like "IN=" and "OUT=" to the filter string, and I may, now you've mentioned it, but I won't gain much.
Accepted Answer
Thanks for the filter details. One thing - kernel messages going to the firewall log? Mine are anything but... I must be missing something...
iptables logging I guess for you? - but don't you also get other kernel messages mixed in with the firewall stuff? Examples below...
...
Mar 27 18:12:39 pamela kernel: Switching to clocksource acpi_pm
Mar 27 18:12:39 pamela kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Mar 27 18:12:40 pamela kernel: nf_conntrack version 0.5.0 (7841 buckets, 31364 max)
Mar 27 18:12:40 pamela kernel: PPP generic driver version 2.4.2
Mar 27 18:12:40 pamela kernel: PPP MPPE Compression module registered
Mar 27 18:12:46 pamela kernel: w83627hf: Found W83627THF chip at 0x290
Mar 27 18:12:46 pamela kernel: w83627hf w83627hf.656: Reading VID from GPIO5
Mar 27 18:13:09 pamela kernel: Registering the dns_resolver key type
Mar 27 18:13:09 pamela kernel: Slow work thread pool: Starting up
Mar 27 18:13:09 pamela kernel: Slow work thread pool: Ready
...
Apr 10 17:38:28 pamela kernel: wlan0: authenticate with 00:22:b0:8e:e9:05
Apr 10 17:38:28 pamela kernel: wlan0: send auth to 00:22:b0:8e:e9:05 (try 1/3)
Apr 10 17:38:28 pamela kernel: wlan0: authenticated
Apr 10 17:38:28 pamela kernel: ath9k 0000:00:0a.0: wlan0: disabling HT/VHT due to WEP/TKIP use
Apr 10 17:38:28 pamela kernel: ath9k 0000:00:0a.0: wlan0: disabling HT as WMM/QoS is not supported by the AP
Apr 10 17:38:28 pamela kernel: ath9k 0000:00:0a.0: wlan0: disabling VHT as WMM/QoS is not supported by the AP
Apr 10 17:38:28 pamela kernel: wlan0: associate with 00:22:b0:8e:e9:05 (try 1/3)
Apr 10 17:38:28 pamela kernel: wlan0: RX AssocResp from 00:22:b0:8e:e9:05 (capab=0x431 status=0 aid=1)
Apr 10 17:38:28 pamela kernel: wlan0: associated
Apr 10 17:38:28 pamela kernel: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Apr 11 06:02:07 pamela kernel: Adding 2047996k swap on /dev/sda2. Priority:-1 extents:1 across:2047996k
...
Accepted Answer
I'll give it a whirl again:
/var/log/firewall /var/log/openvpn {
notifempty
missingok
daily
copytruncate
create 0664 root root
rotate 4
}
Both normally go into /var/log/messages but come from different programs.
[edit]
These are the filters I use:
# Reference = http://wiki.rsyslog.com/index.php/Filtering_by_program_name
# Suppress apcupsd from /var/log/messages as they also go to /var/log/apcupsd.events
if $programname == 'apcupsd' then ~
# Suppress some Snort start-up messages
if $programname == 'snort' and $pri-text == 'daemon.notice' and not ($msg contains 'Commencing packet processing' or $msg contains_i 'error' or ( $msg contains_i 'warning' and not $msg contains_i 'flowbits' )) then ~
# Suppress OpenVPN MANAGEMENT messages
if $programname == 'openvpn' and $msg contains 'MANAGEMENT' then ~
# Drop firewall BitTorrent messages
if $programname == 'kernel' and $msg contains 'DPT=51413' then ~
# Split out firewall messages
if $programname == 'kernel' then -/var/log/firewall
& ~
# Split out OpenVPN messages
if $programname == 'openvpn' then -/var/log/openvpn
& ~
[/edit]
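As an added example (not code from this thread), here is a small Python emulation of how rsyslog walks the filter chain above, with the su rule from the original post appended; the log lines are constructed. It makes the ordering point visible: the DPT=51413 drop only works because it sits before the generic kernel rule, and su messages (a privilege-escalation audit trail) are routed to their own file rather than discarded.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog text format shown in the thread.
SAMPLE_LINES = [
    "Apr 12 20:01:01 sandra su: (to root) root on none",
    "Apr 12 20:42:01 sandra su: pam_unix(su-l:session): session opened for user root by (uid=0)",
    "Apr 12 20:42:05 sandra kernel: IN=eth0 OUT= SRC=10.0.0.5 DPT=51413 PROTO=TCP",
    "Apr 12 20:42:06 sandra kernel: IN=eth0 OUT= SRC=10.0.0.6 DPT=22 PROTO=TCP",
    "Apr 12 20:42:07 sandra openvpn[2314]: MANAGEMENT: CMD 'state'",
    "Apr 12 20:42:08 sandra openvpn[2314]: Peer Connection Initiated with 10.0.0.7:1194",
    "Apr 12 20:42:09 sandra sshd[4021]: Accepted publickey for admin from 10.0.0.8 port 5022 ssh2",
]

# "TAG[pid]: msg" -> $programname is TAG with the optional [pid] stripped
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

DISCARD = None  # stands in for rsyslog's "~" action
# The thread's filter chain plus the su rule, in file order. "then ~" discards;
# a file target followed by "& ~" writes the line and then discards it.
RULES = [
    (lambda p, m: p == "kernel" and "DPT=51413" in m, DISCARD),
    (lambda p, m: p == "kernel", "/var/log/firewall"),
    (lambda p, m: p == "openvpn" and "MANAGEMENT" in m, DISCARD),
    (lambda p, m: p == "openvpn", "/var/log/openvpn"),
    (lambda p, m: p == "su", "/var/log/su.log"),
]

def route(lines, rules=RULES, fallback="/var/log/messages"):
    """Return {target_file: [lines]}; discarded lines are collected under None."""
    out = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # unparseable lines keep flowing to the catch-all file
            out[fallback].append(line)
            continue
        prog, msg = m.group("prog"), m.group("msg")
        for pred, target in rules:
            if pred(prog, msg):
                out[target].append(line)
                break  # first match wins, because every rule here ends in a discard
        else:
            out[fallback].append(line)
    return dict(out)

def route_with_swapped_kernel_rules(lines):
    """Generic kernel rule first: the DPT=51413 drop can never fire."""
    return route(lines, [RULES[1], RULES[0]] + RULES[2:])
```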
Accepted Answer
Nick, this one that came with boinc-client works for me...
[root@danda ~]# cat /etc/logrotate.d/boinc-client
# Log Rotation for BOINC Daemon Logs
#
# See http://boinc.berkeley.edu/ for more information about BOINC
#
# Daemon is stopped and then restarted after the logs are rotated.
#
# On restart, all results that checkpoint will fall back to the last one, if it exists.
# On restart, all results that did not checkpoint will start from the beginning.
# Author: Kathryn Marks <kathryn.boinc@gmail.com>
# Created: October 6, 2007
# Modified: Milos Jakubicek <xjakub@fi.muni.cz>
# Last Modified: July 19, 2009
######################################################################
/var/log/boinc.log /var/log/boincerr.log
{
missingok
compress
delaycompress
notifempty
nomail
create 664 boinc boinc
sharedscripts
prerotate
if [ -f /var/lock/subsys/boinc-client ]; then
touch /tmp/boinc_was_running
service boinc-client stop >& /dev/null
fi
endscript
postrotate
if [ -f /tmp/boinc_was_running ]; then
rm /tmp/boinc_was_running
service boinc-client start >& /dev/null
fi
endscript
}
[root@danda ~]#
EDIT: I think maybe it only works when the multiple logs are all generated by the same program?
This one is boinc for both, and the example given in the man pages was for httpd for both logs...
Accepted Answer
Yes, it is a good method. I use it for firewall messages and OpenVPN and the Static IPsec VPN package uses it as well. I also use the same sort of thing to stop a lot of the snort startup logging which I restart every night, but it then generates pages of start up logs.
One thing I have failed to sort is a big block of logrotating. According to the docs for logrotate you should be able to specify more than one log file to rotate for a single function:
"/var/log/httpd/access.log" /var/log/httpd/error.log {
rotate 5
size 100k
}
For some reason it has not worked for me.