Ref: https://www.clearos.com/clearfoundation/social/community/cannot-logout-of-webconfig#reply-121771

Mentioned would be looking for a good permanent solution to the problem of too much noise in my /var/log/messages :-
i.e. thousands of messages like this :-

Apr 12 20:01:01 sandra su: (to root) root on none
Apr 12 20:02:01 sandra su: (to root) root on none
Apr 12 20:02:01 sandra su: (to root) root on none
Apr 12 20:02:01 sandra su: (to root) root on none
Apr 12 20:05:02 sandra su: (to root) root on none
Apr 12 20:06:01 sandra su: (to root) root on none
Apr 12 20:07:01 sandra su: (to root) root on none
Apr 12 20:07:01 sandra su: (to root) root on none
Apr 12 20:07:01 sandra su: (to root) root on none
Apr 12 20:10:02 sandra su: (to root) root on none
Apr 12 20:11:01 sandra su: (to root) root on none

Found an easy way to re-direct the logging of any program to another log file - in my case the program is "su"
So created the following simple 3 line file " /etc/rsyslog.d/su.conf " :-

# Reference = http://wiki.rsyslog.com/index.php/Filtering_by_program_name
if $programname == 'su' then /var/log/su.log
& ~

To create the new log file:
# touch /var/log/su.log
Added this to the bottom of /etc/logrotate.conf so the new log file is rotated:

# no packages own su.log -- we'll rotate them here
/var/log/su.log {
missingok
weekly
create 0644 root root
}

Sample from my new log file

Apr 12 20:36:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:40:03 sandra su: (to root) root on none
Apr 12 20:41:01 sandra su: (to root) root on none
Apr 12 20:42:01 sandra su: (to root) root on none
Apr 12 20:42:01 sandra su: pam_unix(su-l:session): session opened for user root by (uid=0)
Apr 12 20:42:01 sandra su: (to root) root on none

So the clutter has gone from /var/log/messages, and have the su messages log in case required...

This technique can probably be used for other programs that log to /var/log/messages that you might want to log separately...
Tuesday, April 12 2016, 11:11 AM
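Moving su into its own file only pays off if someone still reads it, so here is an added example (not from the post) that triages a su.log in the format shown above: it counts the routine root-to-root switches from scheduled jobs and surfaces everything else. The sample lines are constructed; the "FAILED SU" form is an assumption about how util-linux su reports a failed switch, not something shown on the page.

```python
import re
from collections import Counter

# Constructed sample of /var/log/su.log lines. The "(to X) Y on TTY" form
# matches the post; the "FAILED SU" form is an assumption about how
# util-linux su reports a failed switch, not something shown on the page.
SAMPLE_SU_LOG = """\
Apr 12 20:36:01 sandra su: (to root) root on none
Apr 12 20:37:01 sandra su: (to root) root on none
Apr 12 20:42:01 sandra su: pam_unix(su-l:session): session opened for user root by (uid=0)
Apr 12 20:42:01 sandra su: (to root) root on none
Apr 12 21:03:17 sandra su: (to root) bob on pts/0
Apr 12 21:05:44 sandra su: FAILED SU (to root) alice on pts/1
Apr 12 21:05:49 sandra su: FAILED SU (to root) alice on pts/1
"""

SU_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)

def is_cron_noise(ev):
    # root switching to itself with no controlling terminal is what the
    # scheduled jobs in the post produce; everything else deserves a look
    return (ev["user"] == "root" and ev["target"] == "root"
            and ev["tty"] == "none" and not ev["failed"])

def triage(log_text):
    """Return (count of routine root->root switches, list of other events)."""
    noise, interesting = 0, []
    for line in log_text.splitlines():
        m = SU_LINE.match(line)
        if not m:
            continue  # pam_unix session lines and other chatter are skipped
        ev = m.groupdict()
        ev["failed"] = ev["failed"] is not None
        if is_cron_noise(ev):
            noise += 1
        else:
            interesting.append(ev)
    return noise, interesting

def failed_by_user(events):
    """Count failed attempts per invoking user, to spot guessing at root."""
    return Counter(e["user"] for e in events if e["failed"])

if __name__ == "__main__":
    noise, events = triage(SAMPLE_SU_LOG)
    print(noise, "routine switches;", len(events), "to review;", dict(failed_by_user(events)))
```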
Responses (5)
  • Accepted Answer

    Tuesday, April 12 2016, 11:44 AM
    Yes, it is a good method. I use it for firewall messages and OpenVPN and the Static IPsec VPN package uses it as well. I also use the same sort of thing to stop a lot of the snort startup logging which I restart every night, but it then generates pages of start up logs.

    One thing I have failed to sort is a big block of logrotating. According to the docs for logrotate you should be able to specify more than one log file to rotate for a single function:
    "/var/log/httpd/access.log" /var/log/httpd/error.log {
    rotate 5
    size 100k
    }
    For some reason it has not worked for me.
  • Accepted Answer

    Tuesday, April 12 2016, 01:15 PM
    Nick, This one that came with boinc-client works for me...

    [root@danda ~]# cat /etc/logrotate.d/boinc-client
    # Log Rotation for BOINC Daemon Logs
    #
    # See http://boinc.berkeley.edu/ for more information about BOINC
    #
    # Daemon is stopped and then restarted after the logs are rotated.
    #
    # On restart, all results that checkpoint will fall back to the last one, if it exists.
    # On restart, all results that did not checkpoint will start from the beginning.

    # Author: Kathryn Marks <kathryn.boinc@gmail.com>
    # Created: October 6, 2007
    # Modified: Milos Jakubicek <xjakub@fi.muni.cz>
    # Last Modified: July 19, 2009
    ######################################################################

    /var/log/boinc.log /var/log/boincerr.log
    {
    missingok
    compress
    delaycompress
    notifempty
    nomail
    create 664 boinc boinc
    sharedscripts
    prerotate
    if [ -f /var/lock/subsys/boinc-client ]; then
    touch /tmp/boinc_was_running
    service boinc-client stop >& /dev/null
    fi
    endscript
    postrotate
    if [ -f /tmp/boinc_was_running ]; then
    rm /tmp/boinc_was_running
    service boinc-client start >& /dev/null
    fi
    endscript
    }
    [root@danda ~]#


    EDIT: I think maybe it only works when the multiple logs are all generated by the same program?
    This one is boinc for both and the example given in man pages was for httpd for both logs...
  • Accepted Answer

    Tuesday, April 12 2016, 05:37 PM
    I'll give it a whirl again:
    /var/log/firewall /var/log/openvpn {
    notifempty
    missingok
    daily
    copytruncate
    create 0664 root root
    rotate 4
    }
    Both normally go into /var/log/messages but come from different programs.

    [edit]
    These are the filters I use:
    # Reference = http://wiki.rsyslog.com/index.php/Filtering_by_program_name
    # Suppress apcupsd from /var/log/messages as they also go to /var/log/apcupsd.events
    if $programname == 'apcupsd' then ~

    # Suppress Some Snort start up messages
    if $programname == 'snort' and $pri-text == 'daemon.notice' and not ($msg contains 'Commencing packet processing' or $msg contains_i 'error' or ( $msg contains_i 'warning' and not $msg contains_i 'flowbits' )) then ~

    # Suppress OpenVPN MANAGEMENT messages
    if $programname == 'openvpn' and $msg contains 'MANAGEMENT' then ~

    # Drop firewall Bittorrent messages
    if $programname == 'kernel' and $msg contains 'DPT=51413' then ~

    # Split out Firewall messages
    if $programname == 'kernel' then -/var/log/firewall
    & ~

    # Split out OpenVPN messages
    if $programname == 'openvpn' then -/var/log/openvpn
    & ~

    [/edit]
  • Accepted Answer

    Tuesday, April 12 2016, 10:33 PM
    Thanks for the filter details. One thing - kernel messages going to the firewall log? Mine are anything but... I must be missing something...
    iptables logging I guess for you? - but don't you also get other kernel messages mixed in with the firewall stuff? Examples below...

    ...
    Mar 27 18:12:39 pamela kernel: Switching to clocksource acpi_pm
    Mar 27 18:12:39 pamela kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
    Mar 27 18:12:40 pamela kernel: nf_conntrack version 0.5.0 (7841 buckets, 31364 max)
    Mar 27 18:12:40 pamela kernel: PPP generic driver version 2.4.2
    Mar 27 18:12:40 pamela kernel: PPP MPPE Compression module registered
    Mar 27 18:12:46 pamela kernel: w83627hf: Found W83627THF chip at 0x290
    Mar 27 18:12:46 pamela kernel: w83627hf w83627hf.656: Reading VID from GPIO5
    Mar 27 18:13:09 pamela kernel: Registering the dns_resolver key type
    Mar 27 18:13:09 pamela kernel: Slow work thread pool: Starting up
    Mar 27 18:13:09 pamela kernel: Slow work thread pool: Ready

    ...
    Apr 10 17:38:28 pamela kernel: wlan0: authenticate with 00:22:b0:8e:e9:05
    Apr 10 17:38:28 pamela kernel: wlan0: send auth to 00:22:b0:8e:e9:05 (try 1/3)
    Apr 10 17:38:28 pamela kernel: wlan0: authenticated
    Apr 10 17:38:28 pamela kernel: ath9k 0000:00:0a.0: wlan0: disabling HT/VHT due to WEP/TKIP use
    Apr 10 17:38:28 pamela kernel: ath9k 0000:00:0a.0: wlan0: disabling HT as WMM/QoS is not supported by the AP
    Apr 10 17:38:28 pamela kernel: ath9k 0000:00:0a.0: wlan0: disabling VHT as WMM/QoS is not supported by the AP
    Apr 10 17:38:28 pamela kernel: wlan0: associate with 00:22:b0:8e:e9:05 (try 1/3)
    Apr 10 17:38:28 pamela kernel: wlan0: RX AssocResp from 00:22:b0:8e:e9:05 (capab=0x431 status=0 aid=1)
    Apr 10 17:38:28 pamela kernel: wlan0: associated
    Apr 10 17:38:28 pamela kernel: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
    Apr 11 06:02:07 pamela kernel: Adding 2047996k swap on /dev/sda2. Priority:-1 extents:1 across:2047996k
    ...
  • Accepted Answer

    Wednesday, April 13 2016, 05:35 AM
    I do have some firewall logging, and yes, I do get other stuff going into the firewall log, but virtually nothing. Yours look like boot-up messages mainly and I have not rebooted for months. I could get more cute and add something like "IN=" and "OUT=" to the filter string, and I may, now you've mentioned it, but I won't gain much.
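The filter list posted earlier and the follow-up about boot messages leaking into the firewall log both come down to rsyslog evaluating rules top to bottom, with "~" stopping processing for a message. This added example (not code from the thread) models that chain over the posted rules, plus the tighter kernel rule keyed on the iptables "IN=" field that the last reply considers; it assumes the drop-in filters run before the catch-all /var/log/messages rule, as they do when they are included from /etc/rsyslog.d ahead of the default rules, and the sample messages are constructed.

```python
DISCARD = "~"

# Constructed sample messages as (programname, msg); the kernel lines
# imitate iptables LOG output, the rest are stand-ins for the named programs.
SAMPLE = [
    ("kernel",  "IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=51413"),
    ("kernel",  "IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=22"),
    ("kernel",  "Adding 2047996k swap on /dev/sda2. Priority:-1 extents:1"),
    ("openvpn", "MANAGEMENT: CMD 'status 2'"),
    ("openvpn", "Peer Connection Initiated with [AF_INET]198.51.100.20:1194"),
    ("apcupsd", "Power failure."),
    ("cron",    "(root) CMD (run-parts /etc/cron.hourly)"),
]

# One entry per filter line: a predicate over (programname, msg) and the
# actions taken on a match. A bare "~" is [DISCARD]; "file" followed by
# "& ~" is [file, DISCARD]. Order follows the reply.
RULES_AS_POSTED = [
    (lambda p, m: p == "apcupsd", [DISCARD]),
    (lambda p, m: p == "openvpn" and "MANAGEMENT" in m, [DISCARD]),
    (lambda p, m: p == "kernel" and "DPT=51413" in m, [DISCARD]),
    (lambda p, m: p == "kernel", ["/var/log/firewall", DISCARD]),
    (lambda p, m: p == "openvpn", ["/var/log/openvpn", DISCARD]),
]

# Variant from the end of the thread: only kernel lines carrying the iptables
# "IN=" field count as firewall traffic, so boot and driver messages fall
# through to /var/log/messages instead of landing in the firewall log.
RULES_TIGHT = RULES_AS_POSTED[:3] + [
    (lambda p, m: p == "kernel" and "IN=" in m, ["/var/log/firewall", DISCARD]),
] + RULES_AS_POSTED[4:]

def route(rules, program, msg):
    """Model of rsyslog's top-to-bottom evaluation: a file action appends and
    continues, a discard stops; survivors reach the catch-all messages file."""
    files = []
    for pred, actions in rules:
        if not pred(program, msg):
            continue
        for action in actions:
            if action == DISCARD:
                return files
            files.append(action)
    files.append("/var/log/messages")
    return files

if __name__ == "__main__":
    for prog, msg in SAMPLE:
        print(f"{prog:8} {msg[:38]:38} -> {route(RULES_TIGHT, prog, msg) or '(dropped)'}")
```

Swapping the DPT=51413 drop below the kernel split rule is enough to let those lines into /var/log/firewall before they are discarded, which is why the drop rules sit at the top of the posted list.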