Frothy Coffee!
Hello,
How do I filter logs from being sent to a remote rsyslog server? For instance I would like to prevent cron jobs from being sent to the rsyslog server. I currently have the syntax
in my rsyslog.conf file. This forwards all logs to the remote server. Now I want to start to filter out what gets sent. I'm staring with cron jobs for example. Thanks.Code:*.* @192.168.1.10:514
Geek
Check /etc/rsyslog.conf
It may be remarked out w\an "#", if it is, unremark it andCode:for cron.* /var/log/cronIt can remain commented out, if that line exists and you can just add this to the bottom of the /etc/rsyslog.conf file:Code:service rsyslog restart
andCode:# Log cron stuff cron.* /var/log/cron *.* @192.168.1.10:514That should do it.Code:service rsyslog restart
Windows assumes the user is an idiot.
Linux demands proof.
Frothy Coffee!
I tried your suggestion prior to posting. I initially did not have theOriginally Posted by Habitual
line in my rsyslog.conf file. I added this in and it resulted in the logs being sent to the new cron file as well as being sent to the server. Here is my complete rsyslog.conf file. Thanks.Code:cron.* /var/log/cron
Code:root@pf1:~# vi /etc/rsyslog.conf # For more information see # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html # # Default logging rules can be found in /etc/rsyslog.d/50-default.conf ################# #### MODULES #### ################# $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support (previously done by rklogd) #$ModLoad immark # provides --MARK-- message capability # provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 # Enable non-kernel facility klog messages $KLogPermitNonKernelFacility on ########################### #### GLOBAL DIRECTIVES #### ########################### # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Filter duplicated messages $RepeatedMsgReduction on # # Set the default permissions for all log files. # $FileOwner syslog $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $PrivDropToUser syslog $PrivDropToGroup syslog # # Where to place spool files # $WorkDirectory /var/spool/rsyslog # # Include all config files in /etc/rsyslog.d/ # # Log cron stuff cron.* /var/log/cron $IncludeConfig /etc/rsyslog.d/*.conf *.* @192.168.1.10:514
Geek
I stripped the comments out and here is the result, including what I believe needs to happen:
and of course, restart usingCode:$KLogPermitNonKernelFacility on $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $RepeatedMsgReduction on $FileOwner syslog $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 $PrivDropToUser syslog $PrivDropToGroup syslog $WorkDirectory /var/spool/rsyslog $IncludeConfig /etc/rsyslog.d/*.conf ### lingpanda cron.* /var/log/cron :msg, contains, "cron" /var/log/cron ~ *.* @192.168.1.10:514after edit/save...Code:service rsyslog restart
Also, check /etc/rsyslog.d/50-default.conf for commented cron entry, and remove the comment, save and exit. Restart rsyslog, see what's what.
Last edited by Habitual; May 28th, 2015 at 05:12 PM.
Windows assumes the user is an idiot.
Linux demands proof.
Frothy Coffee!
OK I might be at fault here. I decided to take a look at my syslog file and I notice the cron messages are missing. But for whatever reason they are still showing up on my server. It would seem that all was needed is
to prevent them from going to syslog.Code:cron .* /var/log/cron
These are the cron messages I see being forwarded.
Code:root@pf1:~# cat /etc/cron.d/sysstat # The first element of the path is a directory where the debian-sa1 # script is located PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin # Activity reports every 10 minutes everyday 5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1 # Additional run at 23:59 to rotate the statistics file 59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
and executing
Code:crontab -e
Geek
Sorry, I'm stumped.
Windows assumes the user is an idiot.
Linux demands proof.
Frothy Coffee!
Habitual I appreciate your time. I did finally settle on a solution that worked. I added the following in my rsyslog.conf file.
I believe I covered all the facility and priority keywords. Not exactly what I wanted to do but it works.Code:cron.* /var/log/cron.log :msg, contains, "cron" stop auth,authpriv,daemon,kern,lpr,mail,mark,news,syslog,user,uucp,local0,local1,local2,local3,local4,local5,local6,local7.* @192.168.1.10:514
Geek
Good Job and Well Done!
I saw that you weren't utilizing the facilities, but I didn't want to open a can-of-worms.
Props+
Windows assumes the user is an idiot.
Linux demands proof.
Posting Permissions
Adv Reply
Bookmarks