Difference between revisions of "Rsyslog"

From WhyAskWhy.org Wiki
(Stub page that describes the discard operator/action.)
 
m (Added additional references.)

Revision as of 23:42, 4 September 2014


Scratch notes on Rsyslog

discard operator

The discard operator (also called the "discard action") is the ~ character. Using it tells rsyslog to discard the log messages matched by the preceding filter. It is commonly combined with the & character, which allows multiple actions per selector. That combination lets you direct matching log messages to a specific file while preventing the same message from being logged a second time in a more general log file.


v5-stable

From an Ubuntu 12.04 LTS box:

# /etc/rsyslog.d/20-ufw.conf

# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
& ~


v7-stable

As of v7-stable this operator is marked as deprecated, and rsyslog recommends a different syntax, as this warning shows:

 rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]

From an Ubuntu 14.04 LTS box running v7.4.x, using the suggested syntax:

# /etc/rsyslog.d/20-ufw.conf

:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
& stop

The & character is necessary (I found out the hard way) to "glue" the discard action to the filter above; otherwise it stops all log messages from being logged from that point forward.

Another example, using the newer block syntax:

auth,authpriv.* {
 /var/log/secure
 stop
}
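To make the behaviour of ~, stop and the & continuation concrete, here is a small, constructed model of how rsyslog evaluates a list of legacy rules. It is an added example written for these notes; it is not code from the wiki or from the rsyslog project, and it only models the pieces used above (facility.priority selectors, :msg,... property filters, & chaining, file actions, and the two discard actions). It does not model the block syntax. The message objects, the sample log lines and the two configurations are constructed for the demonstration; run it to see that a discard chained with & drops only the matched UFW message, while an unchained catch-all discard placed at the same point silences every rule after it.

```python
"""
Toy evaluator for rsyslog-style legacy rules (constructed teaching model,
not rsyslog's own code). Supported: 'facility.priority' selectors,
':msg,<op>,"value"' property filters, '&' continuation lines, file actions,
and the discard actions '~' and 'stop'.
"""
import re
from dataclasses import dataclass

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


@dataclass
class Msg:
    facility: str
    priority: str
    text: str


# :msg,contains,"[UFW " /var/log/ufw.log  ->  (prop, op, value, action)
PROP_FILTER = re.compile(r'^:(\w+),(\w+),"([^"]*)"\s+(\S+)$')


def _selector_matcher(selector):
    """Predicate for 'kern.*', 'auth,authpriv.*', '*.warning', 'mail.none' etc."""
    fac_part, pri_part = selector.rsplit(".", 1)
    facilities = None if fac_part == "*" else set(fac_part.split(","))
    if pri_part == "*":
        min_level = 0
    elif pri_part == "none":
        min_level = None  # '.none' never matches
    else:
        min_level = PRIORITIES.index(pri_part)  # priority N means N and above

    def match(msg):
        if facilities is not None and msg.facility not in facilities:
            return False
        if min_level is None:
            return False
        return PRIORITIES.index(msg.priority) >= min_level

    return match


def _property_matcher(prop, op, value):
    """Property filter; only the 'msg' property with three operations is modelled."""
    if prop != "msg":
        raise ValueError(f"unsupported property {prop!r} in this toy model")
    ops = {
        "contains": lambda t: value in t,
        "startswith": lambda t: t.startswith(value),
        "isequal": lambda t: t == value,
    }
    return lambda msg: ops[op](msg.text)


def parse_rules(config_text):
    """Return a list of (matcher, [actions]); a leading '&' appends to the previous rule."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("&"):
            if not rules:
                raise ValueError("'&' continuation with no preceding filter")
            rules[-1][1].append(line[1:].strip())
            continue
        m = PROP_FILTER.match(line)
        if m:
            prop, op, value, action = m.groups()
            rules.append((_property_matcher(prop, op, value), [action]))
        else:
            selector, action = line.split(None, 1)
            rules.append((_selector_matcher(selector), [action.strip()]))
    return rules


def route(config_text, messages):
    """Deliver messages; '~' or 'stop' ends processing of the current message only."""
    files = {}
    rules = parse_rules(config_text)
    for msg in messages:
        for matcher, actions in rules:
            if not matcher(msg):
                continue
            discarded = False
            for action in actions:
                if action in ("~", "stop"):
                    discarded = True
                    break
                files.setdefault(action, []).append(msg.text)
            if discarded:
                break
    return files


# Constructed sample messages, not real log data.
SAMPLE = [
    Msg("kern", "info", "[UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1"),
    Msg("kern", "warning", "usb 1-1: device descriptor read error"),
    Msg("auth", "info", "sshd: Accepted publickey for alice"),
]

# Discard glued to the UFW filter with '&': only matched messages are dropped.
CHAINED = '''
:msg,contains,"[UFW " /var/log/ufw.log
& stop
kern.* /var/log/kern.log
auth,authpriv.* /var/log/auth.log
'''

# An unchained catch-all discard at the same spot stops everything after it.
UNCHAINED = '''
:msg,contains,"[UFW " /var/log/ufw.log
*.* stop
kern.* /var/log/kern.log
auth,authpriv.* /var/log/auth.log
'''

if __name__ == "__main__":
    print("chained '& stop':   ", route(CHAINED, SAMPLE))
    print("unchained '*.* stop':", route(UNCHAINED, SAMPLE))
```

With the chained configuration the UFW line lands only in /var/log/ufw.log and the other two messages still reach kern.log and auth.log; with the unchained discard nothing but ufw.log is ever written, which is the "stops all log messages from that point forward" effect described above. Swapping `& stop` for `& ~` gives the same routing, and removing the continuation line entirely shows the duplicate-logging case, with the UFW line in both ufw.log and kern.log.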


References

Rsyslog actions

* (master branch): http://www.rsyslog.com/doc/master/configuration/actions.html
* v5-stable: http://www.rsyslog.com/doc/v5-stable/configuration/actions.html
* v7-stable: http://www.rsyslog.com/doc/v7-stable/configuration/actions.html

Filters

* Discarding unwanted messages: http://www.rsyslog.com/discarding-unwanted-messages/
* Rsyslog Filter Conditions: http://www.rsyslog.com/doc/rsyslog_conf_filter.html
* Rsyslog property based filtering features: http://blog.endpoint.com/2014/09/rsyslog-new-filtering-features.html
* Problems with v7 and stop: http://kb.monitorware.com/problems-with-and-stop-t11760.html

Properties

* Available Properties: http://www.rsyslog.com/doc/property_replacer.html

Receiving from and Sending to remote Syslog boxes

* Integration with "standard" syslogd: http://www.rsyslog.com/integration-with-standard-syslogd/
* Storing Messages from a Remote System into a specific File: http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/
* Storing and forwarding remote messages: http://www.rsyslog.com/storing-and-forwarding-remote-messages/
* Rsyslog outputting to custom log file: http://superuser.com/questions/626977/rsyslog-outputting-to-custom-log-file