
Re: managing syslog

Frode Haugsgjerd wrote:
On Fri, Aug 27, 2004 at 06:20:27PM -0400, Stephen Gran wrote:

Hello all,

I am sorry to have to ask this here - it seems like it just should be
working, but it's not, and I am now starting to get frustrated.

At work we have several machines that output a lot of garbage to syslog,
most of which we don't need to see.  The programs responsible for the
garbage are also capable of sending admin emails for alerts, so I thought
that a nice idea might be to have syslog log all of the messages to a
separate file that we don't logcheck, and look them over if there's an
email or a problem (don't worry - these are non-mission critical type
apps, and are not network accessible, so I am not too worried about
missing a message for a little while).

I can configure the loglevel that the apps log to, fortunately, but it
doesn't seem to be working correctly.  So, if I am logging to syslog
level local7, I add this to syslog.conf as the first uncommented line:

local7.*  /var/log/noisy.log

and hup syslog.  I now see the messages from the apps in noisy.log, but
I still see the chatter in syslog :(  Does anyone see anything obviously
wrong with this, to help save me from tearing hair out?

|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |

syslog.conf doesn't work as a filter (check line for line, stop at first match)
like iptables or Cisco access lists do. If you've still got the default catch-all line:
*.*;auth,authpriv.none          -/var/log/syslog
in syslog.conf, the messages go there too.
Frode Haugsgjerd


Just give some other syslog daemon a try (syslog-ng; there is an official Debian package), or change logcheck to ignore the garbage.

On some machines, I'm using syslogd only to send the messages over the net to another host (with a daily-rotated all-in-one local file, kept gzipped for a few days, just for my paranoia), where syslog-ng captures them and then filters etc.

So if you cannot change the daemon, you can do it in a similar way.
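
The behaviour described in Frode's reply (every rule whose selector matches receives the message, with no first-match stop), as an added example that is not part of the original thread and is not sysklogd's own code. It is a simplified Python model of selector matching that supports only `*`, `none` and plain levels; the `local7.none` exclusion in the second constructed config is an addition made here, reusing the `.none` syntax of the default line.

```python
# Simplified model of sysklogd selector matching (added example, not sysklogd code).
# Supported priority forms: "*", "none", and a plain level (that level or more severe).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def parse_rule(line):
    """Return (accepted levels per facility, action) for one syslog.conf rule."""
    selectors, action = line.split(None, 1)
    accepted = {f: set() for f in FACILITIES}
    for selector in selectors.split(";"):  # later selectors override earlier ones
        facs, prio = selector.rsplit(".", 1)
        for name in (FACILITIES if facs == "*" else facs.split(",")):
            if prio == "none":
                accepted[name] = set()
            elif prio == "*":
                accepted[name] = set(LEVELS)
            else:  # plain level: that level and everything more severe
                accepted[name] |= set(LEVELS[: LEVELS.index(prio) + 1])
    return accepted, action.strip().lstrip("-")  # leading "-" only disables sync


def destinations(conf, facility, level):
    """Test the message against every rule; matching never stops at the first hit."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        accepted, action = parse_rule(line)
        if level in accepted[facility]:
            out.append(action)
    return out


# Constructed configs: the two lines from the thread, then with local7 excluded.
AS_POSTED = """
local7.*  /var/log/noisy.log
*.*;auth,authpriv.none          -/var/log/syslog
"""
WITH_EXCLUSION = """
local7.*  /var/log/noisy.log
*.*;auth,authpriv.none;local7.none          -/var/log/syslog
"""

if __name__ == "__main__":
    print(destinations(AS_POSTED, "local7", "info"))
    print(destinations(WITH_EXCLUSION, "local7", "info"))
```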
