rsyslog

The rocket-fast system for log processing

Discarding unwanted messages

Often there are messages that you know you will never want in any log file, and some of them are emitted very frequently, which makes the problem worse. There are several ways to get rid of such unwanted messages.

First of all, you need to identify them. Then look carefully and see what is special about these messages. A common case is that they contain a specific text inside the message itself. If so, you can filter on that text and discard anything that matches. You need to be careful, though: any other message that happens to contain the same text will also be discarded, and because parts of a message (a user name, a file name, a client-supplied string) are often under the control of whoever triggered it, a too-generic filter string can silence messages you would want to keep. So it is vital to make sure the text you use is actually unique to the noise you want to drop, and to check the remaining logs after the filter has been put in place.

In the sample below, let’s assume that you want to discard messages that contain either the text "user nagios" or "module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write". The latter is an actual sample from pulseaudio, which is known to spam syslog with an enormous volume of these messages.

Config Statements

:msg, contains, "user nagios" ~
:msg, contains, "module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write" ~
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog
# Log cron stuff
cron.*                                        /var/log/cron
# Everybody gets emergency messages
*.emerg                                       *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log
local7.*                                      /var/log/boot.log

Note that the two discard rules are each a single line, even though the second one is long: a property-based filter and its action must not be broken across lines in an actual rsyslog.conf. The ~ at the end is the discard action: a message that matches the filter is dropped and is not processed by any of the rules that follow it. In rsyslog 7 and later ~ is deprecated in favor of the equivalent stop statement (rsyslog warns about it at startup but still accepts it).

How it works

Note that the statements are placed at the top of rsyslog.conf. This means they are executed before any other action statement, so each message received is checked against the two strings and discarded if it matches one of them; a discarded message never reaches the rules that follow. Because rules are processed strictly in the order in which they appear, you can also move the discard rules to another place in rsyslog.conf if you want the messages written to some files but not to others. For example, this configuration:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# do not log the following to other files
:msg, contains, "user nagios" ~
:msg, contains, "module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write" ~
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog

writes all messages of level info or higher (except mail, authpriv and cron) to /var/log/messages, including the two kinds that are then discarded, so those never reach /var/log/secure, /var/log/maillog or any rule further down.
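To make the ordering concrete, here is a small Python simulator of rsyslog's legacy rule evaluation, written for this page as an added example; it is not rsyslog code and implements only the subset of rsyslog.conf used above (facility.priority selectors with none, the :msg, contains property filter and the ~ discard action). It runs the two layouts from this article over a few constructed log messages, including one that shows the caveat from the first section: an sshd authentication failure for an account named nagios also contains "user nagios" and is silently dropped. The program names, PIDs and addresses in the sample messages are made up.

```python
"""Simulator for rsyslog legacy rule ordering (added example, not rsyslog code).
Models only the subset of rsyslog.conf used on this page: facility.priority
selectors joined by ';' (including 'none'), the ':msg, contains, "..."' filter
and the '~' discard action. Configs and messages below are constructed."""
import re

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PROP_FILTER = re.compile(r':(\w+),\s*(\w+),\s*"(.*?)"\s+(\S.*)$')  # :prop, op, "value" action


def parse_conf(text):
    """Return rsyslog.conf text as an ordered list of (filter, action) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_FILTER.match(line)
        if m:
            prop, op, value, action = m.groups()
            rules.append((("prop", prop, op, value), action.strip()))
        else:  # classic 'selector   action' line
            selector, action = line.split(None, 1)
            rules.append((("sel", selector), action.strip()))
    return rules


def selector_matches(selector, facility, priority):
    """sysklogd semantics: each ';'-separated part overrides earlier parts for the
    facilities it names; 'none' excludes, '*' is every priority, '=pri' exactly
    one priority, anything else means that priority and above."""
    level = PRIORITIES.index(priority)
    selected = False
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if pri == "none":
            selected = False
        elif pri == "*":
            selected = True
        elif pri.startswith("="):
            selected = level == PRIORITIES.index(pri[1:])
        else:
            selected = level >= PRIORITIES.index(pri)
    return selected


def property_matches(prop, op, value, message):
    if op == "contains":
        return value in message[prop]
    raise ValueError(f"compare-operation {op!r} not modelled here")


def route(rules, message):
    """Walk the rules in order. Returns (destinations, discarded): the files the
    message was written to before a '~' rule, if any, stopped all processing."""
    destinations = []
    for filt, action in rules:
        if filt[0] == "sel":
            hit = selector_matches(filt[1], message["facility"], message["priority"])
        else:
            hit = property_matches(*filt[1:], message)
        if not hit:
            continue
        if action == "~":
            return destinations, True
        # drop the '-' (no fsync) prefix and any ';template' suffix from the file name
        destinations.append(action.lstrip("-").split(";")[0])
    return destinations, False


DISCARD_RULES = '''
:msg, contains, "user nagios" ~
:msg, contains, "module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write" ~
'''
MESSAGES_RULE = "*.info;mail.none;authpriv.none;cron.none   /var/log/messages\n"
OTHER_RULES = "authpriv.*   /var/log/secure\nmail.*   /var/log/maillog\n"
# Layout 1 of the article (discards at the top) and layout 2 (discards after /var/log/messages).
DISCARD_FIRST = parse_conf(DISCARD_RULES + MESSAGES_RULE + OTHER_RULES)
DISCARD_AFTER_MESSAGES = parse_conf(MESSAGES_RULE + DISCARD_RULES + OTHER_RULES)

SAMPLES = {  # constructed sample messages, not real log data
    "nagios": {"facility": "daemon", "priority": "info",
               "msg": "nrpe[2201]: connection from 10.0.0.7 accepted, running check as user nagios"},
    "alsa": {"facility": "user", "priority": "info",
             "msg": "pulseaudio[1803]: module-alsa-sink.c: ALSA woke us up to write new data "
                    "to the device, but there was actually nothing to write"},
    # unrelated to the noise, but also contains "user nagios": the filter eats this brute-force trace
    "ssh_failure": {"facility": "authpriv", "priority": "info",
                    "msg": "sshd[4112]: Failed password for invalid user nagios from 10.0.0.5 port 51112 ssh2"},
    "sudo": {"facility": "authpriv", "priority": "notice",
             "msg": "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"},
}

if __name__ == "__main__":
    for name, layout in (("discards first", DISCARD_FIRST),
                         ("discards after /var/log/messages", DISCARD_AFTER_MESSAGES)):
        print(f"== {name}")
        for key, message in SAMPLES.items():
            dests, dropped = route(layout, message)
            print(f"  {key:12} -> {dests or '(nothing)'}{'  [discarded]' if dropped else ''}")
```

Run it directly to see where each sample ends up under both layouts. The nagios and alsa lines reach /var/log/messages only in the second layout, as the text above describes. The ssh_failure line is the one to notice: a property filter does not know which program emitted a message, so the string "user nagios" also discards the sshd failure for that account, in both layouts and before it can reach /var/log/secure. A longer, more specific string, or a filter that also checks the programname property, avoids that.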

10 thoughts on “Discarding unwanted messages”

  1. Thanks. After I fixed the line break in the config statements outlined above it worked perfectly. Sweet.

  2. How to send different apache web server logs to a remote syslog server

    How to watch apache status code in loganalyzer

  3. Pingback: Discard message on Rsyslog

  4. Is the order of these entries important? So should discards come prior to the valid log destinations?

  5. Sorry, I looked over the command that does say that the order of these entries is indeed important.

    So, could you explain how to combine a msg and facility and/or a msg, facility and level?

  6. why are the linebreaks in here?
    Documentation needs to be CLEAN.
    Is there a RESTART needed?
    And please explain the meaning of ~ .
    Thanks.

  7. Thank you for this. I was looking for a way to remotely log authpriv messages without actually sending the command the user entered as sudo.

    :msg, contains, "USER=root" ~
    authpriv.info @remotesyslog.com:514

    Cheers!

  8. Dear sir,

    I have Rsyslog v5.x running on OpenSuse 11 with the following rules,
    which are working properly, whereas I installed / upgraded to Rsyslog
    v7.2.3 with OpenSuse 12.2; after that the same set of rules is NOT
    working. Kindly help, are there any major changes implemented in v7?

    The rules I tested, which were working in Rsyslog v5 and are NOT working
    on v7.2.3, are below:
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    if ($fromhost-ip != '127.0.0.1') and \
    ($msg contains 'ENVMON' or $msg contains 'duplex mismatch' or \
    $msg contains 'THRESHOLD_VIOLATION') \
    then -/var/log/remotelogs;RSYSLOG_TraditionalFileFormat
    &~

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Results in v7.2.3
    – Rsyslog daemon is loading w/o any error
    – whenever logs come from remote machines; NOTHING is matching;
    simply no log is captured

    Whereas the following RULE WORKS in both V5.x and V.7.2.3
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    if $fromhost-ip != '127.0.0.1' then
    -/var/log/remotelogs;RSYSLOG_TraditionalFileFormat
    &~
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Kindly help how do I create rules with complex (AND, OR conditions)?

    Awaiting your help

  9. Thanks for NOTHING. ALL THIS WAS A LOT OF JIBBER JABBER TO ME, didn’t know I’d have to read a whole dictionary to get a simple answer to a simple question. I just wanted to be able to TOTALLY DISCARD some of my info on my phone….yes, some emails &, or gmails also, because just DELETING them
    only transfers them to another place, it does NOT really delete them at all!!!
