Discarding unwanted messages

Often, there are some messages that you know you will never store in any log file. Even worse, these messages are sometimes very frequently emitted. There are various ways to get rid of those unwanted messages.

First of all, you need to identify them. Then look carfully and see what is special with these messages. A common case may be that they contain a specific text inside the message itself. If so, you can filter on that text and discard anything that matches. You need to be careful, though: if there are other messages matching this text, these other messages will also be discarded. So it is vital to make sure the text you use is actually unique.

In the sample below, let’s assume that you want to discard messages that contain either the text “user nagios” or “module-alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write”. The later is an actual sample from pulseaudio, which is known to spam syslog with an enourmous volume of these messages.

Config Statements

:msg, contains, "user nagios" ~
:msg, contains, "module-alsa-sink.c: ALSA woke us up to
write new data to the device, but there was actually
nothing to write" ~
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog
# Log cron stuff
cron.*                                        /var/log/cron
# Everybody gets emergency messages
*.emerg                                       *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log
local7.*                                      /var/log/boot.log

Note that these are just two lines. The second to forth line are just broken for printing purposes. These two must be on a single line in an actual rsyslog.conf.

How it works

Note that the statements are placed on top of rsyslog.conf. This makes them being executed before any other action statement. So each message received will be checked against the two string and be discarded, if a match is found. Note that you can move the discard action to another place inside rsyslog.conf if you would like to write the messages to some files, but not to others. For example, this configuration:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# do not log the following to other files

:msg, contains, "user nagios" ~

:msg, contains, "module-alsa-sink.c: ALSA woke us up to

write new data to the device, but there was actually

nothing to write" ~
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog

logs all messages to /var/log/messages, even those that then shall be discarded.

Scroll to top