[ale] rsyslog blank lines after a stop
Alex Carver via Ale
2018-07-22 17:04:59 UTC
On one of my machines a known bug is emitting harmless warning messages
that are getting sucked up into messages and kern.log. I just want to
silence these warnings so I set up at the top of rsyslog's configuration
(version 8.24.0):

:msg, contains, "text of warning" stop

This is before the kern.* that sends to kern.log and also before *.=warn
which sends to messages.

The result, though, is that the message is erased but a blank,
timestamped entry is added to both files. So where I used to get:

timestamp hostname kernel: [ticks] "text of warning here plus other
information" <EOL>

I now just get in both messages and kern.log:
timestamp hostname kernel: [ticks]<EOL>

I had expected the log entries to be gone completely. I have a similar
line at the top of rsyslog.conf that looks for key text and diverts to a
file:

:msg, contains, "key text" -/var/log/keytext.log
& stop

This one works, I don't get any "key text" entries in kern.log or
messages. I tried something similar using /dev/null but that still
causes the same blank lines.

I'm considering giving up and switching to syslog-ng on this system but
I figured I'd ask and see if anyone had a thought. Searching everywhere
online doesn't offer any suggestions about why I get blank lines after a
stop.
_______________________________________________
Ale mailing list
***@ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
George Allen via Ale
2018-07-28 02:58:16 UTC
The RainerScript format may help with anything beyond the defaults with
rsyslog: https://www.rsyslog.com/doc/v8-stable/rainerscript/index.html

You could do something like:
ruleset( name="DealWithBuggyMachine" ){
    if $fromhost-ip == "192.0.2.2" then {
        # divert the "key text" lines to their own file, then discard them
        if $msg contains "key text" then {
            action( type="omfile" file="/var/log/keytext.log" )
            stop
        }
        # drop the noisy warning outright
        if $msg contains "text of warning" then {
            stop
        }
        # everything else from that host
        action( type="omfile" file="/var/log/otherfile.log" )
    }
}

See also for sanity's sake:
https://github.com/evertrue/logserver-cookbook/wiki/Supplemental-rsyslog-documentation
And
https://selivan.github.io/2017/02/07/rsyslog-log-forward-save-filename-handle-multi-line-failover.html
with the "legacy" and "modern" comparisons...

Takes a minute to figure out RainerScript, but well worth it.

-George
Alex Carver via Ale
2018-07-28 05:57:49 UTC
I did it with RainerScript as well. Didn't work.

if ($msg contains "key word") then {
stop
}

Still gives me blank lines.
George Allen via Ale
2018-07-28 11:54:29 UTC
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional") # <---- is there anything in here?

# both of these worked with `logger test1` or `logger test2` on the
# command line, but let `logger test` pass
if $msg contains "test1" then { stop }
if ($msg contains "test2") then { stop }

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
Alex Carver via Ale
2018-07-28 17:52:33 UTC
No, there's nothing in rsyslog.d to load. My rule is at the very top of
the file and I cut and paste the undesired log data into the config file.

Here's one of the messages without the rule
2018-07-21T11:51:51.289243-07:00 mail kernel: [ 421.776959]
WARN::dwc_otg_handle_mode_mismatch_intr:68: Mode Mismatch Interrupt:
currently in Host mode<EOL>

Here's the message with the rules I've used so far:
2018-07-21T12:16:34.529168-07:00 mail kernel: [ 1905.028727]<EOL>

The rules I've used include:

if ($msg contains "dwc_otg_handle_mode_mismatch_intr" ) then {
stop
}

:msg, contains, "dwc_otg_handle_mode_mismatch_intr" stop


So it seems to be erasing the message itself but still logging an event
timestamp to /var/log/messages and /var/log/kern.

I have a different rule that I use to move iptables messages to another
file:

:msg, contains, "iptables:" -/var/log/iptables.log
& stop

This one works fine, no messages show up in /var/log/messages or
/var/log/kern and they all end up in /var/log/iptables.log

I don't see why my dwc_otg rule should make blank entries while the
iptables rule does not.
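A quick way to measure how many of the stray timestamped entries a stop rule is leaving behind, added here as an example and not code from the thread: it parses the kern.log line layout Alex pasted (RFC 3339 timestamp, host, "kernel:", the "[ ticks]" prefix, optional body) with a constructed regex and separates entries that carry a body from ones that end right after the prefix. The sample lines are constructed from the two he posted.

```python
import re

# Layout of the kern.log / messages entries shown in the thread (constructed
# regex, not taken from rsyslog's docs): timestamp, hostname, "kernel:",
# the "[ ticks]" prefix, then an optional message body.
KERNEL_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel:\s+\[\s*(?P<ticks>[0-9.]+)\]\s*(?P<body>.*)$'
)

def classify_kernel_lines(lines):
    """Split kernel log lines into full entries and blank-body entries.

    Returns (full, blank, other): full and blank are lists of regex-group
    dicts; other holds lines that are not kernel entries at all.
    Trailing whitespace after the "]" still counts as a blank body.
    """
    full, blank, other = [], [], []
    for line in lines:
        m = KERNEL_LINE.match(line.rstrip('\n'))
        if not m:
            other.append(line)
            continue
        entry = m.groupdict()
        (blank if not entry['body'] else full).append(entry)
    return full, blank, other

def blank_entry_ratio(lines):
    """Fraction of kernel entries that carry no body (0.0 when none)."""
    full, blank, _ = classify_kernel_lines(lines)
    total = len(full) + len(blank)
    return (len(blank) / total) if total else 0.0

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE = [
    "2018-07-21T11:51:51.289243-07:00 mail kernel: [  421.776959] WARN::dwc_otg_handle_mode_mismatch_intr:68: Mode Mismatch Interrupt: currently in Host mode",
    "2018-07-21T12:16:34.529168-07:00 mail kernel: [ 1905.028727]",
    "2018-07-21T12:16:35.000000-07:00 mail kernel: [ 1905.500000] usb 1-1: new high-speed USB device",
    "2018-07-21T12:16:36.000000-07:00 mail sshd[123]: Accepted publickey for alice",
]

if __name__ == "__main__":
    full, blank, other = classify_kernel_lines(SAMPLE)
    print(f"{len(full)} full, {len(blank)} blank-body, {len(other)} non-kernel")
    for e in blank:
        print("blank entry at", e['ts'], "ticks", e['ticks'])
```

Run it over /var/log/kern.log (e.g. `classify_kernel_lines(open('/var/log/kern.log'))`) before and after changing the rule to confirm whether the blank entries actually went away.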