[ale] rsyslog blank lines after a stop

Alex Carver agcarver+ale at acarver.net
Sat Jul 28 01:57:49 EDT 2018


I did it with RainerScript as well.  Didn't work.

if ($msg contains "key word") then {
  stop
}

Still gives me blank lines.

On 2018-07-27 19:58, George Allen wrote:
> The RainerScript format may help with anything beyond the defaults with
> rsyslog: https://www.rsyslog.com/doc/v8-stable/rainerscript/index.html
> 
> You could do something like:
> ruleset( name="DealWithBuggyMachine" ){
>   if $fromhost-ip == "192.0.2.2" then {
>     if $msg contains "key test" then {
>       action( type="omfile" file="/var/log/keytext.log" )
>       stop
>     }
>     if $msg contains "text of warning" then {
>       stop
>     }
>     action( type="omfile" file="/var/log/otherfile.log" )
>   }
> }
> 
> See also for sanity's sake:
> https://github.com/evertrue/logserver-cookbook/wiki/Supplemental-rsyslog-documentation
> And
> https://selivan.github.io/2017/02/07/rsyslog-log-forward-save-filename-handle-multi-line-failover.html
> with the "legacy" and "modern" comparisons...
> 
> Takes a minute to figure out RainerScript, but well worth it.
> 
> -George
> 
> 
> 
> On Sun, Jul 22, 2018 at 1:04 PM, Alex Carver via Ale <ale at ale.org> wrote:
> 
>> On one of my machines a known bug is emitting harmless warning messages
>> that are getting sucked up into messages and kern.log.  I just want to
>> silence these warnings so I set up at the top of rsyslog's configuration
>> (version 8.24.0):
>>
>> :msg, contains, "text of warning" stop
>>
>> This is before the kern.* that sends to kern.log and also before *.=warn
>> which sends to messages.
>>
>> The result, though, is that the message is erased but a blank,
>> timestamped entry is added to both files.  So where I used to get:
>>
>> timestamp hostname kernel: [ticks] "text of warning here plus other
>> information" <EOL>
>>
>> I now just get in both messages and kern.log:
>> timestamp hostname kernel: [ticks]<EOL>
>>
>> I had expected the log entries to be gone completely.  I have a similar
>> line at the top of rsyslog.conf that looks for key text and diverts to a
>> file:
>>
>> :msg, contains, "key text" -/var/log/keytext.log
>> & stop
>>
>> This one works, I don't get any "key text" entries in kern.log or
>> messages.  I tried something similar using /dev/null but that still
>> causes the same blank lines.
>>
>> I'm considering giving up and switching to syslog-ng on this system but
>> I figured I'd ask and see if anyone had a thought.  Searching everywhere
>> online doesn't offer any suggestions about why I get blank lines after a
>> stop.