[ale] rsyslog blank lines after a stop
    Alex Carver 
    agcarver+ale at acarver.net
       
    Sat Jul 28 13:52:33 EDT 2018
    
    
  
No, there's nothing in rsyslog.d to load.  My rule is at the very top of
the file and I cut and paste the undesired log data into the config file.
Here's one of the messages without the rule
2018-07-21T11:51:51.289243-07:00 mail kernel: [  421.776959]
WARN::dwc_otg_handle_mode_mismatch_intr:68: Mode Mismatch Interrupt:
currently in Host mode<EOL>
Here's the message with the rules I've used so far:
2018-07-21T12:16:34.529168-07:00 mail kernel: [ 1905.028727]<EOL>
The rules I've used include:
if ($msg contains "dwc_otg_handle_mode_mismatch_intr" ) then {
        stop
}
:msg, contains, "dwc_otg_handle_mode_mismatch_intr" stop
So it seems to be erasing the message itself but still logging an event
timestamp to /var/log/messages and /var/log/kern.
I have a different rule that I use to move iptables messages to another
file:
:msg, contains, "iptables:"     -/var/log/iptables.log
& stop
This one works fine, no messages show up in /var/log/messages or
/var/log/kern and they all end up in /var/log/iptables.log
I don't see why my dwc_otg rule should make blank entries wile the
iptables rule does not.
On 2018-07-28 04:54, George Allen wrote:
> # Include all config files in /etc/rsyslog.d/
> include(file="/etc/rsyslog.d/*.conf" mode="optional")  # <---- is there
> anything in here?
> 
> # both of these worked with `logger test1` or `logger test2` on
> commandline, but let `logger test` pass
> if $msg contains "test1" then { stop }
> if ($msg contains "test2") then { stop }
> 
> #### RULES ####
> 
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.*                                                 /dev/console
> 
> 
> On Sat, Jul 28, 2018 at 1:57 AM, Alex Carver <agcarver+ale at acarver.net>
> wrote:
> 
>> I did it with RanierScript as well.  Didn't work.
>>
>> if ($msg contains "key word") then {
>> stop
>> }
>>
>> Still gives me blank lines.
>>
>> On 2018-07-27 19:58, George Allen wrote:
>>> The RanierScript format may help with anything beyond the defaults with
>>> rsyslog: https://www.rsyslog.com/doc/v8-stable/rainerscript/index.html
>>>
>>> You could do something like:
>>> ruleset( name="DealWithBuggyMachine" ){
>>>   if $fromhost-ip == "192.0.2.2" then {
>>>     if $msg contains "key test" then {
>>>       action( type="omfile" file="/var/log/keytext.log" )
>>>       stop
>>>     }
>>>     if $msg contains "text of warning" then {
>>>       stop
>>>     }
>>>     action( type="omfile" file="/var/log/otherfile.log" )
>>>   }
>>> }
>>>
>>> See also for sanity's sake:
>>> https://github.com/evertrue/logserver-cookbook/wiki/
>> Supplemental-rsyslog-documentation
>>> And
>>> https://selivan.github.io/2017/02/07/rsyslog-log-
>> forward-save-filename-handle-multi-line-failover.html
>>> with the "legacy" and "modern" comparisons...
>>>
>>> Takes a minute to figure out Ranierscript, but well worth it.
>>>
>>> -George
>>>
>>>
>>>
>>> On Sun, Jul 22, 2018 at 1:04 PM, Alex Carver via Ale <ale at ale.org>
>> wrote:
>>>
>>>> On one of my machines a known bug is emitting harmless warning messages
>>>> that are getting sucked up into messages and kern.log.  I just want to
>>>> silence these warnings so I set up at the top of rsyslog's configuration
>>>> (version 8.24.0):
>>>>
>>>> :msg, contains, "text of warning" stop
>>>>
>>>> This is before the kern.* that sends to kern.log and also before *.=warn
>>>> which sends to messages.
>>>>
>>>> The result, though, is that the message is erased but a blank,
>>>> timestamped entry is added to both files.  So where I used to get:
>>>>
>>>> timestamp hostname kernel: [ticks] "text of warning here plus other
>>>> information" <EOL>
>>>>
>>>> I now just get in both messages and kern.log:
>>>> timestamp hostname kernel: [ticks]<EOL>
>>>>
>>>> I had expected the log entries to be gone completely.  I have a similar
>>>> line at the top of rsyslog.conf that looks for key text and diverts to a
>>>> file:
>>>>
>>>> :msg, contains, "key text" -/var/log/keytext.log
>>>> & stop
>>>>
>>>> This one works, I don't get any "key text" entries in kern.log or
>>>> messages.  I tried something similar using /dev/null but that still
>>>> causes the same blank lines.
>>>>
>>>> I'm considering giving up and switching to syslog-ng on this system but
>>>> I figured I'd ask and see if anyone had a thought.  Searching everywhere
>>>> online doesn't offer any suggestions about why I get blank lines after a
>>>> stop.
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> https://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>
>>
>>
> 
    
    
More information about the Ale
mailing list