rsyslog / cron / deleting rules

rsyslog / cron / deleting rules

  • Written by Walter Doekes

  • Published on: 2014-09-10

Syslog generally works fine as it is, so I don’t need to poke around in it often. That also means that I forget how to tweak it.

How did you move those every-5-minutes cron jobs out of /var/log/syslog?

The rules (selection + action) look like this in the Debian default config:

*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log

The manual has this to say about it:

You can specify multiple facilities with the same priority pattern in one statement using the comma (,) operator. You may specify as much facilities as you want. Remember that only the facility part from such a statement is taken, a priority part would be skipped.

Multiple selectors may be specified for a single action using the semicolon (;) separator. Remember that each selector in the selector field is capable to overwrite the preceding ones. Using this behavior you can exclude some priorities from the pattern.

I.e. for our needs, the following two are equivalent:

*.*;auth,authpriv,cron.none     -/var/log/syslog
cron.*                          /var/log/cron.log

And:

*.*;auth.none;authpriv.none;cron.none -/var/log/syslog
cron.*                          /var/log/cron.log

Secondly, my cron jobs never crash the system, so I add a minus (-) before the /var/log/cron.log as well.

Can we not touch the default rsyslog.conf and use only additional files in rsyslog.d?

No. Apparently you cannot overwrite or delete older rules with rsyslog. As CCSF writes:

rsyslog has introduced the use of a configuration directory /etc/rsyslog.d. File with the extension .conf in this directory are included by rsyslog.conf. The include happens between the modules/templates section and the rules section. Thus the included files can have modules and templates as well as rules. Create a .conf file in this directory if possible and avoid modifying rsyslog.conf itself. Note that this is only possible if you want to add modules and rules. If you need to modify existing rules or delete current modules you must still modify rsyslog.conf.

That confirms my suspicions. Unfortunately. We still need to go into rsyslog.conf to add cron.none (and local0..7.none for the machines that use that). If you have any tips/clues, please tell me.

Update 2015-04-17

Apparently there is a way, at least with recent-ish rsyslog versions like 5.8. Put this in a file in /etc/rsyslog.d/:

cron.*                          /var/log/cron.log
& ~

local3.*                        /var/log/local3-stuff.log
& ~

The & ~ will discard the last matched line so it doesn’t show up in any further logs.

Another tip, if you want to combine multiple property based filters: you can’t. But you can use the single line RainerScript filters, like this:

if $syslogfacility-text == 'local0' and \
   $msg contains 'SPECIAL' then \
  /var/log/rare-and-special.log
local0.* /var/log/local0.log
& ~

Back to overview Newer post: python / ctypes / socket / datagram Older post: Maintenance datacenter TCN (13, 20, 27 Sept.)