[ale] rsyslog blank lines after a stop

George Allen glallen01 at gmail.com
Fri Jul 27 22:58:16 EDT 2018


The RainerScript format may help with anything beyond the defaults with
rsyslog: https://www.rsyslog.com/doc/v8-stable/rainerscript/index.html

You could do something like:
ruleset( name="DealWithBuggyMachine" ){
  if $fromhost-ip == "192.0.2.2" then {
    # divert the "key text" messages to their own file, then stop
    if $msg contains "key text" then {
      action( type="omfile" file="/var/log/keytext.log" )
      stop
    }
    # discard the known warning
    if $msg contains "text of warning" then {
      stop
    }
    # everything else from this host
    action( type="omfile" file="/var/log/otherfile.log" )
  }
}

See also for sanity's sake:
https://github.com/evertrue/logserver-cookbook/wiki/Supplemental-rsyslog-documentation
And
https://selivan.github.io/2017/02/07/rsyslog-log-forward-save-filename-handle-multi-line-failover.html
with the "legacy" and "modern" comparisons...

Takes a minute to figure out RainerScript, but well worth it.

-George



On Sun, Jul 22, 2018 at 1:04 PM, Alex Carver via Ale <ale at ale.org> wrote:

> On one of my machines a known bug is emitting harmless warning messages
> that are getting sucked up into messages and kern.log.  I just want to
> silence these warnings so I set up at the top of rsyslog's configuration
> (version 8.24.0):
>
> :msg, contains, "text of warning" stop
>
> This is before the kern.* that sends to kern.log and also before *.=warn
> which sends to messages.
>
> The result, though, is that the message is erased but a blank,
> timestamped entry is added to both files.  So where I used to get:
>
> timestamp hostname kernel: [ticks] "text of warning here plus other
> information" <EOL>
>
> I now just get in both messages and kern.log:
> timestamp hostname kernel: [ticks]<EOL>
>
> I had expected the log entries to be gone completely.  I have a similar
> line at the top of rsyslog.conf that looks for key text and diverts to a
> file:
>
> :msg, contains, "key text" -/var/log/keytext.log
> & stop
>
> This one works, I don't get any "key text" entries in kern.log or
> messages.  I tried something similar using /dev/null but that still
> causes the same blank lines.
>
> I'm considering giving up and switching to syslog-ng on this system but
> I figured I'd ask and see if anyone had a thought.  Searching everywhere
> online doesn't offer any suggestions about why I get blank lines after a
> stop.
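Added example, not part of either message: a named ruleset only processes messages from an input bound to it, so the ruleset in the reply needs wiring along these lines. The UDP listener on port 514, the kern-facility condition and the catch-all file are assumptions; the ruleset name, address, match strings and other paths are the ones in the thread.

```rsyslog
# Assumption: the buggy machine forwards its logs to this host over UDP/514.
module(load="imudp")

ruleset(name="DealWithBuggyMachine") {
  if $fromhost-ip == "192.0.2.2" then {
    if $msg contains "key text" then {
      action(type="omfile" file="/var/log/keytext.log")
      stop
    }
    # Drop only kernel-facility messages carrying the known warning, so the
    # same substring from any other program on that host is still recorded.
    if $syslogfacility-text == "kern" and $msg contains "text of warning" then {
      stop
    }
    action(type="omfile" file="/var/log/otherfile.log")
  } else {
    # Other senders arriving on this input would otherwise match no action
    # and be lost; keep a catch-all (hypothetical path).
    action(type="omfile" file="/var/log/remote-other.log")
  }
}

# The ruleset is defined first, then the input is bound to it.
input(type="imudp" port="514" ruleset="DealWithBuggyMachine")
```

Check the syntax with `rsyslogd -N1` before restarting the daemon.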