--
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rick Cook, The Wizardry Compiled
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
08-20-2012, 03:29 PM
"Bob Goodwin - Zuni, Virginia, USA"
Save rsyslog data -
On 20/08/12 10:54, Ed Greshko responds:
On 08/20/2012 10:44 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
It doesn't seem to accept double quotes, single still yields an
error message.
[bobg@box9 ~]$ cat /var/log/tomato.log
Aug 20 11:02:27 box9 rsyslogd: the last error occured in
/etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal,
'192.168.1.9' /var/log/tomato.log"
--
http://www.qrz.com/db/W2BOD
box9
08-20-2012, 03:42 PM
Ed Greshko
Save rsyslog data -
On 08/20/2012 11:29 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
> It doesn't seem to accept double quotes, single still yields an
> error message.
>
> [bobg@box9 ~]$ cat /var/log/tomato.log
>
> Aug 20 11:02:27 box9 rsyslogd: the last error occured in
> /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal,
> '192.168.1.9' /var/log/tomato.log"
Well... All I can say at this point is....
1. I don't use :source
2. I log info from my dlink in a file which is not /var/log/messages and that is what I think you are trying to do.
3. These work just fine for me....
if $msg contains 'from 192.168.0.18' then ~ (discard messages which match)
if $msg contains 'D-Link' then /var/log/dlink.log (log messages containing D-Link in dlink.log)
So.... Maybe you should post a copy of the entries that are filling up your /var/log/messages file?
08-20-2012, 03:58 PM
"Bob Goodwin - Zuni, Virginia, USA"
Save rsyslog data -
On 20/08/12 11:42, Ed Greshko responds:
> On 08/20/2012 11:29 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
>> It doesn't seem to accept double quotes, single still yields an
>> error message.
>>
>> [bobg@box9 ~]$ cat /var/log/tomato.log
>>
>> Aug 20 11:02:27 box9 rsyslogd: the last error occured in
>> /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal,
>> '192.168.1.9' /var/log/tomato.log"
> Well... All I can say at this point is....
> 1. I don't use :source
> 2. I log info from my dlink in a file which is not /var/log/messages and that is what I think you are trying to do.
> 3. These work just fine for me....
> if $msg contains 'from 192.168.0.18' then ~ (discard messages which match)
> if $msg contains 'D-Link' then /var/log/dlink.log (log messages containing D-Link in dlink.log)
Aug 20 11:52:49 box9 dbus-daemon[584]: ** Message: No devices in use, exit
Aug 20 11:52:55 localhost kernel: ACCEPT IN=br0 OUT=vlan1
SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63
ID=58958 DF PROTO=TCP SPT=54393 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
OPT (020405B40402080A01BB3D530000000001030307)
Aug 20 11:52:55 localhost rstats[3474]: Problem loading /home/bobg/Ulog.
Still trying...
Aug 20 11:53:08 localhost kernel: ACCEPT IN=br0 OUT=vlan1
SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63
ID=40904 DF PROTO=TCP SPT=54394 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
OPT (020405B40402080A01BB68E30000000001030307)
08-20-2012, 04:07 PM
Ed Greshko
Save rsyslog data -
On 08/20/2012 11:58 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
> [root@box9 bobg]# cat /var/log/messages
>
> ................ snip a few megs ................
>
> Aug 20 11:52:44 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3031 DF PROTO=TCP SPT=54392 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB124B0000000001030307)
> Aug 20 11:52:49 box9 dbus-daemon[584]: ** Message: No devices in use, exit
> Aug 20 11:52:55 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58958 DF PROTO=TCP SPT=54393 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB3D530000000001030307)
> Aug 20 11:52:55 localhost rstats[3474]: Problem loading /home/bobg/Ulog. Still trying...
> Aug 20 11:53:08 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40904 DF PROTO=TCP SPT=54394 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB68E30000000001030307)
It was my understanding that you were trying to shunt log entries sent by your "router" to a file different than /var/log/messages.
What you are showing are logs generated by your "localhost" that are created by iptables. You seem to have a rule set up to log entries with "ACCEPT" which is certain to fill up your log files.
I think your "problem" is really in your iptables setup and nothing to do with rsyslog.
08-20-2012, 04:17 PM
"Bob Goodwin - Zuni, Virginia, USA"
Save rsyslog data -
On 20/08/12 12:07, Ed Greshko responds:
> It was my understanding that you were trying to shunt log entries sent by your "router" to a file different than /var/log/messages.
> What you are showing are logs generated by your "localhost" that are created by iptables. You seem to have a rule set up to log entries with "ACCEPT" which is certain to fill up your log files.
> I think your "problem" is really in your iptables setup and nothing to do with rsyslog.
Ok, but I have not intentionally done anything to accomplish that. This
must result from tomato's logging? Its internal log displays:
08-20-2012, 04:28 PM
Ed Greshko
Save rsyslog data -
On 08/21/2012 12:17 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
> Ok, but I have not intentionally done anything to accomplish that. This must result from tomato's logging? Its internal log displays:
>
> ............ snip ............
>
>> Aug 20 12:12:09 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63002 DF PROTO=TCP SPT=54721 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CCD3640000000001030307)
"tomato" is your router, right? Not a Fedora machine, right?
Those log entries are being written by "localhost". They are iptables log entries. Now, I see you having 2 choices.....
1. You could post your iptables rules and have someone debug them. (Sleep time for me, and not an iptables expert.)
2. Mask the problem by adding:
:msg, contains, "ACCEPT IN" ~
to your /etc/rsyslog.conf in the appropriate place....or in a /etc/rsyslog.d/maskmyproblem.conf file.
08-20-2012, 04:36 PM
"Bob Goodwin - Zuni, Virginia, USA"
Save rsyslog data -
On 20/08/12 12:28, Ed Greshko responds:
> "tomato" is your router, right? Not a Fedora machine, right?
> Those log entries are being written by "localhost". They are iptables log entries. Now, I see you having 2 choices.....
> 1. You could post your iptables rules and have someone debug them. (Sleep time for me, and not an iptables expert.)
> 2. Mask the problem by adding:
> :msg, contains, "ACCEPT IN" ~
> to your /etc/rsyslog.conf in the appropriate place....or in a /etc/rsyslog.d/maskmyproblem.conf file.
System information under status says:
System
Name tomato
Model Linksys WRT54G/GS/GL
Time Mon, 20 Aug 2012 12:33:00 -0400
Uptime 1 day, 23:14:16
CPU Load (1 / 5 / 15 mins) 0.01 / 0.01 / 0.00
Total / Free Memory 14.19
Anyway thanks for the help and good night, I know that it's 12 hours
later there.
Bob
08-20-2012, 04:43 PM
Ed Greshko
Save rsyslog data -
On 08/21/2012 12:36 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
> System information under status says:
>
> System
> Name tomato
> Model Linksys WRT54G/GS/GL
> Time Mon, 20 Aug 2012 12:33:00 -0400
> Uptime 1 day, 23:14:16
> CPU Load (1 / 5 / 15 mins) 0.01 / 0.01 / 0.00
> Total / Free Memory 14.19
>
>
> Anyway thanks for the help and good night, I know that it's 12 hours later there.
You're welcome....
FWIW, the messages you're showing are *not* being *sent* by your Linksys router. 192.168.1.9 may be the IP address of that router..... BUT, the SRC is simply a portion of the message that iptables is logging and has nothing to do with :source in rsyslog.
So..... to stop filling up your logs you'll either have to address your logging problem in iptables or mask that problem. (I've never been a fan of masking problems...)
On the system with the logs filling up.... You may want to do something like "iptables -L | grep -i log" to see what is being sent to the logs. You certainly don't want to see the word "ACCEPT".
00:42 .... G'nite
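The distinction drawn in the last message above, between the host field of the syslog header and the SRC= token that iptables writes into the message text, can be checked against a log file directly. The following is an added example, not part of the original thread: the sample lines are copied from the /var/log/messages excerpt quoted earlier (OPT field trimmed), and the function names `sample_log`, `classify_log` and `host_vs_src` are made up for this illustration.

```shell
#!/bin/sh
# Sample input: three lines from the thread's /var/log/messages excerpt
# (OPT field trimmed from the first one).
sample_log() {
cat <<'EOF'
Aug 20 11:52:44 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3031 DF PROTO=TCP SPT=54392 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 20 11:52:49 box9 dbus-daemon[584]: ** Message: No devices in use, exit
Aug 20 11:52:55 localhost rstats[3474]: Problem loading /home/bobg/Ulog. Still trying...
EOF
}

# For each traditional-format syslog line on stdin print, tab-separated:
# header host, program tag, kind (netfilter|other), LOG prefix, SRC= value.
classify_log() {
    awk '{
        host = $4                              # host field of the syslog header
        tag = $5
        sub(/(\[[0-9]+\])?:$/, "", tag)        # "rstats[3474]:" -> "rstats"
        kind = "other"; prefix = "-"; src = "-"; p = ""
        if (tag == "kernel") {
            for (i = 6; i <= NF; i++) {
                if (kind == "other" && $i ~ /^IN=/) {
                    kind = "netfilter"         # IN= starts the packet fields
                    if (p != "") prefix = p    # text before IN= is the --log-prefix
                }
                if (kind == "other") p = (p == "" ? $i : p " " $i)
                if (kind == "netfilter" && $i ~ /^SRC=/) src = substr($i, 5)
            }
        }
        printf "%s\t%s\t%s\t%s\t%s\n", host, tag, kind, prefix, src
    }'
}

# Count lines whose header host equals $1 versus lines that only carry
# SRC=$1 inside the message text.
host_vs_src() {
    classify_log | awk -F '\t' -v ip="$1" '
        $1 == ip { h++ }
        $5 == ip { s++ }
        END { printf "host=%d src=%d\n", h, s }'
}

sample_log | classify_log
sample_log | host_vs_src 192.168.1.9
```

For the sample it reports `host=0 src=1`: the address appears only inside the message text, so a filter keyed on the header host does not select these lines, while the extracted prefix column shows which LOG rule text is producing them.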