Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 04-20-2012, 03:58 AM   #1
Registered: Apr 2012
Posts: 36

Rep: Reputation: 0
Discard message on Rsyslog

Hi all,

I am using Rsyslog 5.8.7
I already received all message from remote hosts
But now, i am very confused in discard message configure.
I do as below:
####Discard Message
:msg, contains, "861: NT AUTHORITY\SYSTEM: The Windows Firewall has detected an application listening for incoming traffic" ~

# Store all log files in MySQL DB  :

*.*        :ommysql:,Syslog,rsyslog,mypassword
But not discard unwanted message
Now i am very stuck.
Anyone help me this??
If I can provide you with any further information, please let me know.
Any feedback is appreciate

Best regards,
Old 04-20-2012, 06:56 AM   #2
Satyaveer Arya
Senior Member
Registered: May 2010
Location: Palm Island
Distribution: RHEL, CentOS, Debian, Oracle Solaris 10
Posts: 1,415

Rep: Reputation: 305Reputation: 305Reputation: 305Reputation: 305
Checkout these links, if it helps you:
Old 04-20-2012, 08:18 PM   #3
Registered: Apr 2012
Posts: 36

Original Poster
Rep: Reputation: 0
Hi Arya,

This is completed my rsyslog configuration:
I also tried many ways, but did not discard.

$PStatsInterval 300 /var/log/rsyslog-stats

#--------------------------------------------------This line is comment
$ModLoad # provides --MARK-- message capability
$ModLoad # provides support for local system logging (via logger command)
$ModLoad # provides kernel logging support (previously done by rklogd)

#--------------------------------------------------This line is comment
$ModLoad # provides UDP syslog reception
$UDPServerAddress * # all local interfaces
$UDPServerRun 514 # start UDP server (log server receiver)

#--------------------------------------------------This line is comment
$ModLoad # provides TCP syslog reception and GSS-API (if compiled)
$InputTCPServerRun 514 # start TCP server (log server receiver)

#--------------------------------------------------This line is comment
$ModLoad # RELP input
$InputRELPServerRun 20514 # start RELP Protocol

#--------------------------------------------------This line is comment
$ModLoad # Text file input
$InputFileName /var/log/i-am-a-text-file.log
$InputFileTag my-text-file:
$InputFileStateFile stat-file1
$InputFileSeverity error
$InputFileFacility local7
$InputFilePollInterval 10 # check for new lines every 10 seconds

#--------------------------------------------------This line is comment
$ModLoad # Log to MySQL

#--------------------------------------------------This line is comment
$ModLoad # Send to another host via RELP

# Globals -----------------------------------------This line is comment
$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on

$WorkDirectory /var/log/rsyslog # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName queue # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$MainMsgQueueMaxFileSize 100M
$ActionQueueMaxFileSize 5M

# A template that resambles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# a template useful for debugging format issues
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space betwen syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"
# A template used for database writing (notice it *is* an actual
# sql-statement):

$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, EventLogType, EventID) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql

$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

####Discard Message
:msg, contains, "861: NT AUTHORITY\SYSTEM:" ~
:msg, !contains, "861: NT AUTHORITY\SYSTEM:" ~
:msg, startswith, "861: NT AUTHORITY\SYSTEM:" ~

# Store all log files in MySQL DB :
*.* mmysql:,Syslog,rsyslog,mypassword
#--------------------------------------------------This line is comment

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console;TraditionalFileFormat

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages;TraditionalFormat

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

#--------------------------------------------------This line is comment
$IncludeConfig /etc/rsyslog.d/*.conf[/I]

Where i am wrong, how to confifure it???
Any help is appreciate.

Best regards,

Last edited by trungmv; 04-21-2012 at 02:28 AM.
Old 04-26-2012, 05:07 AM   #4
Registered: Apr 2012
Posts: 36

Original Poster
Rep: Reputation: 0
Any one can help me??



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Find and discard capellone Programming 1 12-03-2010 07:40 AM
[SOLVED] bash: how to discard unwanted stdin? catkin Programming 12 06-24-2010 09:30 PM
[SOLVED] Discard short lines? danielbmartin Linux - Newbie 5 04-25-2010 09:11 PM
Random packet discard usman_minhas Programming 2 05-12-2009 02:07 AM
How to discard mail by any user in sendmail er_gaurav22 Linux - Server 2 11-09-2007 05:04 AM

All times are GMT -5. The time now is 05:42 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration