rsyslog incorrectly logging to /var/log/messages
I have a Debian Wheezy system (3.2.0-4-kirkwood) which is logging cron messages incorrectly. The messages are appearing in /var/log/cron but also appearing in /var/log/messages.
If I understand rsyslog.conf correctly, the earlier rules specific to cron, e.g., "if $programname contains 'cron' then ..." should override default logging, and the tilde action should stop rsyslog evaluation at that point so that no default logging occurs.
I'd be glad if anyone can offer insight into this issue.
-------------------------------
tail /var/log/messages:
Jul 28 12:43:01 /USR/SBIN/CRON[18940]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 28 20:43:01 /USR/SBIN/CRON[18951]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 04:43:01 /USR/SBIN/CRON[19023]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 06:25:01 /USR/SBIN/CRON[19035]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Jul 29 12:43:01 /USR/SBIN/CRON[19105]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 20:43:01 /USR/SBIN/CRON[19115]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 21:40:01 /usr/sbin/cron[1647]: (*system*) RELOAD (/etc/crontab)
Jul 30 04:43:01 /USR/SBIN/CRON[19158]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 30 06:25:01 /USR/SBIN/CRON[19165]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Jul 30 16:43:01 /USR/SBIN/CRON[19242]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
------------------------------
/etc/rsyslog.conf:
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# NOTE: This file is processed TOP TO BOTTOM
# CUSTOM logging must occur before DEFAULT
# ================================================
# LOAD MODULES
# ================================================
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
# Do NOT log timestamp MARK messages
# $ModLoad immark # provides --MARK-- message capability
# ================================================
# LOGGING FORMAT
# ================================================
# MCustom writes only the receive time, the syslog tag and the message text.
# Hostname, facility and severity are not part of the line, so the log files
# alone do not show which facility/severity a message arrived with.
$template MCustom,"%timegenerated% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate MCustom
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# RSYSLOG_DebugFormat prints the parsed properties of every message (including
# programname); enabling it temporarily helps when a property filter does not match.
# $ActionFileDefaultTemplate RSYSLOG_DebugFormat
# ================================================
# GLOBAL DIRECTIVES
# ================================================
# Set the default permissions for all log files.
# These apply to every file action below: files created by rsyslog are owned by
# root:adm with mode 0640, i.e. readable by all members of group adm.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
# ================================================
# CUSTOMIZED LOGGING
# ================================================
# Each pair below writes matching messages to a file and then discards them
# with the "~" action so that later rules never see them.
# Log cron into its own file
# "contains" is case-sensitive, hence the separate 'cron' and 'CRON' pairs.
# NOTE(review): the sample lines from /var/log/messages carry the tags
# "/USR/SBIN/CRON[pid]:" and "/usr/sbin/cron[pid]:", i.e. the tag begins with a
# slash. rsyslog derives $programname from the tag and by default ends it at the
# first '/', '[' or ':', so $programname is presumably empty for these messages
# and none of the four cron filters match -- confirm with RSYSLOG_DebugFormat.
# If so, filter on $syslogtag (or on the cron facility) instead of $programname.
if $programname contains 'cron' then /var/log/cron
if $programname contains 'cron' then ~
if $programname contains 'CRON' then /var/log/cron
if $programname contains 'CRON' then ~
# if $programname == '/usr/sbin/cron' then /var/log/cron
# if $programname == '/usr/sbin/cron' then ~
# Log user logins, no matter where, into their own file
if $programname == 'login' then /var/log/logins
if $programname == 'login' then ~
# Log ntpdate into its own file
if $programname == 'ntpdate' then /var/log/ntp
if $programname == 'ntpdate' then ~
# Customized nonlogging for pam security
# NOTE(review): these rules drop pam_unix messages without writing them to any
# file. The 'su' rule runs before the su file rule further down, so pam_unix
# records from su (typically session open/close and authentication failures)
# never reach /var/log/su; verify that losing this audit trail is intended.
# The 'login' rule can never match: every 'login' message was already
# discarded by the login pair above.
if $programname == 'su' and $msg contains 'pam_unix' then ~
if $programname == 'login' and $msg contains 'pam_unix' then ~
# Log Qpopper/popper into its own file
if $programname == 'popper' then /var/log/popper
if $programname == 'popper' then ~
# Log sftp into its own file
if $programname == 'sftp-server' then /var/log/sftp
if $programname == 'sftp-server' then ~
# Log ssh into its own file
if $programname == 'sshd' then /var/log/ssh
if $programname == 'sshd' then ~
# Log su into its own file
if $programname == 'su' then /var/log/su
if $programname == 'su' then ~
# Log mail reject messages to their own file
if $programname contains 'postfix' and $msg contains 'NOQUEUE' then /var/log/mail.err
if $programname contains 'postfix' and $msg contains 'NOQUEUE' then ~
# Log mail warning messages to their own file
if $programname contains 'postfix' and $msg contains 'warning:' then /var/log/mail.warn
if $programname contains 'postfix' and $msg contains 'warning:' then ~
# Log all other mail messages to the main mail file
if $programname contains 'postfix' then /var/log/mail
if $programname contains 'postfix' then ~
# ================================================
# DISCARD MESSAGES
# ================================================
# Drops any remaining message, from any program, whose text contains this string.
:msg, contains, "User unknown in local recipient" ~
# ================================================
# DEFAULT LOGGING
# ================================================
# Only messages that were not discarded by a "~" rule above reach this section.
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Cron logging
# Facility-based rule: it matches on the cron facility, not on $programname, so
# it is presumably what puts the cron lines into /var/log/cron. It does not
# discard them, so they continue to the rules below.
cron.* /var/log/cron
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# NOTE(review): the selector below does not implement the two comment lines
# above. "*.info" has no exclusions, so mail, authpriv and cron messages of
# level info or higher that survive the custom rules are all written to
# /var/log/messages, which is group-readable by adm. The usual form is
# "*.info;mail.none;authpriv.none;cron.none".
*.info /var/log/messages
# The authpriv file has restricted access.
# NOTE(review): nothing here restricts it further; if rsyslog creates the file
# it gets the global root:adm 0640 settings like every other log. A tighter
# mode would need its own $FileCreateMode before this action -- confirm the
# on-disk permissions of /var/log/secure.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.=warn /var/log/mail.warn
mail.*;mail.!=warn /var/log/mail
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot
|