LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-30-2014, 03:24 PM   #1
StirlingEngine
LQ Newbie
 
Registered: Jul 2014
Posts: 7

Rep: Reputation: Disabled
rsyslog incorrectly logging to /etc/messages


I have a Debian Wheezy system (3.2.0-4-kirkwood) which is logging cron messages incorrectly. The messages are appearing in /var/log/cron but also appearing in /var/log/messages.

If I understand rsyslog.conf correctly, the earlier rules specific to cron, e.g., "if $programname contains 'cron' then ..." should override default logging, and the tilde action should stop rsyslog evaluation at that point so that no default logging occurs.

I'd be glad if anyone can offer insight into this issue.

-------------------------------

tail /var/log/messages:

Jul 28 12:43:01 /USR/SBIN/CRON[18940]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 28 20:43:01 /USR/SBIN/CRON[18951]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 04:43:01 /USR/SBIN/CRON[19023]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 06:25:01 /USR/SBIN/CRON[19035]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Jul 29 12:43:01 /USR/SBIN/CRON[19105]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 20:43:01 /USR/SBIN/CRON[19115]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 29 21:40:01 /usr/sbin/cron[1647]: (*system*) RELOAD (/etc/crontab)
Jul 30 04:43:01 /USR/SBIN/CRON[19158]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)
Jul 30 06:25:01 /USR/SBIN/CRON[19165]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
Jul 30 16:43:01 /USR/SBIN/CRON[19242]: (root) CMD ( ntpdate -s 0.us.pool.ntp.org)

------------------------------

/etc/rsyslog.conf:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# NOTE: This file is processed TOP TO BOTTOM
# CUSTOM logging must occur before DEFAULT


# ================================================
# LOAD MODULES
# ================================================

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
# Do NOT log timestamp MARK messages
# $ModLoad immark # provides --MARK-- message capability


# ================================================
# LOGGING FORMAT
# ================================================

$template MCustom,"%timegenerated% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate MCustom
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# $ActionFileDefaultTemplate RSYSLOG_DebugFormat


# ================================================
# GLOBAL DIRECTIVES
# ================================================


# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog


# ================================================
# CUSTOMIZED LOGGING
# ================================================


# Log cron into its own file
if $programname contains 'cron' then /var/log/cron
if $programname contains 'cron' then ~
if $programname contains 'CRON' then /var/log/cron
if $programname contains 'CRON' then ~
# if $programname == '/usr/sbin/cron' then /var/log/cron
# if $programname == '/usr/sbin/cron' then ~

# Log user logins, no matter where, into their own file
if $programname == 'login' then /var/log/logins
if $programname == 'login' then ~

# Log ntpdate into its own file
if $programname == 'ntpdate' then /var/log/ntp
if $programname == 'ntpdate' then ~

# Customized nonlogging for pam security
if $programname == 'su' and $msg contains 'pam_unix' then ~
if $programname == 'login' and $msg contains 'pam_unix' then ~

# Log Qpopper/popper into its own file
if $programname == 'popper' then /var/log/popper
if $programname == 'popper' then ~

# Log sftp into its own file
if $programname == 'sftp-server' then /var/log/sftp
if $programname == 'sftp-server' then ~

# Log ssh into its own file
if $programname == 'sshd' then /var/log/ssh
if $programname == 'sshd' then ~

# Log su into its own file
if $programname == 'su' then /var/log/su
if $programname == 'su' then ~

# Log mail reject messages to their own file
if $programname contains 'postfix' and $msg contains 'NOQUEUE' then /var/log/mail.err
if $programname contains 'postfix' and $msg contains 'NOQUEUE' then ~

# Log mail warning messages to their own file
if $programname contains 'postfix' and $msg contains 'warning:' then /var/log/mail.warn
if $programname contains 'postfix' and $msg contains 'warning:' then ~

# Log all other mail messages to the main mail file
if $programname contains 'postfix' then /var/log/mail
if $programname contains 'postfix' then ~


# ================================================
# DISCARD MESSAGES
# ================================================

:msg, contains, "User unknown in local recipient" ~


# ================================================
# DEFAULT LOGGING
# ================================================


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Cron logging
cron.* /var/log/cron

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.=warn /var/log/mail.warn
mail.*;mail.!=warn /var/log/mail

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot
 
Old 07-30-2014, 04:36 PM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,270

Rep: Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893
This works for me:

Code:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# Log cron stuff
cron.*                                                  /var/log/cron
I think cron is a built-in facility, not just a program name, so it may be handled specially.
 
Old 07-30-2014, 04:59 PM   #3
StirlingEngine
LQ Newbie
 
Registered: Jul 2014
Posts: 7

Original Poster
Rep: Reputation: Disabled
Works perfectly. Thank you; this one had me scratching my head for the last week.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is it possible to filter messages in rsyslog? ust Linux - Newbie 3 10-02-2013 05:21 AM
rsyslog filtering syslog messages sanjose Linux - Newbie 13 11-07-2012 04:08 PM
rsyslog not logging to a correct file packets Linux - Newbie 2 03-10-2012 09:11 AM
[SOLVED] syslog remote logging with rsyslog server Chenchu Linux - Newbie 3 09-17-2011 02:34 PM
Rsyslog not logging routers messages dman777 Linux - Software 9 01-31-2011 06:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 04:38 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration