Normally when I want to do something other than the “standard” thing with logging, I replace whatever came with the server with syslog-ng, but I’ve just had an urgent need to do something with rsyslog. Specifically, I needed to exclude any messages referring to a certain card that was generating “corrected” errors at a vast frequency … enough that my /var filesystem was filling up regularly.
Turns out to be surprisingly easy, if you figure out how to get rsyslogd to read the updated configuration.
First the rule :-
:msg, contains, "pcieport 0000:00:09.0" ~
This more or less translates as: look for the string “pcieport …” in the complete message sent to syslog and, if it appears, discard the message.
It turns out (quite sensibly) that this needs to appear before any rule sending messages off to a file to get stored for later. And of course the configuration file to edit was /etc/rsyslog.conf.
Before blindly restarting, it’s quite nice to have something that will check the syntax of what you’ve just written to make sure it is valid. Nobody gets this stuff right first time! Turns out there’s a simple way :-
# rsyslogd -f /etc/rsyslog.conf -N 1
Once that stopped giving an error, I needed to get the running daemon to accept configuration changes. It seems that whilst it accepts SIGHUP, it perhaps does not re-read the configuration file so a full restart is necessary :-
# /etc/init.d/rsyslog restart
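The two checks described above (the discard rule must sit above any rule that writes to a file, and the syntax must validate) can be run together before the restart. This is an added example, not code from the original post; the function names are hypothetical, and it assumes legacy-format rules where a file action is written as a path.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes legacy-format rules where a file action is a path ("/..." or "-/...").

# check_discard_order CONF NEEDLE
#   exit 0: discard rule for NEEDLE precedes every file action
#   exit 1: a file action comes first, so the messages would still be stored
#   exit 2: no discard rule for NEEDLE found
check_discard_order() {
    NEEDLE=$2 awk '
        BEGIN { needle = ENVIRON["NEEDLE"] }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        # :msg property filter naming the needle, ending in a discard action
        # ("~" as in the post; newer rsyslog versions spell it "stop")
        !drop && /^[ \t]*:msg,/ && index($0, needle) && /(~|stop)[ \t]*$/ {
            drop = NR
        }
        # selector line whose action is a file, e.g. "*.info  /var/log/messages"
        !file && /^[^:$ \t][^ \t]*[ \t]+-?\// { file = NR }
        END {
            if (!drop) { print "no discard rule for: " needle; exit 2 }
            if (file && file < drop) {
                printf "line %d: discard rule is below file action on line %d\n", drop, file
                exit 1
            }
            printf "ok: discard rule on line %d precedes file actions\n", drop
        }
    ' "$1"
}

# precheck_rsyslog CONF NEEDLE
#   order check first, then the syntax check from the post (rsyslogd -N 1)
precheck_rsyslog() {
    check_discard_order "$1" "$2" && rsyslogd -f "$1" -N 1
}

# Usage: precheck_rsyslog /etc/rsyslog.conf "pcieport 0000:00:09.0"
```

The order check is a line-based heuristic: it does not follow included files or parse newer-style action() statements.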