{"id":2867,"date":"2013-04-25T00:37:40","date_gmt":"2013-04-25T00:37:40","guid":{"rendered":"http:\/\/really.zonky.org\/?p=2867"},"modified":"2013-04-25T00:37:40","modified_gmt":"2013-04-25T00:37:40","slug":"discarding-log-messages-with-rsyslogd","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=2867","title":{"rendered":"Discarding Log Messages with rsyslogd"},"content":{"rendered":"<p>Normally when I want to do something other than the &#8220;standard&#8221; thing with logging, I replace whatever came with the server with <a href=\"http:\/\/en.wikipedia.org\/wiki\/Syslog-ng\">syslog-ng<\/a>, but I&#8217;ve just had an urgent need to do something with <a href=\"http:\/\/en.wikipedia.org\/wiki\/Rsyslog\">rsyslog<\/a>. Specifically exclude any messages with reference to a certain card that was generating &#8220;corrected&#8221; errors at a vast frequency &#8230; enough that my\u00a0<em>\/var<\/em> filesystem was filling up regularly.<\/p>\n<p>Turns out to be surprisingly easy,\u00a0<em>if<\/em> you figure out how to get\u00a0<em>rsyslogd<\/em> to read the updated configuration.<\/p>\n<p>First the rule :-<\/p>\n<pre>:msg, contains, \"pcieport 0000:00:09.0\" ~<\/pre>\n<p>This more or less translates as look for the string &#8220;pcieport &#8230;&#8221; in the complete message sent to syslog and if it appears then <em>discard<\/em>.<\/p>\n<p>It turns out (quite sensibly) that this needs to appear before any rule sending messages off to a file to get stored for later. And of course the configuration file to edit was\u00a0<em>\/etc\/rsyslog.conf.<\/em><\/p>\n<p>Before blindly restarting, it&#8217;s quite nice to have something that will check the syntax of what you&#8217;ve just written to make sure it is valid. Nobody gets this stuff right first time! Turns out there&#8217;s a simple way :-<\/p>\n<pre># rsyslogd -f \/etc\/rsyslog.conf -N 1<\/pre>\n<p>Once that stopped giving an error, I needed to get the running daemon to accept configuration changes. It seems that whilst it accepts SIGHUP, it perhaps does not re-read the configuration file so a full restart is necessary :-<\/p>\n<pre># \/etc\/init.d\/rsyslog restart<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Normally when I want to do something other than the &#8220;standard&#8221; thing with logging, I replace whatever came with the server with syslog-ng, but I&#8217;ve just had an urgent need to do something with rsyslog. Specifically exclude any messages with reference to a certain card that was generating &#8220;corrected&#8221; errors at a vast frequency &#8230; <a href='https:\/\/really.zonky.org\/?p=2867' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[4,226],"tags":[1096,1094,1095],"class_list":["post-2867","post","type-post","status-publish","format-standard","hentry","category-it","category-working-notes","tag-discard","tag-logging","tag-rsyslog","category-4-id","category-226-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-Kf","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/2867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2867"}],"version-history":[{"count":1,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/2867\/revisions"}],"predecessor-version":[{"id":2868,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/2867\/revisions\/2868"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}