Hi, using the rsyslog that comes with CentOS 6.5 (v5), I am trying to discard messages, but it is not really working.
The lines I do not want to save are like this:

Oct 23 19:02:27 apachetest01 cfengine:apachetest01[21937]: #012Executing script /usr/bin/rsync -a --delete --password-file=/whatever user@rsynchost::cfengine_prod /rsyncdata...(timeout=0,uid=-1,gid=-1)
Oct 23 19:02:27 apachetest01[21937]: Finished script /usr/bin/rsync -a --delete --password-file=/whatever user@rsynchost::cfengine_prod /rsyncdata

And this is my rsyslogd.conf:

#### MODULES ####

# provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# provides --MARK-- message capability
$ModLoad immark
# provides file input support
$ModLoad imfile

# spool dir
$WorkDirectory /var/lib/rsyslog
# Asynchronous Forwarding Mechanism
$ActionQueueType LinkedList
# Enable disk mode queue
$ActionQueueFileName centralwork
# Infinite Retries
$ActionResumeRetryCount -1
# Save Queue on Exit for reprocessing
$ActionQueueSaveOnShutdown on

# CA cert
$DefaultNetstreamDriverCAFile /etc/ipa/ca.crt
# use gtls netstream driver
$DefaultNetstreamDriver gtls
# require TLS for the connection
$ActionSendStreamDriverMode 1
# server is NOT authenticated
$ActionSendStreamDriverAuthMode anon

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

if $programname contains 'cfengine' and $msg contains 'rsync' then ~

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# The authpriv file has restricted access.
authpriv.*    /var/log/secure

# Log all the mail messages in one place.
mail.*    -/var/log/maillog

# Log cron stuff
cron.*    /var/log/cron

# Everybody gets emergency messages
*.emerg    *

# Save news errors of level crit and higher in a special file.
uucp,news.crit    /var/log/spooler

# Save boot messages also to boot.log
local7.*    /var/log/boot.log

## Remote Logging with On Disk Queuing Enabled
# Asynchronous Forwarding Mechanism
$ActionQueueType LinkedList
# Enable disk mode queue
$ActionQueueFileName centralwork
# Infinite Retries
$ActionResumeRetryCount -1
# Save Queue on Exit for reprocessing
$ActionQueueSaveOnShutdown on

# File 1
$InputFileName /var/log/httpd/access_log
$InputFileTag tag1:
$InputFileStateFile stat-access_log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
#$InputFilePollingInterval 10

# File 2
$InputFileName /var/log/httpd/error_log
$InputFileTag tag2:
$InputFileStateFile stat-error_log
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
#$InputFilePollingInterval 10

# Finally, send (all) messages
*.* @@(o)syslogtest.domain.tld:6514

So the filter is:

if $programname contains 'cfengine' and $msg contains 'rsync' then ~

but I have tried this to no avail:

:msg, contains, 'rsync' ~

and lots of different combinations. I am a bit at a loss here. It should be an easy task, but apparently I am able to mess it up.

Does anyone spot the mistake?

TIA,
--
Regards,
natxo

