what version are you running?
are there any dhcp logs that you care about?
:msg, contains, "DHCPINFORM" ~
:msg, contains, "DHCPDISCOVER" ~
:msg, contains, "DHCPREQUEST" ~
this will eliminate all the dhcp messages you list. I also _strongly_ recommend
disabling the repeated message option (you need to do that on the sending
machine as well) to eliminate the 'last message repeated' lines, which are
pretty worthless
I'll take a look at your attachment later today if I can.
David Lang
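
Added example, not part of the original thread and not the project's own configuration: a central-server rsyslog.conf fragment that combines the discard filters and the repeated-message setting described above with the UDP 514 listener mentioned later in the thread. The file paths, the programname check and the final catch-all rule are assumptions.

```conf
# /etc/rsyslog.conf on the central server (constructed example; paths and
# the catch-all rule at the end are assumptions, adapt to your own file)

# Receive what the clients forward with "*.* @server" (UDP 514).
# The host firewall must allow inbound UDP 514 for this to work.
$ModLoad imudp
$UDPServerRun 514

# Do not collapse duplicates into "last message repeated N times".
# Set this on the sending machines as well.
$RepeatedMsgReduction off

# Discard the dhcpd noise BEFORE any rule that writes to a file; rules are
# evaluated top to bottom and a later discard does not undo an earlier write.
# "contains" is used rather than "startswith" because with traditional
# (RFC 3164) messages the msg property begins with the space after "dhcpd:".
# Matching on programname keeps other programs' messages that merely
# mention DHCP from being dropped.

# rsyslog 7.x and later:
if $programname == 'dhcpd' and ($msg contains 'DHCPINFORM' or $msg contains 'DHCPDISCOVER' or $msg contains 'DHCPREQUEST') then stop

# rsyslog before 7.x: same expression, '~' discard action instead of 'stop'
#if $programname == 'dhcpd' and ($msg contains 'DHCPINFORM' or $msg contains 'DHCPDISCOVER' or $msg contains 'DHCPREQUEST') then ~

# 7.x alternative: keep the records in their own file instead of discarding,
# so IP-to-MAC history is still available when investigating an incident.
#if $programname == 'dhcpd' then {
#    action(type="omfile" file="/var/log/dhcpd.log")
#    stop
#}

# Everything that was not discarded above is logged as before.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Only one of the three `if` rules should be active at a time, and rsyslog must be restarted after the change.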
On Mon, 2 Sep 2013, Mayur Patil wrote:
Date: Mon, 2 Sep 2013 12:56:26 +0530
From: Mayur Patil <[email protected]>
To: rsyslog-users <[email protected]>, David Lang <[email protected]>
Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages &
firewall disturbance
Hello David sir,
Thanks for the help and sorry for late reply.
Please have a look at the logs that I want to avoid
Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
The pattern I observe is each message repeated two times.
This is my rSyslog SERVER conf file http://fpaste.org/36428/
I am using the firewall GUI on the rSyslog server.
For incoming traffic policy,
I have allowed the firewall ports as per the screenshot; please find
attachment.
Seeking for guidance,
Thanks !!
--
Cheers,
Mayur
On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
the best way is to put a filter on your central server that detects these
messages that you don't care about and discards them (the 'stop' action on
7.x or the '~' action on earlier versions)
if you post a sample of the logs that you don't care about, we may be able
to help you craft the filters.
as for your firewall problem, we would have to see what rules you are
putting in your firewall, and how you are forwarding the messages. If you
are using @ for your forwarding, you need to allow UDP 514 on your server,
but once you do that it will work.
David Lang
On Fri, 30 Aug 2013, Mayur Patil wrote:
Hello All,
[1] I have configured my three machines for rsyslog exportation to remote
server. My syslog file size has crossed over 150 MB which consists of
useless dhcpd requests. I want to know is there any reliable way to stop
dhcp logging? I googled but not found satisfactory solution.
[2] I am unable to export logs on rSyslog server if I enable firewall.
Though I allow syslog and required services port to allowed inbound traffic
policy I am unable to get logs on server. This could be possible iff I
disable the firewall. What is going wrong??
Seeking for guidance,
Thanks !
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.