Just a quick addition: if the config options that David gave don't work,
try preceding the message with a space, like:

:msg, startswith, ' DHCPINFORM'  ~


More information about this behavior can be found here:
http://www.rsyslog.com/log-normalization-and-the-leading-space/

Best regards,
Radu


2013/9/2 David Lang <[email protected]>

> what version are you running?
>
> are there any dhcp logs that you care about?
>
> :msg, startswith, 'DHCPINFORM'  ~
> :msg, startswith, 'DHCPDISCOVER'  ~
> :msg, startswith, 'DHCPREQUEST'  ~
>
> this will eliminate all the dhcp messages you list. I also _strongly_
> recommend disabling the repeated message option (you need to do that on the
> sending machine as well) to eliminate the 'last message repeated' lines,
> which are pretty worthless
>
>
> I'll take a look at your attachment later today if I can.
>
> David Lang
>
> On Mon, 2 Sep 2013, Mayur Patil wrote:
>
>> Date: Mon, 2 Sep 2013 12:56:26 +0530
>> From: Mayur Patil <[email protected]>
>> To: rsyslog-users <[email protected]>, David Lang <[email protected]>
>> Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages &
>>     firewall disturbance
>>
>>
>> Hello David sir,
>>
>>     Thanks for the help and sorry for late reply.
>>
>>     Please have a look at the logs that I want to avoid
>>
>> Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown
>> subnet for client address 10.1.53.58
>> Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown
>> subnet for client address 10.1.53.58
>> Sep  2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown
>> subnet for client address 10.1.55.55
>> Sep  2 12:39:26 clc dhcpd: last message repeated 3 times
>> Sep  2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown
>> subnet for client address 10.1.54.159
>> Sep  2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown
>> subnet for client address 10.1.54.159
>> Sep  2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown
>> subnet for client address 10.1.53.177
>> Sep  2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown
>> subnet for client address 10.1.53.177
>> Sep  2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown
>> subnet for client address 10.1.54.45
>> Sep  2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown
>> subnet for client address 10.1.54.45
>> Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from
>> f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>> Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from
>> f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown
>> subnet for client address 10.1.55.31
>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown
>> subnet for client address 10.1.55.31
>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown
>> subnet for client address 10.1.54.55
>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown
>> subnet for client address 10.1.54.55
>> Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0:
>> network euca: no free leases
>> Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0:
>> network euca: no free leases
>>
>> The pattern I observe is each message repeated two times.
>>
>> This is my rSyslog SERVER conf file  http://fpaste.org/36428/
>>
>> I am using the firewall GUI on the rSyslog server.
>>
>> For incoming traffic policy,
>>
>> I have allowed the firewall ports as per the screenshot;  please find
>> attachment.
>>
>> Seeking for guidance,
>>
>> Thanks !!
>>
>> --
>> Cheers,
>> Mayur
>>
>>
>>
>>
>> On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
>>
>>> the best way is to put a filter on your central server that detects these
>>> messages that you don't care about and discards them (the 'stop' action
>>> on 7.x or the '~' action on earlier versions)
>>>
>>> if you post a sample of the logs that you don't care about, we may be
>>> able to help you craft the filters.
>>>
>>> as for your firewall problem, we would have to see what rules you are
>>> putting in your firewall, and how you are forwarding the messages. If you
>>> are using @ for your forwarding, you need to allow UDP 514 on your
>>> server, but once you do that it will work.
>>>
>>> David Lang
>>>
>>>
>>>
>>> On Fri, 30 Aug 2013, Mayur Patil wrote:
>>>
>>>> Hello All,
>>>>
>>>> [1]   I have configured my three machines for rsyslog exportation to
>>>>       remote server.  My syslog file size has crossed over 150 MB which
>>>>       consists of useless dhcpd requests. I want to know is there any
>>>>       reliable way to stop dhcp logging ?   I googled but not found
>>>>       satisfactory solution.
>>>>
>>>> [2]   I am unable to export logs on rSyslog server if I enable firewall.
>>>>       Though I allow  syslog and required services port to allowed
>>>>       inbound traffic policy I am unable to get logs on server. This
>>>>       could be possible iff I disable the firewall. What is going wrong??
>>>>
>>>>      Seeking for guidance,
>>>>
>>>>      Thanks !
>>>>
>>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
>>>

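The leading-space behaviour described at the top of this message can be checked against sample lines before a discard rule goes live. This is an added example, not part of the original thread and not rsyslog's own code: a simplified Python model that assumes the msg property is everything after the colon of the tag (so it keeps the space), run over lines constructed from the dhcpd lines quoted above plus one hypothetical sshd line.

```python
import re

# Constructed sample lines, modelled on the dhcpd lines quoted in the thread;
# the sshd line is hypothetical and stands for traffic that must not be dropped.
SAMPLE = [
    "Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58",
    "Sep  2 12:39:26 clc dhcpd: last message repeated 3 times",
    "Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.",
    "Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases",
    "Sep  2 12:40:01 clc sshd[2211]: Failed password for root from 10.1.53.58 port 4022 ssh2",
]

# RFC 3164 style line: timestamp, host, tag (program[pid]:), then the message.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?:(.*)$"
)

def split_line(line):
    """Return (programname, msg); msg keeps the space that follows 'tag:'."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line: %r" % line)
    return m.group(3), m.group(4)

def discarded(line, prefixes):
    """True if any ':msg, startswith, <prefix>' rule would match this line."""
    _, msg = split_line(line)
    return any(msg.startswith(p) for p in prefixes)

def survivors(lines, prefixes):
    """Lines that would still be written after the discard rules run."""
    return [l for l in lines if not discarded(l, prefixes)]

NO_SPACE = ["DHCPINFORM", "DHCPDISCOVER", "DHCPREQUEST"]
WITH_SPACE = [" " + p for p in NO_SPACE]

if __name__ == "__main__":
    for name, rules in (("no leading space", NO_SPACE),
                        ("leading space", WITH_SPACE)):
        kept = survivors(SAMPLE, rules)
        print("%s: %d of %d lines kept" % (name, len(kept), len(SAMPLE)))
        for l in kept:
            print("   ", l)
```

Under this model the rules without the space discard nothing, while the rules with the space drop the three DHCP lines and leave the 'last message repeated' line and the sshd line in place.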