Hi, Thanks David and Radu sir.
I will try this and report ASAP. Thanks for the help !!

On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:

> Just a quick addition: if the config options that David gave don't work,
> try preceding the message with a space, like:
>
> :msg, startswith, ' DHCPINFORM' ~
>
> More information about this behavior can be found here:
> http://www.rsyslog.com/log-normalization-and-the-leading-space/
>
> Best regards,
> Radu
>
> 2013/9/2 David Lang <[email protected]>
>
> > what version are you running?
> >
> > are there any dhcp logs that you care about?
> >
> > :msg, startswith, 'DHCPINFORM' ~
> > :msg, startswith, 'DHCPDISCOVER' ~
> > :msg, startswith, 'DHCPREQUEST' ~
> >
> > this will eliminate all the dhcp messages you list. I also _strongly_
> > recommend disabling the repeated message option (you need to do that on the
> > sending machine as well) to eliminate the 'last message repeated' lines,
> > which are pretty worthless
> >
> > I'll take a look at your attachment later today if I can.
> >
> > David Lang
> >
> > On Mon, 2 Sep 2013, Mayur Patil wrote:
> >
> >> Date: Mon, 2 Sep 2013 12:56:26 +0530
> >> From: Mayur Patil <[email protected]>
> >> To: rsyslog-users <[email protected]>, David Lang <[email protected]>
> >> Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages & firewall disturbance
> >>
> >> Hello David sir,
> >>
> >> Thanks for the help and sorry for late reply.
> >>
> >> Please have a look at the logs that I want to avoid
> >>
> >> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
> >> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
> >> Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
> >> Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
> >> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
> >> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
> >> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
> >> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
> >> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
> >> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
> >> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
> >> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
> >> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
> >> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
> >>
> >> The pattern I observe is each message repeated two times.
> >>
> >> This is my rSyslog SERVER conf file http://fpaste.org/36428/
> >>
> >> I am using the firewall GUI on the rSyslog server.
> >>
> >> For incoming traffic policy,
> >>
> >> I have allowed the firewall ports as per the screenshot; please find
> >> attachment.
> >>
> >> Seeking for guidance,
> >>
> >> Thanks !!
> >>
> >> --
> >> Cheers,
> >> Mayur
> >>
> >> On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
> >>
> >>> the best way is to put a filter on your central server that detects these
> >>> messages that you don't care about and discards them (the 'stop' action on
> >>> 7.x or the '~' action on earlier versions)
> >>>
> >>> if you post a sample of the logs that you don't care about, we may be able
> >>> to help you craft the filters.
> >>>
> >>> as for your firewall problem, we would have to see what rules you are
> >>> putting in your firewall, and how you are forwarding the messages. If you
> >>> are using @ for your forwarding, you need to allow UDP 514 on your server,
> >>> but once you do that it will work.
> >>>
> >>> David Lang
> >>>
> >>> On Fri, 30 Aug 2013, Mayur Patil wrote:
> >>>
> >>>> Hello All,
> >>>>
> >>>> [1] I have configured my three machines for rsyslog exportation to remote
> >>>> server. My syslog file size has crossed over 150 MB which consists of
> >>>> useless dhcpd requests. I want to know is there any reliable way to stop
> >>>> dhcp logging ? I googled but not found satisfactory solution.
> >>>>
> >>>> [2] I am unable to export logs on rSyslog server if I enable firewall. Though I
> >>>> allow syslog and required services port to allowed inbound traffic policy
> >>>> I am unable to get logs on server. This could be possible iff I disable the
> >>>> firewall. What is going wrong??
> >>>>
> >>>> Seeking for guidance,
> >>>>
> >>>> Thanks !
> >>>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.

--
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG, MITCOE,
Pune.
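
The leading-space behaviour discussed in this thread, modelled as an added example (not code from the thread or from rsyslog): a simplified parser that, as an assumption, keeps the space after the tag's colon in `msg`, run over constructed lines in the format of the dhcpd logs quoted above. `parse`, `apply_filters` and `compare` are hypothetical names.

```python
import re

# Constructed sample in the format of the dhcpd lines quoted in the thread,
# plus one constructed sshd line that no DHCP filter should touch.
SAMPLE = """\
Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep  2 12:39:26 clc dhcpd: last message repeated 3 times
Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
Sep  2 12:39:40 clc sshd[2211]: Accepted publickey for admin from 10.1.53.9 port 50022 ssh2
""".splitlines()

# TIMESTAMP HOST TAG[pid]:MSG. The tag ends at the colon, so MSG keeps the
# space that follows it (simplified model, an assumption of this example).
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^:\[\s]+)(?:\[\d+\])?:(.*)$")

def parse(line):
    """Split one syslog line into the properties a filter can test."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    ts, host, prog, msg = m.groups()
    return {"timestamp": ts, "hostname": host, "programname": prog, "msg": msg}

def apply_filters(lines, prefixes):
    """Model of ':msg, startswith, PREFIX ~': return (kept, dropped) lines."""
    kept, dropped = [], []
    for line in lines:
        msg = parse(line)["msg"]
        hit = any(msg.startswith(p) for p in prefixes)
        (dropped if hit else kept).append(line)
    return kept, dropped

DHCP = ["DHCPINFORM", "DHCPDISCOVER", "DHCPREQUEST"]

def compare():
    """Dropped counts for the prefixes as posted and with a leading space."""
    _, no_space = apply_filters(SAMPLE, DHCP)
    kept, with_space = apply_filters(SAMPLE, [" " + p for p in DHCP])
    return len(no_space), len(with_space), kept

if __name__ == "__main__":
    plain, spaced, kept = compare()
    print("dropped without leading space:", plain)
    print("dropped with leading space:   ", spaced)
    for line in kept:
        print("kept:", line)
```

The 'last message repeated' line survives both filter sets in this model, since its message starts with none of the three prefixes.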

