Hi,

I have done the config as you said, but when I create a filter to stop receiving any one of the dhcp messages, i.e. dhcpdiscover, dhcprequest etc.,
it stops logging all components' logs; the thing to wonder is that I am using Static mode of networking, so why am I facing such problems?

Need guidance.

Thanks !

--
Cheers,
Mayur

On Mon, Sep 2, 2013 at 6:08 PM, Mayur Patil <[email protected]> wrote:

> Hi,
>
> Thanks David and Radu sir.
>
> I will try this and report ASAP.
>
> Thanks for the help !!
>
>
> On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:
>
>> Just a quick addition: if the config options that David gave don't work,
>> try preceding the message with a space, like:
>>
>> :msg, startswith, ' DHCPINFORM' ~
>>
>>
>> More information about this behavior can be found here:
>> http://www.rsyslog.com/log-normalization-and-the-leading-space/
>>
>> Best regards,
>> Radu
>>
>>
>> 2013/9/2 David Lang <[email protected]>
>>
>> > what version are you running?
>> >
>> > are there any dhcp logs that you care about?
>> >
>> > :msg, startswith, 'DHCPINFORM' ~
>> > :msg, startswith, 'DHCPDISCOVER' ~
>> > :msg, startswith, 'DHCPREQUEST' ~
>> >
>> > this will eliminate all the dhcp messages you list. I also _strongly_
>> > recommend disabling the repeated message option (you need to do that on the
>> > sending machine as well) to eliminate the 'last message repeated' lines,
>> > which are pretty worthless
>> >
>> >
>> > I'll take a look at your attachment later today if I can.
>> >
>> > David Lang
>> >
>> > On Mon, 2 Sep 2013, Mayur Patil wrote:
>> >
>> >> Date: Mon, 2 Sep 2013 12:56:26 +0530
>> >> From: Mayur Patil <[email protected]>
>> >> To: rsyslog-users <[email protected]>, David Lang <[email protected]>
>> >> Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages &
>> >> firewall disturbance
>> >>
>> >>
>> >> Hello David sir,
>> >>
>> >> Thanks for the help and sorry for late reply.
>> >>
>> >> Please have a look at the logs that I want to avoid
>> >>
>> >> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>> >> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>> >> Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
>> >> Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
>> >> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>> >> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>> >> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>> >> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>> >> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>> >> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>> >> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>> >> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>> >> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>> >> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>> >> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>> >>
>> >> The pattern I observe is each message repeated two times.
>> >>
>> >> This is my rSyslog SERVER conf file http://fpaste.org/36428/
>> >>
>> >> I am using the firewall GUI on the rSyslog server.
>> >>
>> >> For incoming traffic policy,
>> >>
>> >> I have allowed the firewall ports as per the screenshot; please find
>> >> attachment.
>> >>
>> >> Seeking for guidance,
>> >>
>> >> Thanks !!
>> >>
>> >> --
>> >> Cheers,
>> >> Mayur
>> >>
>> >>
>> >> On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
>> >>
>> >>> the best way is to put a filter on your central server that detects these
>> >>> messages that you don't care about and discards them (the 'stop' action on
>> >>> 7.x or the '~' action on earlier versions)
>> >>>
>> >>> if you post a sample of the logs that you don't care about, we may be able
>> >>> to help you craft the filters.
>> >>>
>> >>> as for your firewall problem, we would have to see what rules you are
>> >>> putting in your firewall, and how you are forwarding the messages. If you
>> >>> are using @ for your forwarding, you need to allow UDP 514 on your server,
>> >>> but once you do that it will work.
>> >>>
>> >>> David Lang
>> >>>
>> >>>
>> >>> On Fri, 30 Aug 2013, Mayur Patil wrote:
>> >>>
>> >>>> Hello All,
>> >>>>
>> >>>> [1] I have configured my three machines for rsyslog exportation to remote
>> >>>> server. My syslog file size has crossed over 150 MB which consists of
>> >>>> useless dhcpd requests. I want to know is there any reliable way to stop
>> >>>> dhcp logging ? I googled but not found satisfactory solution.
>> >>>>
>> >>>> [2] I am unable to export logs on rSyslog server if I enable firewall. Though I
>> >>>> allow syslog and required services port to allowed inbound traffic policy
>> >>>> I am unable to get logs on server. This could be possible iff I disable the
>> >>>> firewall. What is going wrong??
>> >>>>
>> >>>> Seeking for guidance,
>> >>>>
>> >>>> Thanks !
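
Added example, not part of the thread and not rsyslog's own code: a simplified Python model of the leading-space behavior described at the link Radu posted, where the `msg` property keeps the space that follows the tag's colon. It runs the `startswith` rules over constructed lines in the format quoted above; the function names and the `sshd` line are assumptions for illustration.

```python
# Simplified model of legacy (RFC 3164) parsing: everything after the tag's
# colon, INCLUDING the space that follows it, becomes `msg`.
# Constructed sample lines in the format quoted in the thread.
SAMPLE = [
    "Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58",
    "Sep  2 12:39:26 clc dhcpd: last message repeated 3 times",
    "Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.",
    "Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases",
    "Sep  2 12:39:40 clc sshd[2211]: Accepted publickey for admin from 10.1.53.10 port 50022 ssh2",
]

def parse(line):
    """Split a line into (hostname, programname, msg); msg keeps its leading space."""
    _, _, _, host, rest = line.split(None, 4)
    tag, sep, msg = rest.partition(":")
    if not sep:                      # no tag delimiter: the remainder is the message
        return host, "", " " + rest
    program = tag.split("[", 1)[0]   # "sshd[2211]" -> "sshd"
    return host, program, msg

def kept(lines, prefixes):
    """Lines NOT discarded by rules of the form ':msg, startswith, <prefix> ~'."""
    return [l for l in lines
            if not any(parse(l)[2].startswith(p) for p in prefixes)]

def kept_by_program(lines, program, prefixes):
    """Variant: require the program name too, and ignore the leading space."""
    out = []
    for line in lines:
        _, prog, msg = parse(line)
        if prog == program and any(msg.lstrip().startswith(p) for p in prefixes):
            continue                 # discarded, like the '~' action
        out.append(line)
    return out

DHCP = ["DHCPINFORM", "DHCPDISCOVER", "DHCPREQUEST"]

if __name__ == "__main__":
    print("no leading space:  ", len(kept(SAMPLE, DHCP)), "lines kept")
    print("with leading space:", len(kept(SAMPLE, [" " + p for p in DHCP])), "lines kept")
    print("program + prefix:  ", len(kept_by_program(SAMPLE, "dhcpd", DHCP)), "lines kept")
```

The 'last message repeated' line survives every variant, which is why David recommends turning off the repeated message option rather than filtering for it.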

