It's really hard to diagnose your problem without you posting your config.
Did you check to see if there are any error messages at startup that could
indicate that you have a typo in the config?
David Lang
On Tue, 3 Sep 2013, Mayur Patil wrote:
Hi,
I have done the config as you said, but when I create a filter to stop
receiving any one of the dhcp messages, i.e. dhcpdiscover, dhcprequest etc.,
it stops logging all components' logs; the thing to wonder about is that I am using
Static mode of networking, so why am I facing such problems?
Need guidance.
Thanks !
--
Cheers,
Mayur
On Mon, Sep 2, 2013 at 6:08 PM, Mayur Patil <[email protected]> wrote:
Hi,
Thanks David and Radu sir.
I will try this and report ASAP.
Thanks for the help !!
On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:
Just a quick addition: if the config options that David gave don't work,
try preceding the message with a space, like:
:msg, startswith, ' DHCPINFORM' ~
More information about this behavior can be found here:
http://www.rsyslog.com/log-normalization-and-the-leading-space/
Best regards,
Radu
2013/9/2 David Lang <[email protected]>
What version are you running?
Are there any dhcp logs that you care about?
:msg, startswith, 'DHCPINFORM' ~
:msg, startswith, 'DHCPDISCOVER' ~
:msg, startswith, 'DHCPREQUEST' ~
This will eliminate all the dhcp messages you list. I also _strongly_
recommend disabling the repeated message option (you need to do that on the
sending machine as well) to eliminate the 'last message repeated' lines,
which are pretty worthless.
I'll take a look at your attachment later today if I can.
David Lang
On Mon, 2 Sep 2013, Mayur Patil wrote:
Date: Mon, 2 Sep 2013 12:56:26 +0530
From: Mayur Patil <[email protected]>
To: rsyslog-users <[email protected]>, David Lang <[email protected]>
Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages & firewall disturbance
Hello David sir,
Thanks for the help and sorry for late reply.
Please have a look at the logs that I want to avoid
Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
The pattern I observe is each message repeated two times.
This is my rSyslog SERVER conf file http://fpaste.org/36428/
I am using the firewall GUI on the rSyslog server.
For incoming traffic policy,
I have allowed the firewall ports as per the screenshot; please find
attachment.
Seeking for guidance,
Thanks !!
--
Cheers,
Mayur
On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
The best way is to put a filter on your central server that detects these
messages that you don't care about and discards them (the 'stop' action on
7.x or the '~' action on earlier versions).
If you post a sample of the logs that you don't care about, we may be able
to help you craft the filters.
As for your firewall problem, we would have to see what rules you are
putting in your firewall, and how you are forwarding the messages. If you
are using @ for your forwarding, you need to allow UDP 514 on your server,
but once you do that it will work.
David Lang
On Fri, 30 Aug 2013, Mayur Patil wrote:
Hello All,
[1] I have configured my three machines for rsyslog exportation to a remote
server. My syslog file size has crossed over 150 MB, which consists of
useless dhcpd requests. I want to know, is there any reliable way to stop
dhcp logging? I googled but did not find a satisfactory solution.
[2] I am unable to export logs on the rSyslog server if I enable the firewall.
Though I allow the syslog and required services ports in the allowed inbound
traffic policy, I am unable to get logs on the server. This could be possible
iff I disable the firewall. What is going wrong??
Seeking for guidance,
Thanks !
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
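Added example (not part of the thread and not rsyslog code): a small Python model of the `:msg, startswith, '...' ~` filters discussed above, run over dhcpd lines quoted in the thread plus one constructed sshd line. It assumes the behaviour Radu points to, namely that everything after the tag's colon, including the space, ends up in `msg`; the names `split_msg`, `kept`, `NO_SPACE` and `WITH_SPACE` are hypothetical.

```python
import re

# Four lines copied from the thread, plus one constructed non-DHCP line
# (the sshd entry) to show that unrelated messages are not discarded.
SAMPLE = [
    "Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: "
    "unknown subnet for client address 10.1.53.58",
    "Sep 2 12:39:26 clc dhcpd: last message repeated 3 times",
    "Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from "
    "f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.",
    "Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via "
    "eth0: network euca: no free leases",
    "Sep 2 12:40:01 clc sshd[2211]: Accepted publickey for admin from 10.1.53.2",
]

# timestamp, host, tag (up to and including ':'), then msg = the rest.
# The space that follows the colon is therefore the first character of msg.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^:\s]+:)(.*)$")

NO_SPACE = ["DHCPINFORM", "DHCPDISCOVER", "DHCPREQUEST"]
WITH_SPACE = [" " + p for p in NO_SPACE]


def split_msg(line):
    """Return (tag, msg) for a traditional syslog line; msg keeps its leading space."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not a traditional syslog line: %r" % line)
    return m.group(3), m.group(4)


def kept(lines, prefixes):
    """Lines that survive discard filters of the form `:msg, startswith, '<prefix>' ~`."""
    prefixes = tuple(prefixes)
    return [l for l in lines if not split_msg(l)[1].startswith(prefixes)]


if __name__ == "__main__":
    print("without leading space, kept:", len(kept(SAMPLE, NO_SPACE)))
    for line in kept(SAMPLE, WITH_SPACE):
        print("with leading space, kept:", line)
```

With the leading space the three DHCP message types are discarded and the sshd line is kept; the "last message repeated" line still gets through, which is why it has to be handled by turning off repeated message reduction rather than by these filters.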