Thanks sir for reply.

This is my server config file http://pastebin.com/C1SDt08y

message I remember is that it does not find mytemplate that I mentioned on line 30.

I setup rsyslog using this blog http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/

Please guide,

Thanks !!

On Tue, Sep 3, 2013 at 11:57 AM, David Lang <[email protected]> wrote:

> It's really hard to diagnose your problem without you posting your config.
>
> did you check to see if there are any error messages at startup that could
> indicate that you have a typo in the config?
>
> David Lang
>
> On Tue, 3 Sep 2013, Mayur Patil wrote:
>
>> Hi,
>>
>> I have done config as per your said but when I create filter to stop
>> receiving anyone of dhcp message i.e. dhcpdiscover, dhcprequest etc
>> it stops logging all components logs; thing to wonder is that I am using
>> Static mode of networking then why I am facing such problems?
>>
>> Need guidance.
>>
>> Thanks !
>>
>> --
>> Cheers,
>> Mayur
>>
>> On Mon, Sep 2, 2013 at 6:08 PM, Mayur Patil <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Thanks David and Radu sir.
>>>
>>> I will try this and report ASAP.
>>>
>>> Thanks for the help !!
>>>
>>> On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:
>>>
>>>> Just a quick addition: if the config options that David gave don't work,
>>>> try preceding the message with a space, like:
>>>>
>>>> :msg, startswith, ' DHCPINFORM' ~
>>>>
>>>> More information about this behavior can be found here:
>>>> http://www.rsyslog.com/log-normalization-and-the-leading-space/
>>>>
>>>> Best regards,
>>>> Radu
>>>>
>>>> 2013/9/2 David Lang <[email protected]>
>>>>
>>>>> what version are you running?
>>>>>
>>>>> are there any dhcp logs that you care about?
>>>>>
>>>>> :msg, startswith, 'DHCPINFORM' ~
>>>>> :msg, startswith, 'DHCPDISCOVER' ~
>>>>> :msg, startswith, 'DHCPREQUEST' ~
>>>>>
>>>>> this will eliminate all the dhcp messages you list.
>>>>> I also _strongly_ recommend disabling the repeated message option (you
>>>>> need to do that on the sending machine as well) to eliminate the
>>>>> 'last message repeated' lines, which are pretty worthless
>>>>>
>>>>> I'll take a look at your attachment later today if I can.
>>>>>
>>>>> David Lang
>>>>>
>>>>> On Mon, 2 Sep 2013, Mayur Patil wrote:
>>>>>
>>>>>> Date: Mon, 2 Sep 2013 12:56:26 +0530
>>>>>> From: Mayur Patil <[email protected]>
>>>>>> To: rsyslog-users <[email protected]>, David Lang <[email protected]>
>>>>>> Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages & firewall disturbance
>>>>>>
>>>>>> Hello David sir,
>>>>>>
>>>>>> Thanks for the help and sorry for late reply.
>>>>>>
>>>>>> Please have a look at the logs that I want to avoid
>>>>>>
>>>>>> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>>>>>> Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>>>>>> Sep 2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
>>>>>> Sep 2 12:39:26 clc dhcpd: last message repeated 3 times
>>>>>> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>>>>>> Sep 2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>>>>>> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>>>>>> Sep 2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>>>>>> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>>>>>> Sep 2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>>>>>> Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>>>>>>
>>>>>> The pattern I observe is each message repeated two times.
>>>>>>
>>>>>> This is my rSyslog SERVER conf file http://fpaste.org/36428/
>>>>>>
>>>>>> I am using the firewall GUI on the rSyslog server.
>>>>>>
>>>>>> For incoming traffic policy,
>>>>>>
>>>>>> I have allowed the firewall ports as per the screenshot; please find
>>>>>> attachment.
>>>>>>
>>>>>> Seeking for guidance,
>>>>>>
>>>>>> Thanks !!
>>>>>>
>>>>>> --
>>>>>> Cheers,
>>>>>> Mayur
>>>>>>
>>>>>> On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
>>>>>>
>>>>>>> the best way is to put a filter on your central server that detects
>>>>>>> these messages that you don't care about and discards them (the 'stop'
>>>>>>> action on 7.x or the '~' action on earlier versions)
>>>>>>>
>>>>>>> if you post a sample of the logs that you don't care about, we may be
>>>>>>> able to help you craft the filters.
>>>>>>>
>>>>>>> as for your firewall problem, we would have to see what rules you are
>>>>>>> putting in your firewall, and how you are forwarding the messages. If
>>>>>>> you are using @ for your forwarding, you need to allow UDP 514 on your
>>>>>>> server, but once you do that it will work.
>>>>>>>
>>>>>>> David Lang
>>>>>>>
>>>>>>> On Fri, 30 Aug 2013, Mayur Patil wrote:
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>>
>>>>>>>> [1] I have configured my three machines for rsyslog exportation to
>>>>>>>> remote server. My syslog file size has crossed over 150 MB which
>>>>>>>> consists of useless dhcpd requests. I want to know is there any
>>>>>>>> reliable way to stop dhcp logging ? I googled but not found
>>>>>>>> satisfactory solution.
>>>>>>>>
>>>>>>>> [2] I am unable to export logs on rSyslog server if I enable firewall.
>>>>>>>> Though I allow syslog and required services port to allowed inbound
>>>>>>>> traffic policy I am unable to get logs on server. This could be
>>>>>>>> possible iff I disable the firewall. What is going wrong??
>>>>>>>>
>>>>>>>> Seeking for guidance,
>>>>>>>>
>>>>>>>> Thanks !

--
Yours Sincerely,
Mayur S. Patil,
ME COMP ENGG,
MITCOE, Pune.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
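Added example, not part of the thread and not rsyslog code: a Python model of the `startswith` discard filters discussed above, run over constructed lines shaped like the quoted dhcpd output, to show what each variant drops and what it leaves in the log. It assumes a simplified RFC 3164 split in which `msg` keeps the space that follows the tag (the behaviour the linked rsyslog article describes); `msg_of`, `apply_filters` and `summary` are hypothetical names.

```python
import re

# Constructed sample: three lines modelled on the dhcpd output quoted in the
# thread, plus one non-DHCP line (sshd) that a discard filter must not remove.
SAMPLE = [
    "Sep 2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58",
    "Sep 2 12:39:26 clc dhcpd: last message repeated 3 times",
    "Sep 2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases",
    "Sep 2 12:39:40 clc sshd[4121]: Accepted publickey for admin from 10.1.53.10 port 50022 ssh2",
]

# Simplified RFC 3164 split (assumption): timestamp, host, tag up to and
# including ':', then msg. Everything after the tag, leading space included,
# is treated as msg.
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(\S+?:)(.*)$")

def msg_of(line):
    """Return the msg part of a syslog line, leading space preserved."""
    m = LINE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line: %r" % line)
    return m.group(4)

def apply_filters(lines, prefixes):
    """Model ':msg, startswith, <prefix> ~' rules: return (kept, dropped)."""
    kept, dropped = [], []
    for line in lines:
        hit = msg_of(line).startswith(tuple(prefixes))
        (dropped if hit else kept).append(line)
    return kept, dropped

NO_SPACE = ["DHCPINFORM", "DHCPDISCOVER", "DHCPREQUEST"]
WITH_SPACE = [" " + p for p in NO_SPACE]  # the leading-space variant

def summary():
    kept, dropped = apply_filters(SAMPLE, WITH_SPACE)
    return {
        "no_space_dropped": len(apply_filters(SAMPLE, NO_SPACE)[1]),
        "with_space_dropped": len(dropped),
        "with_space_kept": [msg_of(l).strip() for l in kept],
    }

if __name__ == "__main__":
    print(summary())
```

The kept list is the useful part to check before deploying a discard rule on a central log server: unrelated lines such as the sshd entry must still be present, and the 'last message repeated' lines are not matched by the DHCP prefixes.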

