Hi All,

rsyslog stops logging at all when a filter is applied.

If I add any filter like

    :msg, startswith, 'DHCPREQUEST' ~

                 or

    :msg, startswith, 'kernel' ~

it will stop rsyslog totally from logging, with exiting message 15 killing the
process.

My server rsyslog.conf file: http://fpaste.org/36924/

Please help!

Thanks!!

-- 
*Cheers,
Mayur*



On Tue, Sep 3, 2013 at 12:52 PM, Mayur Patil <[email protected]> wrote:

> Actually I am trying to collect logs from two IP addresses 172.20.54.211,
> 172.20.54.212
>
> I checked with a comma (,) between the two IP addresses but it did not work.
>
> As you said, for my understanding
>
> I need to follow these steps
>
> 1. Remove dynamic template lines from file and add following lines
>
> *.*   /var/log/172.20.54.212/syslog
> *.*   /var/log/172.20.54.211/syslog
>
> 2. Put the following lines before the above mentioned lines
>
> :msg, startswith, 'DHCPINFORM' ~
> :msg, startswith, 'DHCPDISCOVER' ~
> :msg, startswith, 'DHCPREQUESTS' ~
>
> 3. Then check out for result.
>
> The line I observed while starting syslog:
>
> Sep  3 12:53:24 logserver rsyslogd-2039: Could no open output pipe '/dev/xconsole': No such file or directory [try http://www.rsyslog.com/e/2039 ]
>
> Please correct if I am wrong !
>
> Thanks !
>
> --
> *Cheers,
> mayur*
>
>
> On Tue, Sep 3, 2013 at 12:28 PM, David Lang <[email protected]> wrote:
>
>> Yes, if you tell rsyslog to use a template that you have not defined, you
>> will basically make the rest of the configuration past that point be ignored
>>
>> I believe that on line 37 there should be a comma between mytemplate and
>> the quote
>>
>> $template mytemplate,"/var/log/172.20.54.212/syslog"
>>
>> although, I'll point out there is nothing variable in that template.
>>
>> you probably want to replace the IP address with %fromhost-ip%
>>
>> if you really do want to have it be a single file, don't use the dynafile
>> template mechanism, just specify the filename
>>
>> *.* /var/log/172.20.54.212/syslog
>>
>> you also need to put the filters to discard the messages that you don't
>> want to see before the lines that write those messages out.
>>
>>
>> David Lang
>>
>> On Tue, 3 Sep 2013, Mayur Patil wrote:
>>
>>> Thanks sir for reply.
>>>
>>> This is my server config file http://pastebin.com/C1SDt08y
>>>
>>> The message I remember is that it did not find mytemplate
>>> that I mentioned on line 30.
>>>
>>> I set up rsyslog using this blog
>>> http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/
>>>
>>> Please guide,
>>>
>>> Thanks !!
>>>
>>>
>>> On Tue, Sep 3, 2013 at 11:57 AM, David Lang <[email protected]> wrote:
>>>
>>>> It's really hard to diagnose your problem without you posting your
>>>> config.
>>>>
>>>> Did you check to see if there are any error messages at startup that
>>>> could indicate that you have a typo in the config?
>>>>
>>>> David Lang
>>>>
>>>>
>>>> On Tue, 3 Sep 2013, Mayur Patil wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have done the config as you said, but when I create a filter to stop
>>>>> receiving any one of the dhcp messages, i.e. dhcpdiscover, dhcprequest etc.,
>>>>> it stops logging all components' logs; the thing to wonder is that I am
>>>>> using Static mode of networking, so why am I facing such problems?
>>>>>
>>>>> Need guidance.
>>>>>
>>>>> Thanks !
>>>>>
>>>>> --
>>>>> *Cheers,
>>>>> Mayur*
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Sep 2, 2013 at 6:08 PM, Mayur Patil <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks David and Radu sir.
>>>>>>
>>>>>> I will try this and report ASAP.
>>>>>>
>>>>>> Thanks for the help !!
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 2, 2013 at 5:26 PM, Radu Gheorghe <[email protected]> wrote:
>>>>>>
>>>>>>> Just a quick addition: if the config options that David gave don't
>>>>>>> work, try preceding the message with a space, like:
>>>>>>>
>>>>>>> :msg, startswith, ' DHCPINFORM'  ~
>>>>>>>
>>>>>>> More information about this behavior can be found here:
>>>>>>> http://www.rsyslog.com/log-normalization-and-the-leading-space/
>>>>>>>
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Radu
>>>>>>>
>>>>>>>
>>>>>>> 2013/9/2 David Lang <[email protected]>
>>>>>>>
>>>>>>>> what version are you running?
>>>>>>>>
>>>>>>>> are there any dhcp logs that you care about?
>>>>>>>>
>>>>>>>> :msg, startswith, 'DHCPINFORM'  ~
>>>>>>>> :msg, startswith, 'DHCPDISCOVER'  ~
>>>>>>>> :msg, startswith, 'DHCPREQUEST'  ~
>>>>>>>>
>>>>>>>> this will eliminate all the dhcp messages you list. I also _strongly_
>>>>>>>> recommend disabling the repeated message option (you need to do that on
>>>>>>>> the sending machine as well) to eliminate the 'last message repeated'
>>>>>>>> lines, which are pretty worthless
>>>>>>>>
>>>>>>>> I'll take a look at your attachment later today if I can.
>>>>>>>>
>>>>>>>> David Lang
>>>>>>>>
>>>>>>>> On Mon, 2 Sep 2013, Mayur Patil wrote:
>>>>>>>>
>>>>>>>>> Date: Mon, 2 Sep 2013 12:56:26 +0530
>>>>>>>>> From: Mayur Patil <[email protected]>
>>>>>>>>> To: rsyslog-users <[email protected]>, David Lang <[email protected]>
>>>>>>>>> Subject: Re: [rsyslog] [rsyslog-user] how to Stop logging dhcp messages &
>>>>>>>>>     firewall disturbance
>>>>>>>>>
>>>>>>>>> Hello David sir,
>>>>>>>>>
>>>>>>>>> Thanks for the help and sorry for late reply.
>>>>>>>>>
>>>>>>>>> Please have a look at the logs that I want to avoid
>>>>>>>>>
>>>>>>>>> Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>>>>>>>>> Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: unknown subnet for client address 10.1.53.58
>>>>>>>>> Sep  2 12:39:26 clc dhcpd: DHCPINFORM from 10.1.55.55 via eth0: unknown subnet for client address 10.1.55.55
>>>>>>>>> Sep  2 12:39:26 clc dhcpd: last message repeated 3 times
>>>>>>>>> Sep  2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>>>>>>>>> Sep  2 12:39:29 clc dhcpd: DHCPINFORM from 10.1.54.159 via eth0: unknown subnet for client address 10.1.54.159
>>>>>>>>> Sep  2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>>>>>>>>> Sep  2 12:39:30 clc dhcpd: DHCPINFORM from 10.1.53.177 via eth0: unknown subnet for client address 10.1.53.177
>>>>>>>>> Sep  2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>>>>>>>>> Sep  2 12:39:32 clc dhcpd: DHCPINFORM from 10.1.54.45 via eth0: unknown subnet for client address 10.1.54.45
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37.
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.55.31 via eth0: unknown subnet for client address 10.1.55.31
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPINFORM from 10.1.54.55 via eth0: unknown subnet for client address 10.1.54.55
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>>>>>>>>> Sep  2 12:39:33 clc dhcpd: DHCPDISCOVER from 00:16:e0:92:c7:60 via eth0: network euca: no free leases
>>>>>>>>>
>>>>>>>>> The pattern I observe is each message repeated two times.
>>>>>>>>>
>>>>>>>>> This is my rSyslog SERVER conf file  http://fpaste.org/36428/
>>>>>>>>>
>>>>>>>>> I am using the firewall GUI on the rSyslog server.
>>>>>>>>>
>>>>>>>>> For incoming traffic policy,
>>>>>>>>>
>>>>>>>>> I have allowed the firewall ports as per the screenshot; please find
>>>>>>>>> attachment.
>>>>>>>>>
>>>>>>>>> Seeking for guidance,
>>>>>>>>>
>>>>>>>>> Thanks !!
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Cheers,
>>>>>>>>> Mayur*
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Aug 30, 2013 at 6:42 PM, David Lang <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> the best way is to put a filter on your central server that detects
>>>>>>>>>> these messages that you don't care about and discards them (the 'stop'
>>>>>>>>>> action on 7.x or the '~' action on earlier versions)
>>>>>>>>>>
>>>>>>>>>> if you post a sample of the logs that you don't care about, we may be
>>>>>>>>>> able to help you craft the filters.
>>>>>>>>>>
>>>>>>>>>> as for your firewall problem, we would have to see what rules you are
>>>>>>>>>> putting in your firewall, and how you are forwarding the messages. If
>>>>>>>>>> you are using @ for your forwarding, you need to allow UDP 514 on your
>>>>>>>>>> server, but once you do that it will work.
>>>>>>>>>>
>>>>>>>>>> David Lang
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Fri, 30 Aug 2013, Mayur Patil wrote:
>>>>>>>>>>
>>>>>>>>>>> Hello All,
>>>>>>>>>>>
>>>>>>>>>>> [1]   I have configured my three machines for rsyslog exportation to
>>>>>>>>>>>       remote server.  My syslog file size has crossed over 150 MB which
>>>>>>>>>>>       consists of useless dhcpd requests. I want to know is there any
>>>>>>>>>>>       reliable way to stop dhcp logging ?   I googled but did not find a
>>>>>>>>>>>       satisfactory solution.
>>>>>>>>>>>
>>>>>>>>>>> [2]   I am unable to export logs on rSyslog server if I enable firewall.
>>>>>>>>>>>       Though I allow syslog and required services port to allowed inbound
>>>>>>>>>>>       traffic policy I am unable to get logs on server. This could be
>>>>>>>>>>>       possible iff I disable the firewall. What is going wrong??
>>>>>>>>>>>
>>>>>>>>>>> Seeking for guidance,
>>>>>>>>>>>
>>>>>>>>>>> Thanks !
>>>>>>>>>>>
>
>
> --
> *Yours Sincerely,
> Mayur* S. Patil,
> ME COMP ENGG,
> MITCOE,
> Pune.


-- 
*Yours Sincerely,
Mayur* S. Patil,
ME COMP ENGG,
MITCOE,
Pune.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
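
Added example, not part of the original thread and not rsyslog's own code: a simplified Python model of two points raised in the replies above, that discard filters must come before the lines that write messages out, and that the `msg` property can begin with a space so a `startswith` filter without it never matches. The rule tuples, the sample lines, the sshd entry and the assumption that `msg` keeps the space after the tag are constructed for illustration; the per-host path follows the `%fromhost-ip%` suggestion.

```python
import re

# Constructed input: (sender IP, raw line), modelled on the lines quoted in the thread.
SAMPLE = [
    ("172.20.54.211", "Sep  2 12:39:20 clc dhcpd: DHCPINFORM from 10.1.53.58 via eth0: "
                      "unknown subnet for client address 10.1.53.58"),
    ("172.20.54.212", "Sep  2 12:39:33 clc dhcpd: DHCPREQUEST for 10.1.54.37 from "
                      "f4:ea:67:8b:ab:da via eth0: unknown lease 10.1.54.37."),
    ("172.20.54.212", "Sep  2 12:39:40 clc sshd[2211]: Accepted publickey for admin"),
]

LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:]+:)(.*)$")

def parse(sender_ip, line):
    """Split a traditional syslog line. Assumption: msg is everything after the
    tag's colon, so it keeps the separating space (' DHCPINFORM ...')."""
    match = LINE.match(line)
    if match is None:
        raise ValueError("not a traditional syslog line: %r" % line)
    _ts, host, tag, msg = match.groups()
    return {"fromhost-ip": sender_ip, "hostname": host, "syslogtag": tag, "msg": msg}

def run(rules, sample=SAMPLE):
    """Apply rules top to bottom, as a rule file is read; return (path, text) writes."""
    written = []
    for sender_ip, line in sample:
        message = parse(sender_ip, line)
        for action, arg in rules:
            if action == "discard" and message["msg"].startswith(arg):
                break  # discarded: no later rule sees this message
            if action == "write":
                path = arg.replace("%fromhost-ip%", message["fromhost-ip"])
                written.append((path, message["syslogtag"] + message["msg"]))
    return written

PER_HOST = "/var/log/%fromhost-ip%/syslog"
# Filters placed after the write rule: every message is already on disk.
FILTER_AFTER_WRITE = [("write", PER_HOST), ("discard", " DHCPINFORM"), ("discard", " DHCPREQUEST")]
# Filters first, but without the leading space: nothing matches.
NO_LEADING_SPACE = [("discard", "DHCPINFORM"), ("discard", "DHCPREQUEST"), ("write", PER_HOST)]
# Filters first, with the leading space: only the non-DHCP line is written.
FILTER_FIRST = [("discard", " DHCPINFORM"), ("discard", " DHCPREQUEST"), ("write", PER_HOST)]

if __name__ == "__main__":
    for name in ("FILTER_AFTER_WRITE", "NO_LEADING_SPACE", "FILTER_FIRST"):
        print(name, [path for path, _ in run(globals()[name])])
```
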