filtering noisy dæmons on rsyslog using the cleaner expression syntax
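# /etc/rsyslog.d/10-noisy.conf
# Divert three noisy kernel-facility message streams (nftables, iptables, kernel audit)
# into their own files and drop them from the default logs.
#
# Most software doesn't set $syslogtag, so the identifier has to be found in $msg.
# The problems here are baffling:
# - for reasons unknown, the message often starts with a space, though not necessarily
# - this makes it cumbersome to impossible to rely on `starts_with`
# - regexes are significantly slower
# - `contains` is slower than `starts_with`, and may give false positives
# - the `ltrim()` function can't easily be applied to an action
# - you could potentially register a variable with the trimmed message, but this makes
#   your setup dependent on rsyslog-specific, undocumented, potentially ephemeral behaviour.
# My compromise is to accept false positives and go for a `contains` with the daemon
# identifier followed by a colon. Most software has a way to add a prefix to $msg,
# including nftables. I additionally filter by $syslogfacility to reduce false positives.
#
# Caveats for anyone reusing this:
# - `stop` means a matching message never reaches any rule declared after this file,
#   e.g. the distro's default /var/log/syslog rule or a remote-forwarding action.
#   Anything that must still see firewall/audit events (forwarding to a SIEM, alerting)
#   has to be declared in a file that sorts before 10-noisy.conf, or inside these blocks.
# - `contains` is a plain substring match, so an unrelated kernel message that happens
#   to contain "nft:", "iptables:" or "audit:" is diverted too. The facility check limits
#   this to messages carrying facility kern, which is normally only the kernel via imklog.
#   NOTE(review): a local process writing to /dev/log can also claim facility kern unless
#   rsyslog remaps it; confirm the imuxsock settings before treating these files as
#   tamper-evident.
# - The output files are created with mode 0640 so that firewall hits and audit records
#   are not readable by every local user; omfile's own default is 0644 unless the global
#   rsyslog.conf overrides it. Add fileGroup="adm" (or your distro's log-reader group)
#   if non-root administrators need to read them.
# - don't forget to add logrotate entries to these logfiles.

# nftables: log rules carry a "nft:" prefix (e.g. `log prefix "nft: "`)
if $msg contains "nft:" and $syslogfacility-text == "kern" then {
    action(type="omfile" file="/var/log/nftables.log" fileCreateMode="0640")
    stop
}

# iptables: LOG target with --log-prefix "iptables: "
if $msg contains "iptables:" and $syslogfacility-text == "kern" then {
    action(type="omfile" file="/var/log/iptables.log" fileCreateMode="0640")
    stop
}

# kernel audit messages printed via printk when no audit daemon collects them
if $msg contains "audit:" and $syslogfacility-text == "kern" then {
    action(type="omfile" file="/var/log/audit.log" fileCreateMode="0640")
    stop
}
# vim: set ft=rsyslog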
# /etc/logrotate.d/noisy-rsyslog
# Rotation policy for the per-daemon log files that rsyslog splits out in
# /etc/rsyslog.d/10-noisy.conf. One stanza covers all three files.
/var/log/nftables.log
/var/log/iptables.log
/var/log/audit.log {
    # rotate once a day and keep two weeks of history
    daily
    rotate 14
    # a missing or empty file is neither an error nor a reason to rotate
    missingok
    notifempty
    # gzip rotated files, but leave the newest rotated file uncompressed for one
    # cycle (rsyslog may still write to it until it has been told to reopen)
    compress
    delaycompress
    # name rotated files foo.log.YYYYMMDD instead of foo.log.N; dateyesterday stamps
    # them with yesterday's date, so a rotation just after midnight is named for the
    # day whose messages the file actually holds
    dateext
    dateformat .%Y%m%d
    dateyesterday
    # make rsyslog reopen its output files so it stops writing to the rotated one
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
# vim: ft=conf