Solved

How to stop Syslog filled with ifconfig

Posted on 2014-02-10
10
1,430 Views
Last Modified: 2014-02-20
I am trying to stop the syslog information mentioned here below,

user:info syslog: /usr/sbin/ifconfig -au

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/sbin/netstat, is executed by user with id xxxxx

What could be the proper procedure to stop this syslog information?
0
Question by:sams20
10 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847331
Seems that you have either something like "*.notice", "*.info" or "*.debug" in your syslog.conf file,
or something like "kern.notice" (or .info or .debug) and "user.notice" (or .info or .debug).

Depending on what you have set in the config file change it to contain ".warn" instead of ".notice" (or .info or .debug).

If in doubt you can post your active entries (those without a "#" in front) here so I could have a look.

The relevant file is "/etc/syslog.conf".
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847359
If you have

*.notice /path/to/logfile

and want to stay informed by "notice" messages except for "kern" and "user" you can change to

*.notice;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile


If the original entry contains .info or .debug instead of .notice change it accordingly, e.g. for .info change

*.info /path/to/logfile

to

*.info;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile

Don't forget to run "refresh -s syslogd" after making changes!
0
 

Author Comment

by:sams20
ID: 39847390
I have syslog configured,

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none

OR

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847429
Your issue comes from the "*.notice" and "*.info" entries.

By the way, "info" already contains the higher priorities, so there is no need to specify them all.
"warning" and "warn" are equivalent, so there is also no need to specify both.

You can simply change "*.notice" to "*.warn" and remove all higher priorities (because specifying them is redundant) and you will no longer see those "notice" messages:

*.warn;daemon.none

OR

*.warn

Or if you still want to see "info" messages except for kernel and user then add to the existing list

"kern.none;user.none"

and add the line

kern.warn;user.warn, like this:

*.info;daemon.none;kern.none;user.none
kern.warn;user.warn

Don't forget to run "refresh -s syslogd" after making changes!
0
 

Author Comment

by:sams20
ID: 39847484
Is it possible to write both lines as a single line, as mentioned below?

1)*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

OR

2)
*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none @server1 (like, server1 as a log server)
kern.warn;user.warn @server1

Which is correct, 1) or 2)?

Thanks
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 39847515
Both will work, but in your version both contain much redundancy.

1)

*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

does the same as your (1)

2)

*.info;daemon.none;kern.none;user.none @server1
kern.warn;user.warn @server1

does the same as your (2).

(1) is shorter, but (2) is a bit more expressive. It's a matter of taste.

Don't forget to run "refresh -s syslogd" after making changes!
0
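Added example, not from the thread: a small Python evaluator of classic BSD/AIX-style syslog.conf selector semantics (assumed: fields apply left to right, "*" resets every facility, a later field for the same facility overrides an earlier one, and a priority selects itself and everything more severe). It checks how the accepted lines route the messages from the question and confirms that the one-line and two-line forms are equivalent, and that the poster's original chain of "*.emerg;*.alert;..." collapses to "*.info".

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def level(name):
    """Numeric severity of a priority keyword, resolving the common aliases."""
    return PRIORITIES.index(ALIASES.get(name, name))

def parse_selector(selector):
    """Facility -> minimum level (None = excluded); "*" resets all, later fields win."""
    rules = {}
    for field in selector.split(";"):
        facility, prio = field.strip().split(".")
        value = None if prio == "none" else level(prio)
        if facility == "*":
            rules = {"*": value}
        else:
            rules[facility] = value
    return rules

def parse_conf(text):
    """Return (rules, action) for each non-comment, non-empty syslog.conf line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            entries.append((parse_selector(selector), action))
    return entries

def route(conf, facility, priority):
    """Actions that receive a message logged with the given facility.priority."""
    hits = []
    for rules, action in parse_conf(conf):
        minimum = rules.get(facility, rules.get("*"))
        if minimum is not None and level(priority) >= minimum:
            hits.append(action)
    return hits

def equivalent(conf_a, conf_b, facilities=("kern", "user", "daemon", "mail")):
    """True if both configs route every facility/priority pair identically."""
    return all(sorted(route(conf_a, f, p)) == sorted(route(conf_b, f, p))
               for f in facilities for p in PRIORITIES)

# Constructed samples: the poster's original selector and the two accepted forms.
ORIGINAL = "*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none @server1\n"
ONE_LINE = "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1\n"
TWO_LINES = ("*.info;daemon.none;kern.none;user.none @server1\n"
             "kern.warn;user.warn @server1\n")
```

Running `route(TWO_LINES, "user", "info")` models the "ifconfig -au" line from the question and returns no destination, while `route(TWO_LINES, "kern", "warning")` still reaches @server1.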
 

Author Comment

by:sams20
ID: 39855246
This "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" configuration is working fine. But I don't want to stop all kern- or user-related messages.
I am trying to discard the specific messages mentioned here below, which keep being written to the log file every 2 or 3 seconds.

For this message, user:info syslog: /usr/sbin/ifconfig -au
if I do filter by ifconfig -au
:msg, contains, "ifconfig -au" ~

and

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx
if I do filter by id xxxxx
:msg, contains, "id xxxxx" ~

I am not sure how well it will work, or whether there is any other procedure to filter and ignore specific messages from the log file. Please let me know.

Thanks
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39855552
Which syslog implementation do you use?

The standard AIX syslog does not have a filter option.

With this, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" you do not stop all kernel or user related messages, you just get rid of messages with priority "notice" or lower.
Kernel and User messages with priorities emerg/panic, alert, crit, err(or), warn(ing) will still arrive.

You can test this with

logger -p kern.warn "Testmessage"
and
logger -p user.warn "Testmessage"
0
 

Author Comment

by:sams20
ID: 39856283
Yes, it is standard AIX syslog.

When I type, logger -p kern.warn "Testmessage"

I got this, user:warn|warning my_userid: Testmessage

and

when I type, logger -p user.warn "Test message"

I got this, user:warn|warning my_userid: Test message
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39856665
Sorry, I forgot that you can't log "kernel" type messages with the "logger" command - AIX translates them automatically to "user".

But as you can see with "-p user.warn" not all "user" type messages are blocked, only those at level "notice" or lower (and this is true for "kernel" messages too, yet we can't prove it by means of the "logger" command).

And since it's standard AIX syslog you cannot filter messages by content, only by facility and level, unfortunately.

wmp
0
