Solved

How to stop Syslog filled with ifconfig

Posted on 2014-02-10
1,452 Views
Last Modified: 2014-02-20
I am trying to stop the syslog information mentioned here below:

user:info syslog: /usr/sbin/ifconfig -au

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/sbin/netstat, is executed by user with id xxxxx

What could be the proper procedure to stop this syslog information?
Question by: sams20
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847331
Seems that you have either something like "*.notice", "*.info" or "*.debug" in your syslog.conf file,
or something like "kern.notice" (or .info or .debug) and "user.notice" (or .info or .debug).

Depending on what you have set in the config file change it to contain ".warn" instead of ".notice" (or .info or .debug).

If in doubt you can post your active entries (those without a "#" in front) here so I could have a look.

The relevant file is "/etc/syslog.conf".
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847359
If you have

*.notice /path/to/logfile

and want to stay informed by "notice" messages except for "kern" and "user" you can change to

*.notice;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile


If the original entry contains .info or .debug instead of .notice change it accordingly, e.g. for .info change

*.info /path/to/logfile

to

*.info;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile

Don't forget to run "refresh -s syslogd" after making changes!

Author Comment

by:sams20
ID: 39847390
I have syslog configured as:

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none

OR

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847429
Your issue comes from the "*.notice" and "*.info" entries.

By the way, "info" already contains the higher priorities, so there is no need to specify them all.
"warning" and "warn" are equivalent, so there is also no need to specify both.

You can simply change "*.notice" to "*.warn" and remove all higher priorities (because specifying them is redundant), and you will no longer see those "notice" messages:

*.warn;daemon.none

OR

*.warn

Or, if you still want to see "info" messages except for kernel and user, then add to the existing list

"kern.none;user.none"

and add the line

kern.warn;user.warn, like this:

*.info;daemon.none;kern.none;user.none
kern.warn;user.warn
Don't forget to run "refresh -s syslogd" after making changes!


Author Comment

by:sams20
ID: 39847484
Is it possible to write both lines as a single line, as shown below?

1)*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

OR

2)
*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none @server1 (like, server1 as a log server)
kern.warn;user.warn @server1

Which should be the correct one, 1) or 2)?

Thanks
LVL 68

Accepted Solution

by: woolmilkporc (earned 500 total points)
ID: 39847515
Both will work, but in your version both contain much redundancy.

1)

*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

does the same as your (1)

2)

*.info;daemon.none;kern.none;user.none @server1
kern.warn;user.warn @server1

does the same as your (2).

(1) is shorter, but (2) is a bit more expressive. It's a matter of taste.

Don't forget to run "refresh -s syslogd" after making changes!
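The two points made in this thread, that the long list of "*.emerg;*.alert;...;*.info" collapses to "*.info" and that "kern.none;user.none;kern.warn;user.warn" keeps kernel/user messages of priority warn and above while dropping notice and info, can be checked offline by simulating the selector matching. The following is an added example, not code from the thread or from AIX; it assumes the usual BSD-style rules (priorities rank debug < info < notice < warning < err < crit < alert < emerg, "warn"/"warning", "error"/"err" and "panic"/"emerg" are aliases, the last entry naming a facility wins, ".none" excludes the facility) and parses log lines in the "facility:priority program: text" shape posted in the question. The sample lines and the "xxxxx" id are constructed placeholders.

```python
"""Simulate BSD/AIX-style syslog.conf selector matching (added example, not AIX code)."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron"] + ["local%d" % i for i in range(8)]


def level(priority):
    """Numeric rank of a priority name, accepting the common aliases."""
    return PRIORITIES.index(ALIASES.get(priority, priority))


def parse_selector(field):
    """Split 'a.b;c.d' into (facility, priority) pairs; blank entries are ignored."""
    pairs = []
    for part in field.split(";"):
        part = part.strip()
        if part:
            facility, _, priority = part.partition(".")
            pairs.append((facility, priority))
    return pairs


def selector_matches(field, facility, priority):
    """Would a message of (facility, priority) be logged by this selector field?

    Assumed BSD semantics: entries are applied left to right, the last entry that
    names the facility (or '*') sets its threshold, and '.none' removes it.
    """
    threshold = None  # None means "not logged"; otherwise the lowest accepted level
    for sel_fac, sel_pri in parse_selector(field):
        if sel_fac in ("*", facility):
            threshold = None if sel_pri == "none" else level(sel_pri)
    return threshold is not None and level(priority) >= threshold


def equivalent(field_a, field_b):
    """True if two selector fields log exactly the same (facility, priority) set."""
    return all(selector_matches(field_a, f, p) == selector_matches(field_b, f, p)
               for f in FACILITIES for p in PRIORITIES)


def parse_aix_line(line):
    """Parse the 'facility:priority program: text' shape of the lines in the question."""
    tag, _, message = line.partition(" ")
    facility, _, priority = tag.partition(":")
    return facility, priority.split("|")[0], message   # 'warn|warning' -> 'warn'


def filter_lines(field, lines):
    """Return the log lines that the selector field would still deliver."""
    kept = []
    for line in lines:
        facility, priority, _ = parse_aix_line(line)
        if selector_matches(field, facility, priority):
            kept.append(line)
    return kept


# Constructed sample input in the format posted in the question; "xxxxx" is a placeholder id.
SAMPLE_LINES = [
    "user:info syslog: /usr/sbin/ifconfig -au",
    "kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx",
    "kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id xxxxx",
    "user:warn|warning my_userid: Testmessage",
    "kern:err unix: constructed kernel error line",
    "daemon:crit inetd: constructed daemon line",
]

# The asker's original selector and the accepted single-line replacement.
ORIGINAL = "*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none"
ACCEPTED = "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn"

if __name__ == "__main__":
    print("redundant form equals *.info;daemon.none:", equivalent(ORIGINAL, "*.info;daemon.none"))
    for line in filter_lines(ACCEPTED, SAMPLE_LINES):
        print("kept:", line)
```

Run as a script it reports that the redundant selector is equivalent to "*.info;daemon.none" and that, under the accepted selector, only the user.warn and kern.err lines survive: the ifconfig and lsvg/vmstat lines at info/notice are dropped, while warnings and errors from the same facilities still arrive, which is exactly what the "logger -p user.warn" test later in the thread demonstrates on a real system.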

Author Comment

by:sams20
ID: 39855246
This, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" configuration is working fine. But I don't want to stop all kern or user related message.
I am trying to discard the specific messages mentioned here below, which keep being written to the log file every 2 or 3 seconds.

For this message, user:info syslog: /usr/sbin/ifconfig -au
if I do filter by ifconfig -au
:msg, contains, "ifconfig -au" ~

and

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx
if I do filter by id xxxxx
:msg, contains, "id xxxxx" ~

I am not sure whether this will work, or whether there is any other procedure to filter and ignore specific messages from the log file; please let me know.

Thanks
LVL 68

Expert Comment

by:woolmilkporc
ID: 39855552
Which syslog implementation do you use?

The standard AIX syslog does not have a filter option.

With this, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" you do not stop all kernel or user related messages, you just get rid of messages with priority "notice" or lower.
Kernel and User messages with priorities emerg/panic,alert,crit,err(or),warn(ing) will still arrive.

You can test this with

logger -p kern.warn "Testmessage"
and
logger -p user.warn "Testmessage"

Author Comment

by:sams20
ID: 39856283
Yes, it is standard AIX syslog.

When I type, logger -p kern.warn "Testmessage"

I got this, user:warn|warning my_userid: Testmessage

and

when I type, logger -p user.warn "Test message"

I got this, user:warn|warning my_userid: Test message
LVL 68

Expert Comment

by:woolmilkporc
ID: 39856665
Sorry, I forgot that you can't log "kernel" type messages with the "logger" command - AIX translates them automatically to "user".

But as you can see with "-p user.warn" not all "user" type messages are blocked, only those at level "notice" or lower (and this is true for "kernel" messages too, yet we can't prove it by means of the "logger" command).

And since it's standard AIX syslog you cannot filter messages by content, only by facility and level, unfortunately.

wmp