How to stop Syslog filled with ifconfig

I am trying to stop the syslog information mentioned below:

user:info syslog: /usr/sbin/ifconfig -au

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/sbin/netstat, is executed by user with id xxxxx

What could be the proper procedure to stop this syslog information?
sams20Asked:
 
woolmilkporcCommented:
Both will work, but in your version both contain much redundancy.

1)

*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

does the same as your (1)

2)

*.info;daemon.none;kern.none;user.none @server1
kern.warn;user.warn @server1

does the same as your (2).

(1) is shorter, but (2) is a bit more expressive. It's a matter of taste.

Don't forget to run "refresh -s syslogd" after making changes!
0
 
woolmilkporcCommented:
Seems that you have either something like "*.notice", "*.info" or "*.debug" in your syslog.conf file,
or something like "kern.notice" (or .info or .debug) and "user.notice" (or .info or .debug).

Depending on what you have set in the config file change it to contain ".warn" instead of ".notice" (or .info or .debug).

If in doubt you can post your active entries (those without a "#" in front) here so I could have a look.

The relevant file is "/etc/syslog.conf".
0
 
woolmilkporcCommented:
If you have

*.notice /path/to/logfile

and want to stay informed by "notice" messages except for "kern" and "user" you can change to

*.notice;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile


If the original entry contains .info or .debug instead of .notice change it accordingly, e.g. for .info change

*.info /path/to/logfile

to

*.info;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile

Don't forget to run "refresh -s syslogd" after making changes!
0
 
sams20Author Commented:
I have syslog configured,

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none

OR

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info
0
 
woolmilkporcCommented:
Your issue comes from the "*.notice" and "*.info" entries.

By the way, "info" already contains the higher priorities, so there is no need to specify them all.
"warning" and "warn" are equivalent, so there is also no need to specify both.

You can simply change "*.notice" to "*.warn" and remove all higher priorities (because specifying them is redundant) and you will no longer see those "notice" messages:

*.warn;daemon.none

OR

*.warn




Or if you still want to see "info" messages except for kernel and user then add to the existing list

"kern.none;user.none"

and add the line

kern.warn;user.warn , like this:

*.info;daemon.none;kern.none;user.none
kern.warn;user.warn



Don't forget to run "refresh -s syslogd" after making changes!
0
 
sams20Author Commented:
Is it possible to write both lines as a single line, as mentioned below?

1)*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

OR

2)
*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none @server1 (like, server1 as a log server)
kern.warn;user.warn @server1

Which should be the correct one, 1) or 2)?

Thanks
0
 
sams20Author Commented:
This "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" configuration is working fine. But I don't want to stop all kern or user related messages.
I am trying to discard the specific messages mentioned below, which continue to be written to the log file every 3 or 2 seconds.

For this message, user:info syslog: /usr/sbin/ifconfig -au
if I do filter by ifconfig -au
:msg, contains, "ifconfig -au" ~

and

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx
if I do filter by id xxxxx
:msg, contains, "id xxxxx" ~

I am not sure how well it will work. If there is any other procedure to filter and ignore specific messages from the log file, please let me know.

Thanks
0
 
woolmilkporcCommented:
Which syslog implementation do you use?

The standard AIX syslog does not have a filter option.

With this, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" you do not stop all kernel or user related messages, you just get rid of messages with priority "notice" or lower.
Kernel and User messages with priorities emerg/panic,alert,crit,err(or),warn(ing) will still arrive.

You can test this with

logger -p kern.warn "Testmessage"
and
logger -p user.warn "Testmessage"
0
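
The selector behaviour described in the comment above, as an added example (not part of the original thread and not AIX's own code): a small Python model of syslog.conf selector matching. It assumes the classic BSD-style evaluation in which each selector sets a per-facility threshold and later selectors in a list override earlier ones; the function names and sample messages are constructed for illustration.

```python
# Added illustration: a model of classic syslog.conf selector matching.
# Assumption: each selector sets a per-facility threshold; later ones override.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# Common facility names (not an exhaustive AIX list).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp"] + [f"local{i}" for i in range(8)]

def severity(name):
    """Numeric severity for a level name: 0 = emerg ... 7 = debug."""
    return LEVELS.index(ALIASES.get(name, name))

def compile_rule(selector_list):
    """Turn 'fac.level;fac.level;...' into a facility -> threshold table."""
    table = {f: None for f in FACILITIES}      # None means "log nothing"
    for selector in selector_list.split(";"):
        facility, _, level = selector.strip().partition(".")
        threshold = None if level == "none" else severity(level)
        targets = FACILITIES if facility == "*" else [facility]
        for f in targets:
            if f not in table:
                raise ValueError(f"unknown facility: {f}")
            table[f] = threshold               # later selector wins
    return table

def forwarded(rule_lines, facility, level):
    """A message is sent if any rule line selects it at this level or higher."""
    for line in rule_lines:
        threshold = compile_rule(line)[facility]
        if threshold is not None and severity(level) <= threshold:
            return True
    return False

ONE_LINE = ["*.info;daemon.none;kern.none;user.none;kern.warn;user.warn"]
TWO_LINES = ["*.info;daemon.none;kern.none;user.none", "kern.warn;user.warn"]

# Constructed (facility, level) samples modelled on the messages in the thread.
SAMPLES = [("user", "info"), ("kern", "notice"), ("kern", "warning"),
           ("user", "err"), ("auth", "notice"), ("daemon", "crit"),
           ("mail", "debug")]

def report(rule_lines):
    """Map 'facility.level' -> True if forwarded, False if dropped."""
    return {f"{f}.{l}": forwarded(rule_lines, f, l) for f, l in SAMPLES}

if __name__ == "__main__":
    for name, sent in report(ONE_LINE).items():
        print(f"{name:14s} {'forwarded' if sent else 'dropped'}")
```

Under this model every kern.notice message is dropped, not only the "privilege command" lines, while notices from other facilities such as auth still reach the log server.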
 
sams20Author Commented:
Yes, it is standard AIX syslog.

When I type, logger -p kern.warn "Testmessage"

I got this, user:warn|warning my_userid: Testmessage

and

when I type, logger -p user.warn "Test message"

 I got this, user:warn|warning my_userid: Test message
0
 
woolmilkporcCommented:
Sorry, I forgot that you can't log "kernel" type messages with the "logger" command - AIX translates them automatically to "user".

But as you can see with "-p user.warn" not all "user" type messages are blocked, only those at level "notice" or lower (and this is true for "kernel" messages too, yet we can't prove it by means of the "logger" command).

And since it's standard AIX syslog you cannot filter messages by content, only by facility and level, unfortunately.

wmp
0
Question has a verified solution.
