Solved

How to stop Syslog filled with ifconfig

Posted on 2014-02-10
1,387 Views
Last Modified: 2014-02-20
I am trying to stop this syslog information mentioned here below,

user:info syslog: /usr/sbin/ifconfig -au

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/sbin/netstat, is executed by user with id xxxxx

What could be the proper procedure to stop this syslog information?
Question by: sams20
10 Comments
 
Expert Comment by: woolmilkporc (LVL 68)
Seems that you have either something like "*.notice", "*.info" or "*.debug" in your syslog.conf file,
or something like "kern.notice" (or .info or .debug) and "user.notice" (or .info or .debug).

Depending on what you have set in the config file change it to contain ".warn" instead of ".notice" (or .info or .debug).

If in doubt you can post your active entries (those without a "#" in front) here so I could have a look.

The relevant file is "/etc/syslog.conf".
0
 
Expert Comment by: woolmilkporc (LVL 68)
If you have

*.notice /path/to/logfile

and want to stay informed by "notice" messages except for "kern" and "user" you can change to

*.notice;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile


If the original entry contains .info or .debug instead of .notice change it accordingly, e.g. for .info change

*.info /path/to/logfile

to

*.info;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile

Don't forget to run "refresh -s syslogd" after making changes!
0
 

Author Comment by: sams20
I have syslog configured,

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none

OR

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info
0
 
Expert Comment by: woolmilkporc (LVL 68)
Your issue comes from the "*.notice" and "*.info" entries.

By the way, "info" already contains the higher priorities, so there is no need to specify them all.
"warning" and "warn" are equivalent, so there is also no need to specify both.

You can simply change "*.notice" to "*.warn" and remove all higher priorities (because specifying them is redundant), and you will no longer see those "notice" messages:

*.warn;daemon.none

OR

*.warn




Or if you still want to see "info" messages except for kernel and user then add to the existing list

"kern.none;user.none"

and add the line

"kern.warn;user.warn", like this:

*.info;daemon.none;kern.none;user.none
kern.warn;user.warn



Don't forget to run "refresh -s syslogd" after making changes!
0
 

Author Comment by: sams20
Is it possible to write both lines as a single line, as mentioned below,

1) *.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

OR

2)
*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none @server1 (like, server1 as a log server)
kern.warn;user.warn @server1

Which should be the correct one, 1) or 2)?

Thanks
0

 
Accepted Solution by: woolmilkporc (LVL 68, earned 500 total points)
Both will work, but in your version both contain much redundancy.

1)

*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

does the same as your (1)

2)

*.info;daemon.none;kern.none;user.none @server1
kern.warn;user.warn @server1

does the same as your (2).

(1) is shorter, but (2) is a bit more expressive. It's a matter of taste.

Don't forget to run "refresh -s syslogd" after making changes!
0
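As an added example (not code from the thread or from AIX): a small Python evaluator for the BSD/AIX-style syslog.conf selector syntax these comments discuss (facility.priority, "*", "none", ";"-separated lists), so the effect of the accepted answer's line can be checked offline. It assumes the BSD rule that later selectors on a line override earlier ones for the same facility; the config strings and the facility list used for the comparison are constructed for the check.

```python
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # synonyms syslogd accepts

def prio_index(name):
    """Rank of a priority name; a lower index is more severe."""
    return PRIORITIES.index(ALIASES.get(name, name))

def parse_line(line):
    """Split 'sel;sel;... action' into ([(facility, rank or None)], action)."""
    selectors, action = line.split(None, 1)
    rules = []
    for item in selectors.split(";"):
        facility, level = item.split(".")
        rules.append((facility, None if level == "none" else prio_index(level)))
    return rules, action.strip()

def line_matches(rules, facility, priority):
    """Selectors apply left to right and a later one overrides an earlier one
    for the same facility (assumed BSD semantics): 'kern.none' after '*.info'
    drops kern entirely, and 'kern.warn' after that re-enables kern at
    warning or more severe."""
    wanted = prio_index(priority)
    accept = False
    for fac, rank in rules:
        if fac in ("*", facility):
            accept = rank is not None and wanted <= rank
    return accept

def route(config, facility, priority):
    """Return the actions (log file or @host) that receive this message."""
    actions = []
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules, action = parse_line(line)
            if line_matches(rules, facility, priority):
                actions.append(action)
    return actions

# The two equivalent forms from the accepted answer (copied here for the check).
ONE_LINE = "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1"
TWO_LINES = "*.info;daemon.none;kern.none;user.none @server1\nkern.warn;user.warn @server1"

def same_routing(config_a, config_b):
    """True when both configs forward exactly the same facility/priority pairs."""
    facilities = ["kern", "user", "daemon", "mail", "auth", "local0"]  # constructed sample
    return all(route(config_a, f, p) == route(config_b, f, p)
               for f in facilities for p in PRIORITIES)
```

Running route() on the thread's own messages shows the kern "notice" and user "info" entries are dropped while kern/user "warn" and more severe still reach @server1, and same_routing() confirms the one-line and two-line forms behave identically.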
 

Author Comment by: sams20
This, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" configuration is working fine. But I don't want to stop all kern or user related messages.
I am trying to discard those specific messages mentioned here below, which keep updating into the log file every 3 or 2 seconds.

For this message, user:info syslog: /usr/sbin/ifconfig -au
if I do filter by ifconfig -au
:msg, contains, "ifconfig -au" ~

and

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx
if I do filter by id xxxxx
:msg, contains, "id xxxxx" ~

I am not sure how well it will work, or is there any other procedure to filter and ignore specific messages from the log file? Please let me know.

Thanks
0
 
Expert Comment by: woolmilkporc (LVL 68)
Which syslog implementation do you use?

The standard AIX syslog does not have a filter option.

With this, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" you do not stop all kernel or user related messages, you just get rid of messages with priority "notice" or lower.
Kernel and User messages with priorities emerg/panic,alert,crit,err(or),warn(ing) will still arrive.

You can test this with

logger -p kern.warn "Testmessage"
and
logger -p user.warn "Testmessage"
0
 

Author Comment by: sams20
Yes, it is standard AIX syslog.

When I type, logger -p kern.warn "Testmessage"

I got this, user:warn|warning my_userid: Testmessage

and

when I type, logger -p user.warn "Test message"

 I got this, user:warn|warning my_userid: Test message
0
 
Expert Comment by: woolmilkporc (LVL 68)
Sorry, I forgot that you can't log "kernel" type messages with the "logger" command - AIX translates them automatically to "user".

But as you can see with "-p user.warn" not all "user" type messages are blocked, only those at level "notice" or lower (and this is true for "kernel" messages too, yet we can't prove it by means of the "logger" command).

And since it's standard AIX syslog you cannot filter messages by content, only by facility and level, unfortunately.

wmp
0
