Solved

How to stop Syslog filled with ifconfig

Posted on 2014-02-10
Medium Priority
1,556 Views
Last Modified: 2014-02-20
I am trying to stop the syslog information mentioned here below:

user:info syslog: /usr/sbin/ifconfig -au

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/bin/vmstat, is executed by user with id xxxxx

kern:notice unix: The privilege command /usr/sbin/netstat, is executed by user with id xxxxx

What could be the proper procedure to stop this syslog information?
Question by:sams20
10 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847331
Seems that you have either something like "*.notice", "*.info" or "*.debug" in your syslog.conf file,
or something like "kern.notice" (or .info or .debug) and "user.notice" (or .info or .debug).

Depending on what you have set in the config file change it to contain ".warn" instead of ".notice" (or .info or .debug).

If in doubt you can post your active entries (those without a "#" in front) here so I could have a look.

The relevant file is "/etc/syslog.conf".
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847359
If you have

*.notice /path/to/logfile

and want to stay informed by "notice" messages except for "kern" and "user" you can change to

*.notice;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile


If the original entry contains .info or .debug instead of .notice change it accordingly, e.g. for .info change

*.info /path/to/logfile

to

*.info;kern.none;user.none  /path/to/logfile
kern.warn;user.warn  /path/to/logfile

Don't forget to run "refresh -s syslogd" after making changes!
 

Author Comment

by:sams20
ID: 39847390
I have syslog configured,

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;daemon.none

OR

*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info

 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39847429
Your issue comes from the "*.notice" and "*.info" entries.

By the way, "info" already contains the higher priorities, so there is no need to specify them all.
"warning" and "warn" are equivalent, so there is also no need to specify both.

You can simply change "*.notice" to "*.warn" and remove all higher priorities (because specifying them is redundant), and you will no longer see those "notice" messages:

*.warn;daemon.none

OR

*.warn




Or if you still want to see "info" messages except for kernel and user then add to the existing list

"kern.none;user.none"

and add the line

kern.warn;user.warn, like this:

*.info;daemon.none;kern.none;user.none
kern.warn;user.warn



Don't forget to run "refresh -s syslogd" after making changes!
 

Author Comment

by:sams20
ID: 39847484
Is it possible to write both lines as a single line, as mentioned below?

1) *.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

OR

2)
*.emerg;*.alert;*.crit;*.err;*.warning;*.info;daemon.none;kern.none;user.none @server1 (like, server1 as a log server)
kern.warn;user.warn @server1

Which one is correct, 1) or 2)?

Thanks
 
LVL 68

Accepted Solution

by: woolmilkporc (earned 1500 total points)
ID: 39847515
Both will work, but in your version both contain much redundancy.

1)

*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1

does the same as your (1)

2)

*.info;daemon.none;kern.none;user.none @server1
kern.warn;user.warn @server1

does the same as your (2).

(1) is shorter, but (2) is a bit more expressive. It's a matter of taste.

Don't forget to run "refresh -s syslogd" after making changes!
 

Author Comment

by:sams20
ID: 39855246
This "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" configuration is working fine. But I don't want to stop all kern- or user-related messages.
I am trying to discard the specific messages mentioned here below, which keep being written to the log file every 3 or 2 seconds.

For this message, user:info syslog: /usr/sbin/ifconfig -au
if I do filter by ifconfig -au
:msg, contains, "ifconfig -au" ~

and

kern:notice unix: The privilege command /usr/sbin/lsvg, is executed by user with id xxxxx
if I do filter by id xxxxx
:msg, contains, "id xxxxx" ~

I am not sure how well it will work, or whether there is any other procedure to filter and ignore specific messages from the log file. Please let me know.

Thanks
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39855552
Which syslog implementation do you use?

The standard AIX syslog does not have a filter option.

With this, "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" you do not stop all kernel or user related messages, you just get rid of messages with priority "notice" or lower.
Kernel and user messages with priorities emerg/panic, alert, crit, err(or), warn(ing) will still arrive.

You can test this with

logger -p kern.warn "Testmessage"
and
logger -p user.warn "Testmessage"
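An added example (not code from the thread, from AIX, or from the expert) that resolves a syslog.conf selector list the way the comments above describe, so a line such as the accepted "*.info;daemon.none;kern.none;user.none;kern.warn;user.warn @server1" can be checked against the quoted log messages before running "refresh -s syslogd". It assumes the standard BSD facility and priority names (including the warn/warning, err/error and panic/emerg aliases) and the "facility:priority" tag format shown in the quoted log lines.

```python
# Added example, not code from the thread: evaluates syslog.conf selector
# lists the way BSD-style syslogd on AIX resolves them. Selectors apply left
# to right, a later selector for a facility overrides an earlier one, "*"
# covers every facility and "none" drops that facility's messages entirely.
# Only facility/level selection is modelled; a content filter such as
# ':msg, contains, "..." ~' is rsyslog syntax and is rejected, as standard
# AIX syslogd would reject it.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron"] + [f"local{i}" for i in range(8)]
NONE = -1  # threshold meaning "log nothing from this facility"


def priority_level(name):
    """Numeric level: emerg=0 (most severe) ... debug=7; 'none' -> NONE."""
    name = ALIASES.get(name, name)
    return NONE if name == "none" else PRIORITIES.index(name)


def parse_line(config_line):
    """Map each facility to the least severe level this line still logs.
    The selector list is the first field; the action (a file path or
    '@server1') is ignored here."""
    table = {fac: NONE for fac in FACILITIES}
    for sel in config_line.split()[0].split(";"):
        if sel.count(".") != 1:
            raise ValueError(f"not a facility.priority selector: {sel!r}")
        fac_part, prio_part = sel.split(".")
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        for fac in facs:
            if fac not in table:
                raise ValueError(f"unknown facility: {fac!r}")
            table[fac] = priority_level(prio_part)
    return table


def is_logged(config_line, facility, priority):
    """True if a facility.priority message passes this syslog.conf line."""
    level = priority_level(priority)
    return level != NONE and level <= parse_line(config_line)[facility]


def line_is_logged(config_line, log_line):
    """Same check for an AIX log line tagged 'user:info ...' or
    'user:warn|warning ...' (the formats quoted in the thread)."""
    facility, priority = log_line.split(" ", 1)[0].split(":")
    return is_logged(config_line, facility, priority.split("|")[0])
```

With the accepted line, `line_is_logged` returns False for "user:info syslog: /usr/sbin/ifconfig -au" and "kern:notice unix: ..." but True for the "user:warn|warning my_userid: Testmessage" produced by the logger test, which is the behaviour the expert describes.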
 

Author Comment

by:sams20
ID: 39856283
Yes, it is standard AIX syslog.

When I type, logger -p kern.warn "Testmessage"

I got this: user:warn|warning my_userid: Testmessage

and

when I type, logger -p user.warn "Test message"

I got this: user:warn|warning my_userid: Test message
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39856665
Sorry, I forgot that you can't log "kernel" type messages with the "logger" command - AIX translates them automatically to "user".

But as you can see with "-p user.warn" not all "user" type messages are blocked, only those at level "notice" or lower (and this is true for "kernel" messages too, yet we can't prove it by means of the "logger" command).

And since it's standard AIX syslog you cannot filter messages by content, only by facility and level, unfortunately.

wmp
