[afnog] syslog levels

Scott Weeks surfer at mauigateway.com
Mon Aug 27 19:04:54 UTC 2007



---------- ingabireg at terracom.rw wrote: ---------
From: "grace Ingabire" <ingabireg at terracom.rw>

I let everything go into one log file and found that I was receiving
Auth, daemon, local, authpriv, ftp, mail, cron, kern and syslog information.
I found that the mail and syslog messages were not important to me.
How can I avoid them? Nullifying them was one solution.
I tried to log *local0.notice;
local0.debug;mail.*;mail.none;mail.info;local0.info @xx.xx.xx.xx but I'm not
receiving any logs now.
--------------------------------------------------


Since these messages are coming from the remote hosts to a central syslog server, I would try to stop them at the source.  That is, tell the remote hosts not to send all of the logs, but only the ones you want to see on the central server.  I don't have an example of how to do this, and it'd require man page and web page reading to get it to do exactly what you want it to do and nothing more.

From my email, below, you can do the following to block them from being seen on the central server if the above can't be done:


To stop what you mentioned above from being seen, write a small shell script, say "logviewer.sh", and paste this in:

#! /bin/sh
# Follow the log as it grows and hide every line that contains one of the terms
tail -f /var/log/mylog | egrep -v 'Auth|daemon|local|authpriv|ftp|mail|cron|kern|syslog'

Then save it and make it executable.  Then, in the directory where you saved the file, type ./ and the name of the program with no spaces.  For example: ./logviewer.sh.  You can add more terms inside the single quotes of the 'egrep' command.  Keep adding terms you don't want to see to the egrep command and finally the messages will flow by at a human-readable rate, and you can have real-time insight into what's going on with your hosts.


You can also do it live:

tail -f /var/log/mylog | egrep -v 'Auth|daemon|local|authpriv|ftp|mail|cron|kern|syslog'

Also, be sure that if the log info is filling up the memory on your central server that you set file size as the reason to rotate and keep only a certain number of the files.

In FreeBSD you'll use these files: /etc/newsyslog.conf and /etc/syslog.conf
In Solaris, use: /etc/logadm.conf and /etc/syslog.conf

scott
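
An added example of the source-side filtering recommended above; it is not from the thread, and the log server address, the log path and the rotation values (10 MB, 10 old copies) are assumptions. Classic syslog.conf lines are a selector list followed by an action: each selector is facility.level (a level selects that level and everything more severe), selectors are separated by ";", "facility.none" removes that facility from the list, a later selector for the same facility overrides an earlier one (so "mail.*;mail.none" ends up dropping mail), and "*" is only valid as the facility part of "*.level", so a selector spelled "*local0.notice" is not a facility name and the line cannot be parsed as intended. Separate the selector list from the action with a tab; Solaris syslogd insists on it.

```conf
# /etc/syslog.conf on each REMOTE host (added example; replace xx.xx.xx.xx).
# "*.info"      every facility at info and above (debug is not sent)
# "mail.none"   then remove the mail facility from that list
# "syslog.none" and remove syslogd's own messages
# Selector list and action are separated by a TAB.
*.info;mail.none;syslog.none	@xx.xx.xx.xx
# mail is no longer forwarded, so keep it in a local file instead.
mail.*	/var/log/maillog

# /etc/newsyslog.conf on a FreeBSD central server: rotate on size, not time.
# logfilename   [owner:group]  mode  count  size(KB)  when  flags
# count 10 = keep ten old copies, size 10240 KB, "*" = ignore the clock,
# Z = gzip the rotated file, C = create the log if it is missing.
/var/log/mylog                 640   10     10240     *     ZC

# /etc/logadm.conf on a Solaris central server, the equivalent entry:
# rotate once the file passes 10 MB and keep ten old copies.
/var/log/mylog -C 10 -s 10m
```

Two checks before blaming the selectors when nothing arrives: restart syslogd on the sending host after editing syslog.conf, and on a FreeBSD receiver make sure syslogd is not running with -s (the default rc.conf starts it that way, and -s refuses messages from remote machines) and that the sending hosts are allowed with -a.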

-----Original Message-----
From: Scott Weeks

------- ingabireg at terracom.rw wrote: ---------------

I want to send log messages from my hosts to the central syslog server. I
can log everything by using *.*     @ xx.xx.xx.xx this works, but I think it
will be full of information to be of any real use.

I have seen that we have 7 levels but want to know the important one (with
enough details). Attached is a description of those levels.
-------------------------------------------------



I do this two ways.  First, I let *everything* go into the log file.  Then I
look through it by getting rid of things I don't want to see (or have
already taken care of) one at a time:

egrep -v 'term1|term2|termN' /var/log/mylog | less

This shows me everything except the lines which contain term1, term2 or
termN and I just keep adding terms until I have looked at everything in the
file.  Later, you will find a lot of terms you rarely want to see and you
can write a small shell script like this:

#! /bin/sh
# Page through the log, hiding every line that contains one of the terms
egrep -v 'term1|term2|term3' /var/log/mylog | less

Then you won't have to type the above every time.  You can call your shell
script, say, "logwatch" and then all you have to do is go to the directory
and type "./logwatch".  Be sure your permissions are set properly: "chmod
u+x logwatch"


One more fun thing to do is watch stuff in real time:

tail -f /var/log/mylog | egrep -v 'term1|term2|term3'

Where the terms are things I don't want to see.  Having everything in the
log, as someone mentioned earlier, allows you to go back to an error and
look at it in context to other things happening.

scott
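
An added example, not code from either message above, that runs the egrep -v style filter from this thread over a handful of constructed syslog lines so you can see exactly what the unanchored word list drops. The hostnames, program names and messages are invented for the demonstration; grep -E is egrep under its current name.

```shell
#!/bin/sh
# Added example (not from the thread): apply the egrep -v filter to constructed
# syslog lines and compare it with a filter anchored on the program field.

# Constructed sample lines in the usual syslog file format:
# "Mon DD HH:MM:SS host program[pid]: message". The facility (mail, cron,
# kern ...) is NOT written into the file; only the program name is.
SAMPLE_LOG='Aug 27 19:04:54 router1 sendmail[1234]: queued message
Aug 27 19:04:55 router1 sshd[2001]: Accepted publickey for admin from 10.0.0.5
Aug 27 19:04:56 localhost cron[300]: (root) CMD (run-parts /etc/cron.hourly)
Aug 27 19:04:57 router2 syslogd: restart
Aug 27 19:04:58 router2 kernel: em0: link state changed to DOWN
Aug 27 19:04:59 mailhost sshd[2002]: Failed password for root from 10.0.0.9'

# The filter as posted: drop any line containing one of the words anywhere.
# "mail" also matches the hostname "mailhost" and "kern" matches "kernel",
# so the failed root login from mailhost and the link-down event vanish too.
filter_naive() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -E -v 'Auth|daemon|local|authpriv|ftp|mail|cron|kern|syslog'
}

# Anchored alternative: match only the program field after the hostname,
# with its optional [pid], so hostnames and message text are never consulted.
filter_program() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep -E -v '^[A-Z][a-z]{2} +[0-9]+ [0-9:]+ [^ ]+ (sendmail|cron|syslogd)(\[[0-9]+\])?:'
}

# How many lines a filter lets through (grep -c '' avoids wc's padding).
surviving_lines() {
    "$1" | grep -c ''
}

# Run stand-alone: show both results side by side.
echo "--- naive filter ($(surviving_lines filter_naive) lines left) ---"
filter_naive
echo "--- program-field filter ($(surviving_lines filter_program) lines left) ---"
filter_program
```

The naive list keeps one of the six lines; the anchored version keeps three, including the failed root login that the word "mail" had hidden. When you build up the exclusion list the way the messages above describe, pick terms that name the program field rather than bare words.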

_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog