Logs – dump.4network.org

Discarding unwanted messages in syslog-ng

There are some messages that you do not want to see in the logs file. In this case I had the following:

Feb 3 11:41:05 bnmdns1 nrpe[19270]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:05 bnmdns1 nrpe[19272]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:13 bnmdns1 nrpe[19278]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:13 bnmdns1 nrpe[19280]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:15 bnmdns1 nrpe[19286]: Error: Could not complete SSL handshake. 1

To get rid of those unwanted messages add the following to /etc/syslog-ng/syslog-ng.conf file:

filter f_nrpe {match ("Error: Could not complete SSL handshake. 1");}; destination d_nrpe { file("/var/log/nrpe.log");}; log { source(src); filter (f_nrpe); destination(d_nrpe);};
In the above example the filter and destination have nrpe names, as they should. The match statement is not taking into account the facility or severity. Be sure the name chosen doesn’t exist as another filter or destination already specified in this file. If we were to test this, at this point we would have a /var/log/messages file with “Error: Could not complete SSL handshake. 1” line as well as a /var/log/nrpe.log with the same “Error: Could not complete SSL handshake. 1” messages. We now need to exclude these messages from being logged to /var/log/messages.

In the syslog-ng.conf file there is a line that starts with “filter f_message”. We need to exclude our filter from being logged here. If the default line looks like the following:

filter f_messages { not facility(news, mail) and not filter(f_iptables); };

Change it to the following:

filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_nrpe); };

The modified “f_messages” filter will now exclude anything defined in the “f_nrpe” filter. Messages with “Error: Could not complete SSL handshake. 1” in them should only be found in the defined log file as specified under “d_nrpe”.

Now, restart syslog-ng and test this by using logger command:

logger "Error: Could not complete SSL handshake. 1"

The unwanted nrpe logs should be stored in /var/log/nrpe.log

Rsyslogd the traditional File Format.

Add the following $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat to /etc/rsyslogd.conf to have a traditional file format like this:

Jan 12 15:51:07 sles29 dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=172.16.12.151, lip=172.16.60.15, session= Jan 12 15:51:14 sles29 postfix/smtpd[9226]: connect from unknown[172.16.12.151] Jan 12 15:51:14 sles29 postfix/smtpd[9226]: disconnect from unknown[172.16.12.151] Jan 12 15:51:17 sles29 postfix/postfix-script[10446]: stopping the Postfix mail system Jan 12 15:51:17 sles29 postfix/master[9120]: terminating on signal 15

instead of this:
2016-01-12T15:50:14.273797+00:00 sles29 postfix/smtpd[9226]: connect from unknown[172.16.12.151] 2016-01-12T15:50:14.274207+00:00 sles29 postfix/anvil[9231]: statistics: max connection rate 1/60s for (smtp:172.16.12.151) at Jan 12 15:40:14 2016-01-12T15:50:14.274534+00:00 sles29 postfix/anvil[9231]: statistics: max connection count 1 for (smtp:172.16.12.151) at Jan 12 15:40:14 2016-01-12T15:50:14.274781+00:00 sles29 postfix/anvil[9231]: statistics: max cache size 2 at Jan 12 15:41:53 2016-01-12T15:50:14.281123+00:00 sles29 postfix/smtpd[9226]: disconnect from unknown[172.16.12.151]

Discarding unwanted messages in rsyslogd.

There are some messages that you do not want to see in the logs file. In this case I had the following:

Nov 16 14:15:51 nbefa1 nrpe[25429]: Error: Could not complete SSL handshake. 1
Nov 16 14:15:51 nbefa1 nrpe[25431]: Error: Could not complete SSL handshake. 1
Nov 16 14:15:51 nbefa1 nrpe[25435]: Error: Could not complete SSL handshake. 1
Nov 16 14:15:51 nbefa1 nrpe[25437]: Error: Could not complete SSL handshake. 1
Nov 16 14:15:55 nbefa1 nrpe[25446]: Error: Could not complete SSL handshake. 1
Nov 16 14:15:55 nbefa1 nrpe[25448]: Error: Could not complete SSL handshake. 1

To get rid of those unwanted messages add the following to the top of /etc/rsyslogd.conf file:

# Discarding unwanted messages :msg, contains, "Error: Could not complete SSL handshake. 1" ~

And then restart rsyslogd.

More information: http://www.rsyslog.com/discarding-unwanted-messages/

Log file for NRPE

NRPE does not have its own log file, everything goes to /var/log/messages. It would be nice to have a dedicated log file for NRPE.
To do that add the following lines in your NRPE configuration file. In my case the configuration file is /etc/nagios/nrpe.cfg

log_facility=local1 debug=0

and add the following lines to rsyslog configuration file. In my case the configuration file is /etc/rsyslogd.conf

local1.* /var/log/nrpe.log

And now, restart rsyslogd and nrep:

/etc/init.d/./rsyslogd restart /etc/init.d/./nrpe restart

Troubleshooting and debugging syslog-ng.

Sometimes, syslog-ng seems to be working wrong, it does not send logs, or it does not start or in an extreme case it crashes.
Is it a real syslog-ng bug or not?

First of all, syslog-ng has a lot of parameters for debugging:

root# syslog-ng –help-all

-F, –foreground Do not go into the background after initialization -v, –verbose Be a bit more verbose -d, –debug Enable debug messages -t, –trace Enable trace messages -e, –stderr Log messages to stderr -s, --syntax-only Only read and parse config file

For example:

root# syslog-ng -F WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration; Error resolving reference; content='source', name='_src', location='/etc/syslog-ng/conf.d/iptables.conf:3:7' root#

cat /etc/syslog-ng/conf.d/iptables.conf destination iptables { file("/var/log/iptables.log" owner("user") group("adm") perm(0644)); }; filter iptables { facility(kern) and match("IN=") and match("OUT="); }; log { source(_src); filter(iptables); destination(iptables); };

So what is missing? ‘s’ in name=’_src’ The syntax should look like this:

cat /etc/syslog-ng/conf.d/iptables.conf destination iptables { file("/var/log/iptables.log" owner("aryps") group("adm") perm(0644)); }; filter iptables { facility(kern) and match("IN=") and match("OUT="); }; log { source(s_src); filter(iptables); destination(iptables); };

Worth to add the following and not filter(iptables) to filter f_kern and filter f_messages so the filters will look like this:

cat /etc/syslog-ng/syslog-ng.conf ... filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news) and not filter(iptables); }; filter f_kern { facility(kern) and not filter(f_debug) and not filter(iptables); }; ...