How To Redirect Unwanted Messages From /var/log/messages

  • 7004659
  • 20-Apr-2012
  • 07-Jan-2015

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
SUSE Linux Enterprise Server 10 Service Pack 4

Situation

Depending on the system setup, some /var/log/messages files can be full of informational messages that make it difficult to find problems while troubleshooting other issues.

This Technical Information Document (TID) gives an example of how to redirect unwanted messages away from this file.

Resolution

This TID assumes that the syslog-ng daemon is being utilized.
 
Suppose the /var/log/messages file is full of unwanted Dynamic DNS (DDNS) messages.  For our purposes here, these messages could look like the following (sensitive information removed):

    Apr 11 10:27:45 MyServer [NCPL]: client xxx.xxx.xxx.xxx#53: updating zone 'myZone.com/IN': Unsupported RR(255): discarding
 
The above message is just informational. However, if thousands of clients are trying to update DDNS (default for Windows clients), the server may log their attempts with the above line being logged to the /var/log/messages file for each attempt.  In our example we understand why the line is being logged and would like to redirect these lines to another file or throw them away.  To accomplish this, do the following:
 
  1. Always make a backup copy of any file that will be edited.
  2. Edit the /etc/syslog-ng/syslog-ng.conf file.
  3. Add the following to the bottom of the file:

    filter f_myFilterName {match ("Unsupported RR");};
    destination d_myDestinationName { file("/var/log/ddns_unsupported_rr.log");};
    log { source(src); filter (f_myFilterName); destination(d_myDestinationName);};

    NOTE:  In the above example the filter and destination have custom names, as they should.  The match statement does not take the facility or severity into account.  Be sure the name chosen doesn't already exist as another filter or destination specified in this file. If we were to test this at this point, we would have a /var/log/messages file with the "Unsupported RR" lines as well as a /var/log/ddns_unsupported_rr.log with the same "Unsupported RR" messages.  We now need to exclude these messages from being logged to /var/log/messages.
  4. Toward the top of the syslog-ng.conf file there is a line that starts with "filter f_messages".  We need to exclude our filter from being logged here.  If the default line looks like the following:

    filter f_messages   { not facility(news, mail) and not filter(f_iptables); };

    Change it to the following:

    filter f_messages   { not facility(news, mail) and not filter(f_iptables) and not filter(f_myFilterName); };

    NOTE:  The modified f_messages filter will now exclude anything defined in the f_myFilterName filter as defined in step 3.  Messages with "Unsupported RR" in them should only be found in the defined log file as specified under d_myDestinationName.  All of this assumes that syslog has been restarted after the changes have been implemented.

  5. To test this, use the logger command: 

    logger "Unsupported RR"

It is possible to throw the unwanted lines away too.  Instead of using a destination pointing to a log file, just point to /dev/null.
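
Steps 1, 3 and 4 above as one repeatable shell function, for applying the same change to several servers. This is an added example, not part of the original TID; the function name, its argument and the sample config in the demo are constructed for illustration, while the filter name, destination name and log path are the TID's example values.

```shell
#!/bin/sh
# Added example: steps 1, 3 and 4 of the TID as one repeatable function.
# Filter/destination names and the log path are the TID's example values.
redirect_unsupported_rr() {
    conf="$1"    # path to syslog-ng.conf (argument is this example's choice)
    filter="f_myFilterName"
    dest="d_myDestinationName"
    logfile="/var/log/ddns_unsupported_rr.log"

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Step 3 NOTE: the filter name must not already exist. If it does, the
    # change was applied before (or the name clashes), so leave the file alone.
    if grep -q "^[[:space:]]*filter[[:space:]][[:space:]]*$filter[[:space:]]*{" "$conf"; then
        return 0
    fi
    # Step 4 needs a single-line f_messages filter ending in "; };" to extend.
    fm='^[[:space:]]*filter[[:space:]][[:space:]]*f_messages[[:space:]]*{'
    grep -q "${fm}.*;[[:space:]]*};[[:space:]]*\$" "$conf" ||
        { echo "f_messages filter not found in $conf" >&2; return 2; }

    cp -p "$conf" "$conf.bak" || return 1    # step 1: backup before editing

    {
        # Step 4: exclude our filter from /var/log/messages.
        sed "/${fm}/ s/;[[:space:]]*};[[:space:]]*\$/ and not filter($filter); };/" "$conf.bak"
        # Step 3: append the filter, destination and log statements.
        cat <<EOF
filter $filter { match("Unsupported RR"); };
destination $dest { file("$logfile"); };
log { source(src); filter($filter); destination($dest); };
EOF
    } > "$conf"    # rewrite in place so owner and mode are kept
}

# Demo on a constructed config in a temp directory (not a real server file).
demo=$(mktemp -d)
cat > "$demo/syslog-ng.conf" <<'EOF'
source src { internal(); unix-dgram("/dev/log"); };
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
EOF
redirect_unsupported_rr "$demo/syslog-ng.conf"
diff "$demo/syslog-ng.conf.bak" "$demo/syslog-ng.conf" || true
rm -rf "$demo"
```

The function only edits the file; syslog still has to be restarted and the result checked with the logger test from step 5.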

If the messages are redirected to a log file rather than thrown away, it may be necessary to set up log rotation for the log that is being created.  We will walk through a simple example:

  1. Create a file under /etc/logrotate.d/ (e.g. my_ddns)
  2. Populate the file with the following contents:

    /var/log/ddns_unsupported_rr.log
    {
            rotate 5
            notifempty
            compress
            dateext
            size=10M
            copytruncate
    }

    NOTE:  For more information about these settings, see the man page for logrotate (man logrotate).
  3. Save the file and make sure it is executable by root (e.g. chmod 500 my_ddns)

Additional Information

As another example, you can redirect dhcpd daemon messages from /var/log/messages to /var/log/dhcpd.log.  By default they are copied out of messages to dhcpd.log.

Comment out the following from the syslog-ng.conf:

filter f_dhcpd { facility(daemon) and match('^dhcpd:'); };
destination dhcpmessages { file(var/log/dhcpd.log); };
log { source(src); filter(f_dhcpd); destination(dhcpmessages);};



Add the following:

filter f_movedhcpd { facility(daemon) and match('^dhcpd:'); };
destination d_movedhcpd { file("/var/log/dhcpd.log");};
log { source(src); filter (f_movedhcpd); destination(d_movedhcpd);};



Edit the f_messages line to include our new filter (as mentioned above):

filter f_messages   { not facility(news, mail) and not filter(f_iptables) and not filter(f_movedhcpd); };


Restart the syslog service.  You cannot test this with the logger command, as we are filtering on daemon-specific messages.  Instead, monitor the messages file while the dhcp daemon is running; the dhcpd messages should stop appearing there and should all be redirected to /var/log/dhcpd.log.