Date: Wed, 3 Feb 1999 11:45:20 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: junkmale@xtra.co.nz
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: duplication of syslog output (report)
Message-ID: <199902031645.LAA04939@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <19990203071534.LPUK678125.mta2-rme@wocker> from Dan Langille at "Feb 3, 99 08:14:37 pm"

Dan Langille wrote,
> I'm using /etc/syslog.conf to direct my dhcp messages to
> /var/log/dhcp.log. That works. But the entries are being duplicated to
> /var/log/messages. I'm quite sure I need a facility/program specified on
> the /var/log/messages line of /etc/syslog.conf but I've not been able to
> get it right.
[snip]
> Here's my /etc/syslog.conf. I'm using 2.2.8-stable.

> *.*;mail.none;cron.none;kern.none;local0.none;ftp.none;auth.none;authpriv.none;ntp.none /var/log/messages

Wow, you are logging _everything_ somewhere, huh? Someone else may be
able to tell you how to modify this line to cut the DHCP messages, but
I have had some experience with filtering my syslog.

I wanted to do something similar for my mail log. I have ~50 users
using POP and they leave their computers on all day checking their
mail every minute or every five minutes. All of the connect/disconnect
messages that generates make it virtually impossible for a human to
look over the logs without first filtering them. Since I could not
care less about people successfully connecting from within our local
network, I filter those out from the start.

Just piping to sed and grep is problematic. Once started, syslog keeps
the pipe open. It causes problems when syslog rotates the logs and
buffering causes the logs not to necessarily be completely up to date.

I wrote a quick and dirty little C program that reads one line and
rejects it if it matches a regex. I then appended the output to the
mail log. The line in the syslog.conf is,

mail.info |/usr/local/bin/fltrmaillog 'Log (in|out) user=.* host=.*\[10.0.0]' >> /var/log/maillog

Here's the C code. HTH.

/*
** fltrmaillog - Filter Mail Log (CJC, 1/22/99)
**
** Usage: fltrmaillog regex
**
** Reads ONE LINE of the stdin, compares it to 'regex.'
** If the line matches, it is dropped. If it does not match
** it is returned as the stdout.
*/

#include <stdio.h>
#include <sys/types.h>
#include <regex.h>

#define MAX_LINE (8*1024)

int main(int argc, char *argv[])
{
    char line[MAX_LINE + 1];
    regex_t fltr_regex;

    if ( argc != 2 ) {
        fprintf(stderr,"%s: expects exactly 1 argument\n",argv[0]);
        return 1;
    }

    /* Extended regex; only match/no-match is needed, so no subexpressions. */
    if ( regcomp(&fltr_regex,argv[1],REG_EXTENDED | REG_NOSUB) ) {
        fprintf(stderr,"%s: error compiling regex: '%s'\n",argv[0],argv[1]);
        return 1;
    }

    /* On EOF or a read error there is no line to test; do not use 'line'. */
    if ( fgets(line,MAX_LINE,stdin) == NULL ) {
        regfree(&fltr_regex);
        return 0;
    }

    /* regexec() returns non-zero when the line does NOT match: pass it on. */
    if ( regexec(&fltr_regex,line,0,NULL,REG_NOTBOL | REG_NOTEOL) )
        fputs(line,stdout);

    regfree(&fltr_regex);
    return 0;
}

-- 
Crist J. Clark                           cjclark@home.com
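
Added example, not part of the original message: the filter above calls regexec() with REG_NOTBOL | REG_NOTEOL, so a drop pattern anchored with ^ never matches and every line is passed through to the log. The helper would_drop(), the patterns and the sample log lines below are constructed for illustration; the log format is an assumption.

```c
#include <regex.h>
#include <stdio.h>

/* The eflags the filter in the message passes to regexec(). */
#define PAGE_EFLAGS (REG_NOTBOL | REG_NOTEOL)

/*
 * Hypothetical helper: returns 1 if `line` would be dropped (the pattern
 * matches), 0 if it would be written to the log, -1 if the pattern does
 * not compile (the filter would then exit without writing the line).
 */
int would_drop(const char *pattern, const char *line, int eflags)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, line, 0, NULL, eflags);
    regfree(&re);
    return rc == 0;
}

/* Constructed sample lines, newline included as fgets() would leave it. */
static const char *internal_line =
    "Feb  3 11:40:01 mx pop3d[411]: Login user=alice host=pc7 [10.0.0.7]\n";
static const char *external_line =
    "Feb  3 11:40:09 mx pop3d[412]: Login user=bob host=gw [192.0.2.9]\n";

int main(void)
{
    /* Constructed patterns, not the one from the message. */
    const char *plain = "Log(in|out) user=.* host=.*\\[10\\.0\\.0\\.";
    const char *anchored = "^Feb .*Log(in|out) user=";

    printf("plain, internal host:      %d\n",
           would_drop(plain, internal_line, PAGE_EFLAGS));
    printf("plain, external host:      %d\n",
           would_drop(plain, external_line, PAGE_EFLAGS));
    /* With the filter's flags the ^ anchor cannot match: line is kept. */
    printf("anchored, filter's flags:  %d\n",
           would_drop(anchored, internal_line, PAGE_EFLAGS));
    printf("anchored, eflags 0:        %d\n",
           would_drop(anchored, internal_line, 0));
    /* An unbalanced bracket fails in regcomp(). */
    printf("unbalanced bracket:        %d\n",
           would_drop("host=[10", internal_line, PAGE_EFLAGS));
    return 0;
}
```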