Date: Mon, 22 Feb 1999 21:00:57 +1000
From: Greg Black <gjb@comkey.com.au>
To: Patrick Seal <patseal@hyperhost.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: syslog.conf
Message-ID: <19990222110057.15455.qmail@alpha.comkey.com.au>
In-Reply-To: <Pine.BSF.4.05.9902211554000.37743-100000@foobar.hyperhost.net> of Sun, 21 Feb 1999 16:11:23 EST
References: <Pine.BSF.4.05.9902211554000.37743-100000@foobar.hyperhost.net>

> I'm trying to restrict the messages that fill up my messages log file into
> a sudo log. This is what I have so far:
>
> *.notice;kern.debug;mail.crit /var/log/messages
>
> !sudo
> *.* /var/log/sudo
>
> But sudo stuff still goes into messages as well as sudo. How can I
> restrict sudo stuff from the messages file? I've tried sudo.none but that
> doesn't seem to help, and the man page isn't much help either.

The basic problem with syslog is that there are two basic problems with syslog:

  * It was spawned by the same mind that inflicted sendmail on us and so is cursed with an utterly bizarre set of rules.

  * It is so widely used that it's really difficult to see any way of getting rid of it.

In my own software, I use my own logging library which follows a model that I find much easier to configure and millions of times easier to explain to my users. However, since all the system stuff uses syslog and since it's not going to go away, we also have to understand how it works.

This is not the full story, because that's in the manuals (even though it's difficult to follow) and because I don't have time to write a five thousand word essay tonight. But the critical thing to really get into your head when understanding syslog is that the rules are additive -- creating some new rule to send some set of log messages to a new destination does not stop them from also going wherever they were already going. To stop them, you have to first figure out which rule is currently active and change that. Once you have accomplished that, then you can add your new rule.

Another problem is that the levels cannot be selected on their own -- if you want 'info' messages, you also have to have all the higher level messages as well. This is one of the most broken parts of the syslog mess.

One approach that works for lots of people is to throw away the system syslog.conf and to craft a new file from scratch, adding rules one by one with each rule going to its own file(s). When you're sick of the 'debug' messages from sendmail, you just remove its log file; but the file you have left in place to collect the more important messages will still do its job.

Of course, the danger with this approach is that, if you make a mess of it, you may deprive yourself of messages that actually mattered to you. So tread carefully if you go down that road. And use the logger(1) program to send test messages and ensure they end up where you expect to see them.

-- 
Greg Black <gjb@acm.org>
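
The additive behaviour described in the message, as an added example that is not part of the original post and is not syslogd's own code: a simplified Python model of how selectors and `!program` blocks are evaluated, run over the configuration quoted above. The sample messages are constructed, and the facility that sudo logs under (`auth`) is an assumption.

```python
# Simplified model of syslog.conf evaluation (added example, not syslogd itself).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def parse(conf):
    """Return a list of (program_filter, selectors, destination) rules."""
    rules, prog = [], None            # prog None: rule applies to every program
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):      # program block: affects following rules only
            name = line[1:].strip()
            prog = None if name == "*" else name
            continue
        selectors, dest = line.split(None, 1)
        rules.append((prog, selectors.split(";"), dest.strip()))
    return rules

def selected(selectors, facility, level):
    """The last selector naming the facility decides; 'none' excludes it."""
    hit = False
    for sel in selectors:
        fac, lvl = sel.rsplit(".", 1)
        if fac == "*" or facility in fac.split(","):
            # A level means that level and everything more severe.
            hit = lvl != "none" and (
                lvl == "*" or LEVELS.index(level) >= LEVELS.index(lvl))
    return hit

def destinations(rules, program, facility, level):
    """Every matching rule fires; there is no first-match-wins."""
    return [dest for prog, sels, dest in rules
            if prog in (None, program) and selected(sels, facility, level)]

# The configuration quoted in the message.
CONF = """
*.notice;kern.debug;mail.crit /var/log/messages

!sudo
*.* /var/log/sudo
"""
RULES = parse(CONF)

if __name__ == "__main__":
    # Constructed sample messages; sudo's facility ("auth") is an assumption.
    for msg in [("sudo", "auth", "notice"), ("sudo", "auth", "info"),
                ("sendmail", "mail", "notice"), ("kernel", "kern", "debug")]:
        print(msg, "->", destinations(RULES, *msg))
```

The sudo message at `notice` lands in both files because the first rule still matches it; the `!sudo` block only adds a destination.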