dj_farid l33t
Joined: 14 Jun 2004 Posts: 613
|
Posted: Sat Oct 16, 2004 5:30 pm Post subject: Cron message every 10 minutes in /var/log/message... |
|
|
Is it really necessary to have these in the log?
Quote: | Oct 16 18:50:00 gen2 CRON[8411]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Oct 16 19:00:00 gen2 CRON[8425]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Oct 16 19:00:00 gen2 CRON[8428]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
|
That's pretty much everything I have in my log. Is it really necessary to log all this cron activity? Just wondering. |
|
|
|
firephoto Veteran
Joined: 29 Oct 2003 Posts: 1612 Location: +48° 5' 23.40", -119° 48' 30.00"
|
Posted: Sat Oct 16, 2004 5:49 pm Post subject: |
|
|
Not sure if you're using syslog-ng but if you are you can put this at the end of your /etc/syslog-ng/syslog-ng.conf
Code: |
filter f_not_cron_test { not facility(cron) or not match("test"); };
log { source(src); filter(f_not_cron_test); destination(messages); };
log { source(src); filter(f_not_cron_test); destination(console_all); };
|
One/some of those lines might already be there, but you'll figure it out. |
|
|
|
dj_farid l33t
Joined: 14 Jun 2004 Posts: 613
|
Posted: Sat Oct 16, 2004 10:41 pm Post subject: |
|
|
Thanks! Yes it is syslog-ng that I have.
I added those lines. Now it's just to wait and see if those lines disappeared.
I thought that the way to do that right was to do something in cron, so that it is not reporting to syslog-ng. I wasn't thinking of just filtering the messages in syslog...
Oh there it is again. Do I have to restart syslog-ng after changing the conf-file? |
|
|
|
firephoto Veteran
Joined: 29 Oct 2003 Posts: 1612 Location: +48° 5' 23.40", -119° 48' 30.00"
|
Posted: Sat Oct 16, 2004 11:30 pm Post subject: |
|
|
I think you do have to restart it most likely.
I had the same problem when I switched loggers, I had a big log file full of cron tests. |
|
|
|
dj_farid l33t
Joined: 14 Jun 2004 Posts: 613
|
Posted: Sat Oct 16, 2004 11:39 pm Post subject: |
|
|
I restarted it but I still get those messages every 10 minutes...
This is my /etc/syslog-ng/syslog-ng.conf:
Quote: |
options {
long_hostnames(off);
sync(0);
stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };
# /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
filter f_not_cron_test { not facility(cron) or not match("test"); };
log { source(src); filter(f_not_cron_test); destination(messages); };
log { source(src); filter(f_not_cron_test); destination(console_all); };
|
Quote: |
Oct 17 01:26:42 gen2 syslog-ng[4947]: new configuration initialized
Oct 17 01:26:42 gen2 syslog-ng[4947]: Changing permissions on special file /dev/tty12
Oct 17 01:26:42 gen2 syslog-ng[4947]: Changing permissions on special file /dev/tty12
Oct 17 01:26:42 gen2 syslog-ng[4947]: new configuration initialized
Oct 17 01:26:41 gen2 syslog-ng[4947]: SIGHUP received, restarting syslog-ng
Oct 17 01:30:00 gen2 CRON[9445]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
|
As you can see the test line is still there after the restart... |
|
|
|
firephoto Veteran
Joined: 29 Oct 2003 Posts: 1612 Location: +48° 5' 23.40", -119° 48' 30.00"
|
Posted: Sat Oct 16, 2004 11:54 pm Post subject: |
|
|
dj_farid wrote: | I restarted it but I still get those messages every 10 minutes...
This is my /etc/syslog-ng/syslog-ng.conf:
Code: |
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
|
|
Lose those two lines and you should be good. |
|
|
|
dj_farid l33t
Joined: 14 Jun 2004 Posts: 613
|
Posted: Sun Oct 17, 2004 12:34 am Post subject: |
|
|
Great! Thanks! |
|
|
|
stdPikachu Apprentice
Joined: 10 Mar 2004 Posts: 254 Location: UK
|
Posted: Fri Jun 22, 2007 2:04 pm Post subject: |
|
|
I'm still trying to get my head around all of this.
I've already set up a filter to have my cron output redirected to /var/log/cron.log; how do I stop the useless test -x messages being logged along with it? Is it just a matter of creating a new destination (i.e. /dev/null) and setting up a filter that greps for cron test messages? I think my problem is that I see the syntax as back-asswards; "filter not facility cron" reads to me like it's filtering everything that isn't cron.
Code: |
prospero ~ # cat /etc/syslog-ng/syslog-ng.conf
# /etc/syslog-ng/syslog-ng.conf
# From the Gentoo Linux Security Guide
# http://www.gentoo.org/doc/en/gentoo-security.xml
# Creative Commons - Attribution / Share Alike License
# http://creativecommons.org/licenses/by-sa/2.0
options { long_hostnames(off); sync(0); stats(21600);};
#source where to read log
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
# Should be maillog (Without dot) as it was the default on logwatch
destination mail { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
destination ldap { file("/var/log/ldap/slapd.log"); };
#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
filter f_ldap { program("slapd"); };
# Filter for stupid cron output
filter f_cron_notest { not facility(cron) or not match("test"); };
#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_ldap); destination(ldap); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#default log
log { source(src); destination(console_all); }; |
|
|
|
|
timeBandit Bodhisattva
Joined: 31 Dec 2004 Posts: 2719 Location: here, there or in transit
|
Posted: Fri Jun 22, 2007 2:19 pm Post subject: |
|
|
stdPikachu wrote: | I think my problem is that I see the syntax as back-asswards; "filter not facility cron" reads to me like it's filtering everything that isn't cron. |
That's exactly what it's doing.
You just need to reverse your sense of "filter" in this context: filter in, not filter out. The filters in syslog-ng define messages you want to accept, not ones you want to reject. So "not facility cron" accepts every message except those from the cron facility.
_________________ Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others. |
|
|
|
stdPikachu Apprentice
Joined: 10 Mar 2004 Posts: 254 Location: UK
|
Posted: Tue Jul 03, 2007 1:02 pm Post subject: |
|
|
Doesn't that mean that if I leave these filter entries out entirely I will, by default, not log these bloody annoying cron messages? Obviously that doesn't work, but I'm failing to see how to refuse these messages with my syslog-ng setup.
I'm just about to try a "destination null { file("/dev/null"); };" to see if that'll make any difference. In the meantime, is there any reason that this cron job can't be deleted entirely from /etc/crontab? As far as I can tell all it's doing is checking that run-crons is executable; won't this always be the case? |
|
|
|
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
|
Posted: Tue Jul 03, 2007 7:55 pm Post subject: |
|
|
stdPikachu wrote: | Doesn't that mean that if I leave these filter entries out entirely I will, by default, not log these bloody annoying cron messages? Obviously that doesn't work, but I'm failing to see how to refuse these messages with my syslog-ng setup. |
As long as you do not use a filter statement in your log lines, think of an implicit filter like 'match everything'.
For everything else it works like
Example1: Starting with the easy one
Code: |
destination test { file("/var/log/testlog"); };
filter f_test { match("foo") or match("bar"); };
log { source(src); filter(f_test); destination(test); };
|
logger foo - will be logged
logger bar - will be logged
logger foo bar - will be logged
pretty easy and obvious, isn't it? Ok then, let's go on
Example2: the filter line is changed to
Code: |
filter f_test { match("foo") or not match("bar"); };
|
logger foo - will be logged
logger bar - will _not_ be logged
logger foo bar - will be logged
Expected that? Ok, another one
Example3: the filter is again changed, now to read as
Code: |
filter f_test { not match("foo") or not match("bar"); };
|
logger foo - will be logged
logger bar - will be logged
logger foo bar - will _not_ be logged
In your case what you want is
a) all messages with facility cron in the file /var/log/cron.log
b) _not_ log messages with facility cron _and_ matching the filter 'test', all others should still be logged
would give a setup like
Code: |
destination test { file("/var/log/testlog"); };
filter f_test { match("foo"); };
filter f_test2 { not match("bar"); };
log { source(src); filter(f_test); filter(f_test2); destination(test); };
|
logger foo - will be logged
logger bar - will _not_ be logged
logger foo bar - will _not_ be logged
logger foo something - will be logged
_________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself |
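
The routing behaviour worked out in this thread (each log path is evaluated on its own, a path without a filter accepts everything, and several filters in one log path are ANDed), modelled in Python as an added example; it is not code from any poster or from syslog-ng. Assumptions: match() is simplified to a regex search over the message text, the sample messages are constructed, and the narrower `f_not_run_crons_check` filter is a hypothetical name introduced here.

```python
import re
from collections import namedtuple

Msg = namedtuple("Msg", "facility text")

# Filter primitives: each returns a predicate that is True when a message is ACCEPTED.
def facility(*names): return lambda m: m.facility in names
def match(pattern):   return lambda m: re.search(pattern, m.text) is not None
def not_(f):          return lambda m: not f(m)
def or_(*fs):         return lambda m: any(f(m) for f in fs)

def route(msg, log_paths):
    """Destinations msg reaches in this model. Every log path is checked
    independently; filters within one path are ANDed; no filter accepts all."""
    return [dest for filters, dest in log_paths if all(f(msg) for f in filters)]

# Filters as posted in the thread
f_cron = facility("cron")
f_not_cron_test = or_(not_(facility("cron")), not_(match("test")))
# Assumption (hypothetical filter): only suppress the run-crons check itself
f_not_run_crons_check = or_(not_(facility("cron")),
                            not_(match(r"test -x /usr/sbin/run-crons")))

# First config in the thread: the two unfiltered log paths are still present
BEFORE = [([], "messages"), ([], "console_all"),
          ([f_not_cron_test], "messages"), ([f_not_cron_test], "console_all")]
# After removing the two unfiltered log paths
AFTER = [([f_not_cron_test], "messages"), ([f_not_cron_test], "console_all")]
# Two filters in one log path: cron facility AND not the test lines
CRON_LOG = [([f_cron, f_not_cron_test], "cron")]
# Same layout as AFTER, with the narrower (assumed) filter
NARROW = [([f_not_run_crons_check], "messages")]

# Constructed sample messages
check = Msg("cron", "(root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )")
hourly = Msg("cron", "(root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)")
selftest = Msg("cron", "(root) CMD (/usr/local/bin/selftest.sh)")  # unrelated job
other = Msg("daemon", "ntpd: self test ok")                        # not cron

if __name__ == "__main__":
    for name, m in [("check", check), ("hourly", hourly),
                    ("selftest", selftest), ("other", other)]:
        print(name, route(m, BEFORE), route(m, AFTER),
              route(m, CRON_LOG), route(m, NARROW))
```

In this model the broad match("test") also drops the unrelated selftest.sh cron entry from messages, while matching the full run-crons command keeps it.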
|
|
|
|