I have problems filtering some messages with rsyslogd.

Hi,

Every time a cronjob executes:


Telcontar:/etc # cat /etc/cron.d/mine
SHELL=/bin/bash
MAILTO="cer"

-3,8,13,18,23,28,33,38,43,48,53,58 * * * * news /var/lib/news/bin/cronscriptparafetchnews
-5,15,25,25,35,45,55 * * * * news /var/lib/news/bin/cronscriptparaenviarnewspendientes
-0,30 * * * * cer /home/cer/bin/dar_la_hora_en_cron hora

which have the “-” symbol in front to avoid logging.
But I get entries like these in /var/log/messages:


<1.6> 2014-10-03 15:46:12 Telcontar mtp-probe - - -  checking bus 1, device 7: "/sys/devices/pci0000:00/0000:00:1a.7/usb1/1-6"
<1.6> 2014-10-03 15:46:12 Telcontar mtp-probe - - -  bus: 1, device: 7 was an MTP device
<3.6> 2014-10-03 15:48:01 Telcontar systemd 1 - -  Starting Session 550 of user news.
<3.6> 2014-10-03 15:53:01 Telcontar systemd 1 - -  Starting Session 551 of user news.
....
<1.6> 2014-10-03 15:54:38 Telcontar mtp-probe - - -  bus: 1, device: 8 was an MTP device
<3.6> 2014-10-03 15:55:01 Telcontar systemd 1 - -  Starting Session 552 of user news.
<3.6> 2014-10-03 15:58:01 Telcontar systemd 1 - -  Starting Session 553 of user news.
<3.6> 2014-10-03 16:00:01 Telcontar systemd 1 - -  Starting Session 554 of user cer.
<3.6> 2014-10-03 16:00:01 Telcontar systemd 1 - -  Starting Session 556 of user cer.
<3.6> 2014-10-03 16:00:01 Telcontar systemd 1 - -  Starting Session 555 of user root.
<1.6> 2014-10-03 16:00:01 Telcontar run-crons 20264 - -  suse.de-snapper: OK

So I say, filter them out in “/etc/rsyslog.conf”:



*.*;mail.crit;news.crit      -/var/log/allmessages;RSYSLOG_SyslogProtocol23Format #RSYSLOG_FileFormat

....

if      ($msg contains 'Started Session' and $msg contains 'of user')
then    -/var/log/purged.log
&       stop

if       ($programname startswith 'org.gtk.' and $msg contains '### debug:')
then    -/var/log/purged.log
&       stop

....

*.*;mail.none;news.none      -/var/log/messages


So, I get the expected entries in “/var/log/purged.log”:


<1.6> 2014-10-03 15:46:12 Telcontar org.gtk.Private.MTPVolumeMonitor 5522 - -  ### debug: emit_signal: 0x6ab630
<3.6> 2014-10-03 15:48:01 Telcontar systemd 1 - -  Started Session 550 of user news.
<3.6> 2014-10-03 15:53:01 Telcontar systemd 1 - -  Started Session 551 of user news.
<1.6> 2014-10-03 15:54:31 Telcontar org.gtk.Private.MTPVolumeMonitor 5522 - -  ### debug: emit_signal: 0x6ab630
<1.6> 2014-10-03 15:54:38 Telcontar org.gtk.Private.MTPVolumeMonitor 5522 - -  ### debug: emit_signal: 0x7f5f440035e0
<3.6> 2014-10-03 15:55:01 Telcontar systemd 1 - -  Started Session 552 of user news.
<3.6> 2014-10-03 15:58:01 Telcontar systemd 1 - -  Started Session 553 of user news.
<3.6> 2014-10-03 16:00:01 Telcontar systemd 1 - -  Started Session 554 of user cer.
<3.6> 2014-10-03 16:00:01 Telcontar systemd 1 - -  Started Session 556 of user cer.
<3.6> 2014-10-03 16:00:01 Telcontar systemd 1 - -  Started Session 555 of user root.

But, as you see (on the “/var/log/messages” higher up on this post), the “systemd” lines do not disappear from the log, whereas the “org.gtk.” do.
The “& stop” line is ignored in one of the cases.

Why?
Why are systemd entries exempt from complying with my rules?


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
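
Added example, not part of the original post: a small Python model of the two posted filter rules, replayed over log lines copied from the post, reporting which file each line lands in. It assumes rsyslog's `contains` and `startswith` are case-sensitive string comparisons and ignores the facility selectors, since none of the sample lines is mail or news; `route` and `WIDENED` are hypothetical names, and `WIDENED` is one possible extra rule, not the poster's configuration.

```python
import re

# Lines copied from the post (format as shown there).
SAMPLE = [
    "<3.6> 2014-10-03 15:48:01 Telcontar systemd 1 - -  Starting Session 550 of user news.",
    "<3.6> 2014-10-03 15:48:01 Telcontar systemd 1 - -  Started Session 550 of user news.",
    "<1.6> 2014-10-03 15:46:12 Telcontar org.gtk.Private.MTPVolumeMonitor 5522 - -  ### debug: emit_signal: 0x6ab630",
    "<1.6> 2014-10-03 15:46:12 Telcontar mtp-probe - - -  bus: 1, device: 7 was an MTP device",
    "<1.6> 2014-10-03 16:00:01 Telcontar run-crons 20264 - -  suse.de-snapper: OK",
]

# Fields: pri, date, time, host, app-name, procid, msgid, structured-data, msg
LINE_RE = re.compile(
    r"^<(?P<pri>[^>]+)> (?P<date>\S+) (?P<time>\S+) (?P<host>\S+) "
    r"(?P<prog>\S+) (?P<pid>\S+) \S+ \S+ (?P<msg>.*)$"
)

# The two conditions from the posted rsyslog.conf, in order.
RULES = [
    lambda prog, msg: "Started Session" in msg and "of user" in msg,
    lambda prog, msg: prog.startswith("org.gtk.") and "### debug:" in msg,
]

# Hypothetical additional rule (assumption): also match the "Starting" wording.
WIDENED = RULES + [
    lambda prog, msg: "Starting Session" in msg and "of user" in msg,
]


def route(line, rules=RULES):
    """Return the file a line ends up in after the filter block."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed line: {line!r}")
    for cond in rules:
        if cond(m["prog"], m["msg"]):
            return "/var/log/purged.log"  # action runs, then "& stop" discards
    return "/var/log/messages"  # no rule matched, line falls through


if __name__ == "__main__":
    for line in SAMPLE:
        print(route(line), "|", route(line, WIDENED), "|", line[35:])
```

The first two sample lines share a timestamp and session number but differ in wording ("Starting Session" versus "Started Session"), and only the second satisfies the first posted condition.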