I want to stop rsyslog logging these messages.
[168707.740364] TCP: Peer 192.168.100.1:46199/41503 unexpectedly shrunk window 2027330493:2027331431 (repaired)
I tried this in the /etc/rsyslog.conf but the messages are still logged.
if $msg contains 'unexpectedly' then /dev/null
Can anyone point me in the right direction?
If you use a recent version of rsyslog (7 for example), you need to do
& stop
after your message. Failing to do so will give you
warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
rsyslog needs a statement to stop logging after the match. Add this line immediately after the if statement you already have.
& ~
You may also need to move both statement up in the conf file so that they are parsed before some of the other statements which might be logging them to messages. I change my rsyslog config to look like the following
/etc/rsyslog.conf ($IncludeConfig /etc/rsyslog.d/*.conf)
/etc/rsyslog.d/40-specificdaemon.conf
/etc/rsyslog.d/99-general.conf
This ensures the order I want and makes it easy for config management to push out updates.
These 2 commands seems to be working for me to stop logging lines containing "unexpectedly shrunk":
echo ":msg, contains, \"unexpectedly shrunk\" stop"|sudo tee -a /etc/rsyslog.d/123-custom.conf
sudo systemctl restart rsyslog.service && systemctl status rsyslog.service
That .conf file then contains:
:msg, contains, "unexpectedly shrunk" stop
and you can add same text on second line while using another string which you do not want to be logged. Journalctl continue to show that lines, but log files no longer contain it.
The command is "$stop", not "$ stop". There's a huge difference there.
