
I have CentOS 6 servers running OpenLDAP. In the rsyslog.conf, I forward the logs to my central server with this line:

*.*    @10.10.10.10:514

OpenLDAP seems incredibly chatty. I have 3 servers in a multi-master cluster. Those 3 servers generate twice as many logs as my other 80 servers combined.

I have been unsuccessful in figuring out how to tell OpenLDAP to use a sensible log level. (We never specifically set the log level.) Since these are my main authentication sources, I'm a bit hesitant to "play around" with them. Is there a way to tell rsyslog to forward everything EXCEPT LOCAL4?

Brian
  • If I recall correctly, yes, something like local4.* -/dev/null before the forwarding rule should do the trick and discard local4 before sending it to the central server. But I'm not sure about the syntax, and it might depend on the rsyslog version; let us know –  Oct 30 '13 at 14:35
  • I have tried that, but it doesn't seem to help (without local4 defined, I don't think the syslog info goes anywhere on the host system anyway). The *.* seems to tell rsyslog to send a COPY of everything to the remote server. Perhaps I need to specifically list out all the other options, and just not include local4 – Brian Oct 30 '13 at 16:50

1 Answer


I discovered the solution. OpenLDAP uses the syslog facility LOCAL4 by default, and on my CentOS 6 servers, that is not defined.

However, I have the

*.*      @10.10.10.10:514

which includes local4, which was not defined elsewhere.

In order to specifically exclude it (I noticed this on the line that deals with /var/log/messages), I can just do this:

*.*;local4.none         @10.10.10.10:514

I could also combine this with others, like:

*.*;local4.none;mail.debug;local7.error           @10.10.10.10:514

In the above, it appears from my testing that it forwards everything, except local4, or anything "below" debug on mail, or error on local7.

This appears to keep my logstash data much, much clearer.

Brian
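One way to confirm on the central server that the `local4.none` selector took effect, as an added example that is not part of the original answer: every forwarded syslog datagram starts with `<PRI>`, where PRI = facility × 8 + severity and local4 is facility 20, so decoding it shows which hosts still send local4. The source addresses, host names and log lines below are constructed sample data.

```python
import re
from collections import Counter

# Facility and severity names in RFC 3164/5424 numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(message):
    """Return (facility, severity) from the <PRI> header, or None if absent/invalid."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def tally(datagrams):
    """Count messages per (source, facility); datagrams are (source_ip, payload)."""
    counts = Counter()
    for src, payload in datagrams:
        decoded = decode_pri(payload)
        counts[(src, decoded[0] if decoded else "unparsed")] += 1
    return counts

def leaking_sources(datagrams, facility="local4"):
    """Sources that still forward the facility that should have been excluded."""
    return sorted({src for (src, fac) in tally(datagrams) if fac == facility})

# Constructed sample: ldap1 still uses "*.*", ldap2 uses "*.*;local4.none".
SAMPLE = [
    ("10.10.10.21", '<166>Oct 30 14:35:01 ldap1 slapd[2101]: conn=1001 op=0 BIND dn="" method=128'),
    ("10.10.10.21", "<167>Oct 30 14:35:01 ldap1 slapd[2101]: conn=1001 op=0 RESULT tag=97 err=0"),
    ("10.10.10.21", "<86>Oct 30 14:35:02 ldap1 sshd[3310]: Accepted publickey for admin"),
    ("10.10.10.22", "<86>Oct 30 14:35:03 ldap2 sshd[2920]: Accepted publickey for admin"),
    ("10.10.10.22", "<29>Oct 30 14:35:04 ldap2 ntpd[1180]: synchronized to 10.10.10.1"),
]

if __name__ == "__main__":
    for (src, fac), n in sorted(tally(SAMPLE).items()):
        print(f"{src:<12} {fac:<9} {n}")
    print("still forwarding local4:", leaking_sources(SAMPLE))
```
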