0

I have a litte problem. I dont know ho to filter cron jobs in syslog-ng. It's spamming my log. 

Jun 05 16:09:01  CRON:  pam_unix(cron:session): session opened for user root by (uid=0) 
Jun 05 16:09:01  /USR/SBIN/CRON:  (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)) 
Jun 05 16:09:01  CRON:  pam_unix(cron:session): session closed for user root

I tried to use filter but it didn't work.

  filter test { match("[ -x /usr/lib/php5/maxlifetime ]"); };
  log { source(src); filter(test); destination{d_null}; flags(final); };
Sven
  • 98,649
  • 14
  • 180
  • 226
Jakub Doležal
  • 21
  • 3
  • Why is this a problem? If your log files get too big, adapt your `logrotate` settings. – Sven Jun 05 '15 at 16:59
  • I don't need this message every hour in my log. They have log size limitation on pappertrail. – Jakub Doležal Jun 05 '15 at 17:04
  • @JakubDoležal or you could configure `syslog` to drop these messages. Add `*.*;auth,authpriv,cron.none -/var/log/syslog` to `syslog.conf`, restart `syslogd`. – 7y7 Jun 05 '15 at 20:18

1 Answers1

0

You're misunderstanding how filters are applied. While this filter and log line does exactly what you're asking them to, they don't affect the other log commands that you have elsewhere in your config.

Instead of directing this filter to /dev/null, you should use it to exclude messages matching the filter in the filter statement for the regular cron log. Since you don't include your full syslog config, I can't be sure that the line below will match perfectly, but here's an example on how to select all cron lines except the ones matching your filter:

filter f_cron { facility(cron) and not filter(test); };
Jenny D
  • 27,780
  • 21
  • 75
  • 114