
I have rsyslog installed and I am listening to a log stream from a device.

The problem I'm having is that before I start saving the device's own log lines, some lines are generated that correspond to rsyslog itself.

Can someone tell me how to avoid storing these rsyslog log lines, please?

```
2017-10-24T10:06:34.154576+02:00 server01 systemd: Stopping System Logging Service...
2017-10-24T10:06:34.162868+02:00 server01 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0" x-pid="20241" x-info="http://www.rsyslog.com"] exiting on signal 15.
2017-10-24T10:06:34.220188+02:00 server01 systemd: Stopped System Logging Service.
2017-10-24T10:07:25.999915+02:00 server01 systemd: Starting System Logging Service...
```

Currently, in the configuration file, I have tried this, but it still stores the rsyslog lines that I'm not interested in.

```
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
*.info;mail.none;auth.none;authpriv.none;cron.none;local0.none;kern.none     action(type="omfile" file="/var/log/mylogs")
```
HBruijn
xav

1 Answer

You need the discard operator (~) for rsyslog. For example, the following is a way to discard this message:

```
:msg,contains,"Stopping System Logging" ~
```

Also, you need to check the order in which these rules are evaluated. I would suggest creating a separate file like /etc/rsyslog.d/01-discard.conf and then putting the discard statement there. Basically, you need to make sure the discard gets evaluated before everything else.

Tux_DEV_NULL
  • I have seen that with these two lines of the module section commented out, `#$ModLoad imuxsock` `#$ModLoad imjournal`, only the logs sent by the device are saved, which is perfect. But after a while of receiving, it stops receiving. – xav Oct 24 '17 at 13:59
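
An added example, not part of the original question, answer or comment: it goes beyond the answer's discard filter and binds the TCP listener to its own ruleset, so `/var/log/mylogs` receives only the device stream while the local `systemd` and `rsyslogd` stop/start messages stay in the host's normal logs, where they remain a record of when logging was interrupted, and `imuxsock`/`imjournal` can stay loaded. The file name `01-device.conf` and the ruleset name `device` are assumptions; the port, selector and output file are taken from the question.

```conf
# /etc/rsyslog.d/01-device.conf   (file name is an assumption)
#
# Before using this file, remove from the main rsyslog.conf:
#   $ModLoad imtcp
#   $InputTCPServerRun 514
#   the "*.info;...;kern.none action(... /var/log/mylogs)" line
# Otherwise imtcp is loaded twice and local messages still reach
# /var/log/mylogs through the default ruleset.

# Load the TCP syslog input module.
module(load="imtcp")

# A ruleset only processes messages from inputs that are bound to it.
# Messages from imuxsock/imjournal (systemd, rsyslogd itself) never enter it.
ruleset(name="device") {
    # Same priority selector as in the question, now applied to the
    # device stream only.
    if prifilt("*.info;mail.none;auth.none;authpriv.none;cron.none;local0.none;kern.none") then {
        action(type="omfile" file="/var/log/mylogs")
    }
}

# Listen on TCP 514 and hand everything received to the "device" ruleset.
# Messages bound to this ruleset are no longer processed by the default
# ruleset, so they do not also land in the host's own log files.
input(type="imtcp" port="514" ruleset="device")
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the service is restarted.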