Daniel Campbell posted on Thu, 26 Dec 2013 22:02:31 -0600 as excerpted:

> On 12/25/2013 08:43 AM, Duncan wrote:
>>
>> I [replaced vixie-cron with cronie] too, a few days ago.
>>
>> TL;DR: Drop-in but for the log-spamming. =:^(
>>
>> While cronie itself was simple and drop-in for vixie-cron, it DID start
>> rather severely log-spamming, IIRC four log-lines every 10 minutes when
>> the run-crons ran.

> Could you share the lines that provided the filtering? I'm sure it would
> help others. Your e-mail led me to check my logs to see if I have the
> same, but I don't know where to look.

I think I mentioned that I'm using syslog-ng here. ~arch, so version
3.4.6. Stable 3.4.2 should be similar but it may not be identical.

I had started to post a big long explanation, but then decided simply
posting my entire syslog-ng.conf file with a shorter explanation would be
better. There's nothing really private in it.

The way I handle filters is to set up the original message-selecting
filters first, then combine them with AND NOT as appropriate in a second-
level message-rejecting filter. I have two sets of filters, thus two
second level filters into which the others feed, the spam filters and the
category filters.

The category filters are set up to select a particular category of
messages; for instance, all messages from cron. The category selecting
filter is then used in a log section, to route the selected messages to a
particular file. The second level rejecting filter is in turn used to
filter out all the categorized messages from the log stream going to the
generic messages file, so it doesn't get the categorized messages and is
thus less noisy, making it easier to process what /does/ come thru.

The spam filters are set up similarly, with individual selection filters
and a single second level rejection filter, except I don't want to log
those messages at all, so the only thing the selection filters are used
for is to feed into the rejection filter. Still, that seemed the simplest
and most logical way to handle it, to me.

Set up that way, the log sections stay short and simple, not the hairball
of individual selection and rejection filters they could become otherwise.

OK, the file is included inline after my sig, below... (Since I
use pan for my lists via nntp://news.gmane.org, and pan normally yencodes
attachments for USENET posting while most mail clients don't handle yenc,
I won't try attaching the file that way as it'd come thru as gibberish to
most. I could inline UUE it, but as it's text anyway, I'll post it inline
with auto-wrapping off and hope it doesn't get mangled.)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman


@version: 3.4
@include "scl.conf"
# /etc/syslog-ng/syslog-ng.conf
# JED: don't etc-update replace!

#################################################################################
######### Options: syslog-ng general options #########
#################################################################################

options {
    threaded(yes);
    stats_freq (43200);
    mark_freq (3600);
};


#################################################################################
######### Sources: where messages come from #########
#################################################################################

source src {
    system();
    internal();
};

#################################################################################
######### Destinations: where messages go #########
#################################################################################

# NOTE: Default destination output format template
# (admin guide section 11.1.2, templates and macros)

#template default {
# (template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n");
# template_escape(no);
#};

# ${MSGHDR} further defines to "PROGRAM[PID]: " (note trailing space),
# with a kernel MSGHDR obviously lacking [PID], so...

# final format is: ISODATE HOST PROGRAM[PID] MSG(=content)

###################################################

# global destinations

destination messages {
    file ("/var/log/messages");
};

destination log-tty {
    file ("/dev/tty12");
};

# for programs like xconsole using /dev/console...
#destination dev-console {
# file ("/dev/console");
#};

###################################################

# categorized destinations

destination IPTables {
    file ("/var/log/iptables"); };

destination dhcpcd {
    file ("/var/log/dhcpcd");
};

destination cron {
    file ("/var/log/cron");
};

destination portage {
    file ("/var/log/portage-msg");
};

#################################################################################
######### Filters: which messages #########
#################################################################################

# log-spam pre-filters, combined in spam-global, below

# sudo has its own, better log, but pam_unix spams it to syslog too
filter spam-sudo {
    program ("sudo")
;};

# 2013.1217 kernel type=1006 (AUDIT_LOGIN) auditing enabled and logging
# on cron's 10-minute run-crons.
# kernel: type=1006 audit(1387288201.202:209): pid=5760 uid=0 old auid=501
# new auid=0 old ses=2 new ses=208 res=1
filter spam-audit {
    program ("kernel")
    and message ("type=1006 audit")
;};

#####################

# Combine all the log-spam filters into one

filter spam-global {
    not filter (spam-audit)
    and not filter (spam-sudo)
;};

###################################################

# Category filters

filter cat-IPTables {
    message ("IPTables:")
;};

filter cat-dhcpcd {
    program ("dhcpcd")
;};

filter cat-cron {
    program ("crond?" flags("ignore-case"))
;};

filter cat-portage {
    message (" portage")
;};

#####################

# /not/ the cat-filters above

filter cat-not {
    not filter (cat-IPTables)
    and not filter (cat-dhcpcd)
    and not filter (cat-cron)
    and not filter (cat-portage)
;};

#################################################################################
######### Logs: connect sources, filters, destinations #########
#################################################################################

# general case, minus the categorized, below

log {
    source (src);
    filter (spam-global);
    filter (cat-not);
    destination (messages);
};

log {
    source (src);
    filter (spam-global);
    filter (cat-not);
    destination (log-tty);
};

###################################################

# These categorize

log {
    source (src);
    filter (cat-IPTables);
    destination (IPTables);
};

log {
    source (src);
    filter (cat-cron);
    destination (cron);
};

log {
    source (src);
    filter (cat-dhcpcd);
    destination (dhcpcd);
};

log {
    source (src);
    filter (cat-portage);
    destination (portage);
};
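
A small model of the routing in the config above, as an added example that is not part of the original post: it shows which destinations a message reaches and which messages are logged nowhere, which is worth checking before deploying drop filters. It assumes program() and message() behave as unanchored regex searches; the sample lines are constructed, except the audit record, which is the one quoted in the config comment.

```python
import re

# Selection filters from the posted config as (program regex, message regex, flags).
# Assumption: both filter functions are unanchored regex searches.
SPAM = {
    "spam-sudo": ("sudo", None, 0),
    "spam-audit": ("kernel", "type=1006 audit", 0),
}
CATEGORY = {  # each key is also the destination name used in the config
    "IPTables": (None, "IPTables:", 0),
    "dhcpcd": ("dhcpcd", None, 0),
    "cron": ("crond?", None, re.IGNORECASE),
    "portage": (None, " portage", 0),
}

def matches(rule, program, message):
    prog_rx, msg_rx, flags = rule
    ok_prog = prog_rx is None or re.search(prog_rx, program, flags) is not None
    ok_msg = msg_rx is None or re.search(msg_rx, message, flags) is not None
    return ok_prog and ok_msg

def route(program, message):
    """Destinations one message reaches; an empty list means it is logged nowhere."""
    dests = [name for name, rule in CATEGORY.items() if matches(rule, program, message)]
    is_spam = any(matches(rule, program, message) for rule in SPAM.values())
    # General log paths apply spam-global AND cat-not;
    # category paths apply only their own selection filter.
    if not dests and not is_spam:
        dests = ["messages", "log-tty"]
    return dests

def dropped(lines):
    """Return the (program, message) pairs that no log path keeps."""
    return [line for line in lines if not route(*line)]

SAMPLE = [  # constructed lines; the audit record is the one in the config comment
    ("kernel", "type=1006 audit(1387288201.202:209): pid=5760 uid=0 old auid=501 "
               "new auid=0 old ses=2 new ses=208 res=1"),
    ("sudo", "pam_unix(sudo:session): session opened for user root by (uid=0)"),
    ("crond", "(root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)"),
    ("anacron", "Job `cron.daily' started"),  # caught by the unanchored "crond?"
    ("sshd", "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2"),
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(route(*line) or "DROPPED", line[0], line[1][:40])
```

An empty result for a line you expected to keep means a selection filter is broader than intended.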