rsyslog .conf new lines has no effect on journalctl output


#1 Post by postcd »

Hello,

On Debian 11 with 5.10.0-19-amd64, the output of $ rsyslogd -v is:

Code:

rsyslogd  8.2102.0 (aka 2021.02) compiled with:
        PLATFORM:                               x86_64-pc-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        systemd support:                        Yes
        Config file:                            /etc/rsyslog.conf
        PID file:                               /run/rsyslogd.pid

I have tried to prepend and append lines:

Code:

*.* stop
:syslogtag, isequal, "Tor" stop
:programname, isequal, "Tor" stop

to /etc/rsyslog.conf and to /etc/rsyslog.d/123-custom.conf

sudo systemctl restart rsyslog.service && systemctl status rsyslog.service;date

but it never stops showing Tor log lines in the output of "sudo journalctl --since=today|grep tor|grep -v deprecated|tail"

So how do I make it not record tor log lines and those containing "bad phrase"?

Code:

:msg, contains, "bad phrase" stop
:rawmsg, contains, "bad phrase" ~

No luck.

$ sudo grep -v "#" /etc/rsyslog.conf|grep .

Code:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
*.=debug;\
        auth,authpriv.none;\
        mail.none               -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail.none               -/var/log/messages
*.emerg                         :omusrmsg:*
*.* stop
:syslogtag, isequal, "Tor" stop
:programname, isequal, "Tor" stop

Thank you


#2 Post by CwF »

Actually, rsyslog.deb is on my list of packages to purge. I have not tested the result, but it is independent of journalctl as far as I know.


#3 Post by postcd »

I think that I may have been confused by the following (it is just a theory):

Possibly rsyslogd, configured as mentioned, really does affect log files like the syslog file, BUT it maybe does not affect "sudo journalctl" output, as that may be a separate thing that possibly cannot be influenced by rsyslog or any other default tool available for Deb. stable.
I was checking journalctl, not the log files themselves. I see that I am unable to find any /var/log file containing my filtered-out messages, but journalctl contains them. Maybe journalctl is not based on log files then.
The question would then be whether I can prevent logging it to journalctl without the need to bother filtering it out from its output.


#4 Post by reinob »

@postcd,

The actual log device (/dev/log) is controlled/owned by journald, which in turn can (if so configured, but this is the default) forward events to rsyslogd. The journal will have everything*, while for syslog you will have what you have configured, etc.

[*] note that systemd-journald can miss events due to rate limiting, so depending on your needs, you may have to adjust that.
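
The split described in post #4 can be checked directly by sending one tagged test message and looking for it in both places. The script below is an added example, not part of any post in this thread; it assumes util-linux `logger`, `journalctl`, and the `/var/log/syslog` target from the posted config, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: util-linux logger, systemd
# journalctl, and rsyslog writing to /var/log/syslog as in the posted config.
TAG="${TAG:-Tor}"                         # tag the thread's rules match on
SYSLOG_FILE="${SYSLOG_FILE:-/var/log/syslog}"

# 0 if the marker is in the journal under this tag (run as root to see all entries)
in_journal() {
    journalctl -t "$1" --since=-2min -o cat --no-pager 2>/dev/null | grep -Fq -- "$2"
}

# 0 if the marker reached the file that rsyslog writes
in_file() {
    grep -Fq -- "$2" "$1" 2>/dev/null
}

# Map the two lookups (yes/no each) to what they say about the pipeline
verdict() {
    case "$1/$2" in
        yes/no)  echo "journald stored it; rsyslog discarded it before the file" ;;
        yes/yes) echo "journald stored it; no rsyslog rule discarded it" ;;
        no/yes)  echo "only the file has it; journal lookup failed or entry was not stored" ;;
        *)       echo "neither sink has it; check permissions and journald rate limiting" ;;
    esac
}

check() {
    marker="filter-test-$$-$(date +%s)"   # constructed marker, unique per run
    logger -t "$TAG" "$marker"            # written to /dev/log, so journald sees it first
    sleep 2                               # give journald time to forward to rsyslog
    j=no; f=no
    in_journal "$TAG" "$marker" && j=yes
    in_file "$SYSLOG_FILE" "$marker" && f=yes
    echo "journal=$j file=$f: $(verdict "$j" "$f")"
}

# Run the live check only when asked: sudo sh check.sh run
if [ "${1:-}" = "run" ]; then check; fi
```

With a discard rule such as `:programname, isequal, "Tor" stop` active in /etc/rsyslog.d/, the expected result is `journal=yes file=no`, which matches what post #3 observed.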
