Write out bind/named log messages to a different file using rsyslog

bindrsyslog

Right now, the contents of /etc/rsyslog.conf which control disposition of the named log messages looks like:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;;kern.none     /var/log/messages

Putting the following in front of that section correctly writes out the "named" messages to /var/log/named/named.log.

# Write named/bind messages to their own log file
:programname, isequal, "named"                          /var/log/named/named.log

The problem is that those "named" messages are still being written out to the /var/log/messages file. How would I modify the line that generates /var/log/messages to not write out "named" messages?

Note: This is rsyslog v5 as ships with RHEL/CentOS 6.

Addendum: The accepted answer from below is

# Write named/bind messages to their own log file, then discard (tilde)
:programname, isequal, "named"                          /var/log/named/named.log
:programname, isequal, "named"                          ~

Best Answer

Using negation can be useful if you would like to do some generic processing but exclude some specific events. You can use the discard action in conjunction with that. A sample would be:

. /var/log/allmsgs-including-informational.log

:msg, contains, "informational" ~

. /var/log/allmsgs-but-informational.log

Do not overlook the red tilde in line 2! In this sample, all messages are written to the file allmsgs-including-informational.log. Then, all messages containing the string "informational" are discarded. That means the config file lines below the "discard line" (number 2 in our sample) will not be applied to this message. Then, all remaining lines will also be written to the file allmsgs-but-informational.log.

http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Related Solutions

RSyslog – Fixing Issues with Log Files Outside /var/log

SELinux will prevent processes that are labeled syslogd_t to write to files that are (probably) labeled default_t. You need to label the file with something syslogd_t can write to. Files in /var/log are mostly labeled var_log_t, a type syslogd_t can surely write to.

You should not just relabel the files in /Testing to var_log_t, because that's bound to break at some point, when somebody executes an autorelabel at the next boot or runs restorecon -FvR /.

Instead, write a little policy that automatically and consistently labels your files in /Testing. Something to get your started. Your policy file could look similar to this:

/Testing(/.*)?    --    gen_context(system_u:object_r:var_log_t)

SELinux policy writing however, is a tad tricky. Which is why you should put stuff at the default location for that stuff.

However, I personally feel that logging should really go into /var/log. It's there for a reason. No matter how good you think your reason is for writing to /Testing, it's probably better to write to something like /var/log/testing.

Edit: no, no, no, no, no. That won't do. That was silly. You do not want to write a policy to allow syslogd_t to write to var_log_t, because that is already allowed by the default policy. You need to write filecontext rules (a .fc file), like my new snippet above, to label /Testing as var_log_t if you must...

Iptables – Remove Iptables log from kern.log syslog messages

I'm not sure where the & ~ comes from, but at least the following should perform what you want:

# Iptables
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT IN/DP: " ~
:msg,contains,"IPT6 IN/DP: " ~

Maybe not most elegant, but a similar config seems to work for me.

Best Answer

Related Solutions

RSyslog – Fixing Issues with Log Files Outside /var/log

Iptables – Remove Iptables log from kern.log syslog messages

Related Topic