Can someone tell me the proper command to save log data to "/home/bobg/xxlog" instead of filling up "var/log/messages"? Nothing I've tried has worked.
[bobg@box9 ~]$ less /etc/rsyslog.conf
.............. snip ................ .
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
name/192.168.1.9:514
# ### end of the forwarding rule ###
Thanks,
Bob
On 19.08.2012, Bob Goodwin - Zuni, Virginia, USA wrote:
Can someone tell me the proper command to save log data to "/home/bobg/xxlog" instead of filling up "var/log/messages"? Nothing I've tried has worked.
Here's what works for me:
1. Go to /etc/sysconfig/rsyslog and add the "-r" option to the parameters for rsyslogd (as far as I know, the "-r" option has been obsoleted some time ago, and is replaced by 2., so just try or read the manpages).
2. Go to /etc/rsyslogd.conf and let the daemon listen on UDP port 514:
$ModLoad imudp
$UDPServerRun 514
3. Go to /etc/rsyslog.d and create an empty file. Write this into it:
:source, isequal, "sunshine" /var/log/tomato.log
:source, isequal, "sunshine" ~
Replace "sunshine" with your router's name, or use its IP.
4. Restart rsyslogd:
systemctl restart syslog.service
That's it.
On 08/20/2012 12:53 AM, Heinz Diehl wrote:
On 19.08.2012, Bob Goodwin - Zuni, Virginia, USA wrote:
Can someone tell me the proper command to save log data to "/home/bobg/xxlog" instead of filling up "var/log/messages"? Nothing I've tried has worked.
Here's what works for me:
- Go to /etc/sysconfig/rsyslog and add the "-r" option to the parameters for rsyslogd (as far as I know, the "-r" option has been obsoleted some time ago, and is replaced by 2., so just try or read the manpages).
- Go to /etc/rsyslogd.conf and let the daemon listen on UDP port 514:
$ModLoad imudp
$UDPServerRun 514
- Go to /etc/rsyslog.d and create an empty file. Write this into it:
:source, isequal, "sunshine" /var/log/tomato.log
:source, isequal, "sunshine" ~
Replace "sunshine" with your router's name, or use its IP.
- Restart rsyslogd:
systemctl restart syslog.service
That's it.
And don't forget to open port 514 if you are running a firewall on the rsyslog host. It is closed by default.
On 19/08/12 15:44, Ed Greshko types:
On 08/20/2012 12:53 AM, Heinz Diehl wrote:
On 19.08.2012, Bob Goodwin - Zuni, Virginia, USA wrote:
Can someone tell me the proper command to save log data to "/home/bobg/xxlog" instead of filling up "var/log/messages"? Nothing I've tried has worked.
Here's what works for me:
- Go to /etc/sysconfig/rsyslog and add the "-r" option to the parameters for rsyslogd (as far as I know, the "-r" option has been obsoleted some time ago, and is replaced by 2., so just try or read the manpages).
- Go to /etc/rsyslogd.conf and let the daemon listen on UDP port 514:
$ModLoad imudp
$UDPServerRun 514
- Go to /etc/rsyslog.d and create an empty file. Write this into it:
:source, isequal, "sunshine" /var/log/tomato.log
:source, isequal, "sunshine" ~
Replace "sunshine" with your router's name, or use its IP.
- Restart rsyslogd:
systemctl restart syslog.service
That's it.
And don't forget to open port 514 if you are running a firewall on the rsyslog host. It is closed by default.
It shows 514 UDP open.
But I still can't get anything into /var/log/tomato.log. It keeps filling up /var/log/messages, about 2 megs so far today! I'm still missing something.
I changed this since the option -r doesn't seem to be used.
/etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 2"
And created this:
[bobg@box9 rsyslog.d]$ cat emptyfile
# /etc/rsyslog.d/emptyfile
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
Actually I even tried naming it emptyfile.conf out of desperation.
Nothing is ever easy!
Bob .
-- http://www.qrz.com/db/W2BOD
box9
On 19.08.2012, Bob Goodwin - Zuni, Virginia, USA wrote:
[bobg@box9 rsyslog.d]$ cat emptyfile
# /etc/rsyslog.d/emptyfile
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
Actually I even tried naming it emptyfile.conf out of desperation.
My bad, a big sorry! This file MUST have a .conf ending, otherwise it will be ignored. Look into /etc/rsyslog.conf why; it contains these lines:
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
So after rsyslog.conf, rsyslogd is sourcing all files which end in .conf in /etc/rsyslog.d.
Nothing is ever easy!
This is strange. I'm running Tomato 1.28 on a WRT-54GL (Linksys/Cisco), and it logs perfectly into the file I defined in the config, using the modifications from my mail.
Just to be absolutely sure: did you configure the logging options in Tomato correctly?
Hmm, strange... could you try this: look in your Tomato setup in "Basic -> Identification" and see if there is a router name defined. Replace the IP with this name in the file in /etc/rsyslog.d and restart the service. Does it work now?
On 19/08/12 17:11, Heinz Diehl types:
On 19.08.2012, Bob Goodwin - Zuni, Virginia, USA wrote:
[bobg@box9 rsyslog.d]$ cat emptyfile
# /etc/rsyslog.d/emptyfile
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
Actually I even tried naming it emptyfile.conf out of desperation.
My bad, a big sorry! This file MUST have a .conf ending, otherwise it will be ignored. Look into /etc/rsyslog.conf why; it contains these lines:
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
So after rsyslog.conf, rsyslogd is sourcing all files which end in .conf in /etc/rsyslog.d.
Nothing is ever easy!
This is strange. I'm running Tomato 1.28 on a WRT-54GL (Linksys/Cisco), and it logs perfectly into the file I defined in the config, using the modifications from my mail.
Just to be absolutely sure: did you configure the logging options in Tomato correctly?
Hmm, strange... could you try this: look in your Tomato setup in "Basic -> Identification" and see if there is a router name defined. Replace the IP with this name in the file in /etc/rsyslog.d and restart the service. Does it work now?
This is what I see there. Host name would be box9, 192.168.1.9, or localhost. I tried all three.
Router Identification
Router Name: tomato
Hostname: localhost
Domain Name:
and I changed to:
/etc/rsyslog.d/emptyfile
:source, isequal, tomato /var/log/tomato.log
:source, isequal, tomato ~
Still zero data in /var/log/tomato.log
[root@box9 rsyslog.d]# ll /var/log/tomato.log
-rw-rw-r--. 1 root root 0 Aug 19 13:45 /var/log/tomato.log
On 19/08/12 17:11, Heinz Diehl types:
On 19.08.2012, Bob Goodwin - Zuni, Virginia, USA wrote:
[bobg@box9 rsyslog.d]$ cat emptyfile
# /etc/rsyslog.d/emptyfile
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
Actually I even tried naming it emptyfile.conf out of desperation.
My bad, a big sorry! This file MUST have a .conf ending, otherwise it will be ignored. Look into /etc/rsyslog.conf why; it contains these lines:
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
So after rsyslog.conf, rsyslogd is sourcing all files which end in .conf in /etc/rsyslog.d.
Nothing is ever easy!
This is strange. I'm running Tomato 1.28 on a WRT-54GL (Linksys/Cisco), and it logs perfectly into the file I defined in the config, using the modifications from my mail.
Just to be absolutely sure: did you configure the logging options in Tomato correctly?
Hmm, strange... could you try this: look in your Tomato setup in "Basic -> Identification" and see if there is a router name defined. Replace the IP with this name in the file in /etc/rsyslog.d and restart the service. Does it work now?
And I changed file name, missed that on the last change.
[root@box9 rsyslog.d]# cat emptyfile.conf
# /etc/rsyslog.d/emptyfile
:source, isequal, tomato /var/log/tomato.log
:source, isequal, tomato ~
Same result though.
-- http://www.qrz.com/db/W2BOD
box9
On 08/20/2012 06:17 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
And I changed file name, missed that on the last change.
[root@box9 rsyslog.d]# cat emptyfile.conf
# /etc/rsyslog.d/emptyfile
:source, isequal, tomato /var/log/tomato.log
:source, isequal, tomato ~
Same result though.
FWIW, I use rsyslog to log messages from my Dlink router. I don't use the "source" method. I simply have this in my rsyslog.conf....
if $msg contains 'D-Link' then /var/log/dlink.log
since an entry from the router looks like this....
Aug 20 09:04:05 Mon Aug 20 09:04:07 2012 D-Link Systems DIR-615 System Log: Blocked incoming UDP packet from 95.17.110.3:56119 to 211.75.128.215:88
On 19/08/12 21:08, Ed Greshko responds:
FWIW, I use rsyslog to log messages from my Dlink router. I don't use the "source" method. I simply have this in my rsyslog.conf....
if $msg contains 'D-Link' then /var/log/dlink.log
since an entry from the router looks like this....
Aug 20 09:04:05 Mon Aug 20 09:04:07 2012 D-Link Systems DIR-615 System Log: Blocked incoming UDP packet from 95.17.110.3:56119 to 211.75.128.215:88
--
Well, for the first time I am saving something in /var/log/tomato.log!
[root@box9 bobg]$ ll /var/log/tomato.log
-rw-rw-r--. 1 root root 266 Aug 20 10:16 /var/log/tomato.log
[root@box9 bobg]$ cat /var/log/tomato.log
Aug 20 10:16:37 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal, tomato /var/log/tomato.log"
Aug 20 10:16:37 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 4:":source, isequal, tomato ~"
It looks like it may want "box9" instead of "tomato" there?
On 20/08/12 10:26, Bob Goodwin - Zuni, Virginia, USA responds:
On 19/08/12 21:08, Ed Greshko responds:
FWIW, I use rsyslog to log messages from my Dlink router. I don't use the "source" method. I simply have this in my rsyslog.conf....
if $msg contains 'D-Link' then /var/log/dlink.log
since an entry from the router looks like this....
Aug 20 09:04:05 Mon Aug 20 09:04:07 2012 D-Link Systems DIR-615 System Log: Blocked incoming UDP packet from 95.17.110.3:56119 to 211.75.128.215:88
--
Well, for the first time I am saving something in /var/log/tomato.log!
[root@box9 bobg]$ ll /var/log/tomato.log
-rw-rw-r--. 1 root root 266 Aug 20 10:16 /var/log/tomato.log
[root@box9 bobg]$ cat /var/log/tomato.log
Aug 20 10:16:37 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal, tomato /var/log/tomato.log"
Aug 20 10:16:37 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 4:":source, isequal, tomato ~"
It looks like it may want "box9" instead of "tomato" there?
I've tried several forms:
/etc/rsyslog.d/emptyfile.conf
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
But can't find the right one.
[bobg@box9 ~]$ cat /var/log/tomato.log
Aug 20 10:30:24 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal, 192.168.1.9 /var/log/tomato.log"
-- http://www.qrz.com/db/W2BOD
box9
On 08/20/2012 10:44 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
I've tried several forms:
/etc/rsyslog.d/emptyfile.conf
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
But can't find the right one.
I believe you need either single or double quotes around the 'value'....
:source, isequal, "192.168.1.9" /var/log/tomato.log
On 20/08/12 10:54, Ed Greshko responds:
On 08/20/2012 10:44 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
I've tried several forms:
/etc/rsyslog.d/emptyfile.conf
:source, isequal, 192.168.1.9 /var/log/tomato.log
:source, isequal, 192.168.1.9 ~
But can't find the right one.
I believe you need either single or double quotes around the 'value'....
:source, isequal, "192.168.1.9" /var/log/tomato.log
It doesn't seem to accept double quotes, single still yields an error message.
[bobg@box9 ~]$ cat /var/log/tomato.log
Aug 20 11:02:27 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal, '192.168.1.9' /var/log/tomato.log"
On 08/20/2012 11:29 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
It doesn't seem to accept double quotes, single still yields an error message.
[bobg@box9 ~]$ cat /var/log/tomato.log
Aug 20 11:02:27 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal, '192.168.1.9' /var/log/tomato.log"
Well... All I can say at this point is....
1. I don't use :source
2. I log info from my dlink in a file which is not /var/log/messages and that is what I think you are trying to do.
3. These work just fine for me....
if $msg contains 'from 192.168.0.18' then ~ (discard messages which match)
if $msg contains 'D-Link' then /var/log/dlink.log (log messages containing D-Link in dlink.log)
or
:msg, contains, "from 192.168.0.1" ~
:msg, contains, "D-Link" /var/log/dlink.log
So.... Maybe you should post a copy of the entries that are filling up your /var/log/messages file?
On 20/08/12 11:42, Ed Greshko responds:
On 08/20/2012 11:29 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
It doesn't seem to accept double quotes, single still yields an error message.
[bobg@box9 ~]$ cat /var/log/tomato.log
Aug 20 11:02:27 box9 rsyslogd: the last error occured in /etc/rsyslog.d/emptyfile.conf, line 3:":source, isequal, '192.168.1.9' /var/log/tomato.log"
Well... All I can say at this point is....
I don't use :source
I log info from my dlink in a file which is not /var/log/messages and that is what I think you are trying to do.
These work just fine for me....
if $msg contains 'from 192.168.0.18' then ~ (discard messages which match)
if $msg contains 'D-Link' then /var/log/dlink.log (log messages containing D-Link in dlink.log)
or
:msg, contains, "from 192.168.0.1" ~
:msg, contains, "D-Link" /var/log/dlink.log
So.... Maybe you should post a copy of the entries that are filling up your /var/log/messages file?
[root@box9 bobg]# cat /var/log/messages
................ snip a few megs ................
Aug 20 11:52:44 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3031 DF PROTO=TCP SPT=54392 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB124B0000000001030307)
Aug 20 11:52:49 box9 dbus-daemon[584]: ** Message: No devices in use, exit
Aug 20 11:52:55 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58958 DF PROTO=TCP SPT=54393 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB3D530000000001030307)
Aug 20 11:52:55 localhost rstats[3474]: Problem loading /home/bobg/Ulog. Still trying...
Aug 20 11:53:08 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40904 DF PROTO=TCP SPT=54394 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB68E30000000001030307)
On 08/20/2012 11:58 PM, Bob Goodwin - Zuni, Virginia, USA wrote:
[root@box9 bobg]# cat /var/log/messages
................ snip a few megs ................
Aug 20 11:52:44 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3031 DF PROTO=TCP SPT=54392 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB124B0000000001030307)
Aug 20 11:52:49 box9 dbus-daemon[584]: ** Message: No devices in use, exit
Aug 20 11:52:55 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=58958 DF PROTO=TCP SPT=54393 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB3D530000000001030307)
Aug 20 11:52:55 localhost rstats[3474]: Problem loading /home/bobg/Ulog. Still trying...
Aug 20 11:53:08 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40904 DF PROTO=TCP SPT=54394 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01BB68E30000000001030307)
It was my understanding that you were trying to shunt log entries sent by your "router" to a file different than /var/log/messages.
What you are showing are logs generated by your "localhost" that are created by iptables. You seem to have a rule set up to log entries with "ACCEPT" which is certain to fill up your log files.
I think your "problem" is really in your iptables setup and nothing to do with rsyslog.
On 20/08/12 12:07, Ed Greshko responds:
It was my understanding that you were trying to shunt log entries sent by your "router" to a file different than /var/log/messages.
What you are showing are logs generated by your "localhost" that are created by iptables. You seem to have a rule set up to log entries with "ACCEPT" which is certain to fill up your log files.
I think your "problem" is really in your iptables setup and nothing to do with rsyslog.
Ok, but I have not intentionally done anything to accomplish that. This must result from tomato's logging? Its internal log displays:
............ snip ............
Aug 20 12:12:09 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63002 DF PROTO=TCP SPT=54721 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CCD3640000000001030307)
Aug 20 12:12:20 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59067 DF PROTO=TCP SPT=54722 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CCFE5A0000000001030307)
Aug 20 12:12:31 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21891 DF PROTO=TCP SPT=54723 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CD29A40000000001030307)
Aug 20 12:12:43 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=51664 DF PROTO=TCP SPT=54724 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CD57490000000001030307)
Aug 20 12:12:54 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21828 DF PROTO=TCP SPT=54725 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CD825D0000000001030307)
Aug 20 12:13:05 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23224 DF PROTO=TCP SPT=54726 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CDAD260000000001030307)
Aug 20 12:13:07 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=173.194.79.108 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1445 DF PROTO=TCP SPT=43864 DPT=995 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CDB7970000000001030307)
Aug 20 12:13:16 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1407 DF PROTO=TCP SPT=54728 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CDD9630000000001030307)
Aug 20 12:13:18 localhost user.warn kernel: DROP IN=vlan1 OUT= MAC=20:aa:4b:a5:fe:08:00:a0:bc:22:a0:6e:08:00:45:28:00:30 SRC=95.25.51.103 DST=184.21.222.44 LEN=48 TOS=0x08 PREC=0x20 TTL=103 ID=49610 DF PROTO=TCP SPT=3940 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204
Aug 20 12:13:21 localhost user.warn kernel: DROP IN=vlan1 OUT= MAC=20:aa:4b:a5:fe:08:00:a0:bc:22:a0:6e:08:00:45:28:00:30 SRC=95.25.51.103 DST=184.21.222.44 LEN=48 TOS=0x08 PREC=0x20 TTL=103 ID=50195 DF PROTO=TCP SPT=3940 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204
Aug 20 12:13:27 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56365 DF PROTO=TCP SPT=54729 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CE05B80000000001030307)
On 08/21/2012 12:17 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
Ok, but I have not intentionally done anything to accomplish that. This must result from tomato's logging? Its internal log displays:
............ snip ............
Aug 20 12:12:09 localhost user.warn kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63002 DF PROTO=TCP SPT=54721 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A01CCD3640000000001030307)
"tomato" is your router, right? Not a Fedora machine, right?
Those log entries are being written by "localhost". They are iptables log entries. Now, I see you having 2 choices.....
1. You could post your iptables rules and have someone debug them. (Sleep time for me, and not an iptables expert.)
2. Mask the problem by adding:
:msg, contains, "ACCEPT IN" ~
to your /etc/rsyslog.conf in the appropriate place....or in a /etc/rsyslog.d/maskmyproblem.conf file.
On 20/08/12 12:28, Ed Greshko responds:
"tomato" is your router, right? Not a Fedora machine, right?
Those log entries are being written by "localhost". They are iptables log entries. Now, I see you having 2 choices.....
You could post your iptables rules and have someone debug them. (Sleep time for me, and not an iptables expert.)
Mask the problem by adding:
:msg, contains, "ACCEPT IN" ~
to your /etc/rsyslog.conf in the appropriate place....or in a /etc/rsyslog.d/maskmyproblem.conf file.
System information under status says:
System Name: tomato
Model: Linksys WRT54G/GS/GL
Time: Mon, 20 Aug 2012 12:33:00 -0400
Uptime: 1 day, 23:14:16
CPU Load (1 / 5 / 15 mins): 0.01 / 0.01 / 0.00
Total / Free Memory: 14.19
Anyway thanks for the help and good night, I know that it's 12 hours later there.
Bob
On 08/21/2012 12:36 AM, Bob Goodwin - Zuni, Virginia, USA wrote:
System information under status says:
System Name: tomato
Model: Linksys WRT54G/GS/GL
Time: Mon, 20 Aug 2012 12:33:00 -0400
Uptime: 1 day, 23:14:16
CPU Load (1 / 5 / 15 mins): 0.01 / 0.01 / 0.00
Total / Free Memory: 14.19
Anyway thanks for the help and good night, I know that it's 12 hours later there.
You're welcome....
FWIW, the messages you're showing are *not* being *sent* by your Linksys router. 192.168.1.9 may be the IP address of that router..... BUT, the SRC is simply a portion of the message that iptables is logging and has nothing to do with :source in rsyslog.
So..... to stop filling up your logs you'll either have to address your logging problem in iptables or mask that problem. (I've never been a fan of masking problems...)
On the system with the logs filling up.... You may want to do something like "iptables -L | grep -i log" to see what is being sent to the logs. You certainly don't want to see the word "ACCEPT".
00:42 .... G'nite
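Added example, not part of the thread: a small Python model of how rsyslog property-based filters would route the log lines quoted above, showing why a `:source` rule keyed on 192.168.1.9 never matches while `:msg, contains, "ACCEPT IN"` does. It assumes `source` is the hostname field of the syslog header (rsyslog treats it as an alias for `hostname`), that `~` discards, and that unmatched lines fall through to /var/log/messages; the sample lines are constructed by shortening the thread's excerpts, and the function names are hypothetical.

```python
import re

# Constructed sample: shortened copies of the /var/log/messages lines quoted in the thread.
SAMPLE = [
    "Aug 20 11:52:44 localhost kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.9 DST=74.126.6.130 PROTO=TCP DPT=80",
    "Aug 20 11:52:49 box9 dbus-daemon[584]: ** Message: No devices in use, exit",
    "Aug 20 11:52:55 localhost rstats[3474]: Problem loading /home/bobg/Ulog. Still trying...",
    "Aug 20 12:13:18 localhost kernel: DROP IN=vlan1 OUT= SRC=95.25.51.103 DST=184.21.222.44 PROTO=TCP DPT=445",
]

# Traditional file format: "Mmm dd hh:mm:ss HOSTNAME TAG: MSG"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<source>\S+)\s+(?P<tag>[^:\s]+):(?P<msg>.*)$")

# Property-based filter: :property, compare-operation, "value" action
RULE_RE = re.compile(
    r'^:(?P<prop>[\w-]+),\s*(?P<op>\w+),\s*"(?P<value>[^"]*)"\s+(?P<action>\S+)$')

OPS = {
    "isequal": lambda field, value: field == value,
    "contains": lambda field, value: value in field,
    "startswith": lambda field, value: field.startswith(value),
}
PROPS = ("source", "hostname", "msg")  # the only properties this model knows


def parse_line(line):
    """Split one log line into the properties this model supports."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    rec = m.groupdict()
    rec["hostname"] = rec["source"]  # assumption: source is an alias for hostname
    return rec


def parse_rule(rule):
    """Parse one double-quoted property filter; anything else is rejected."""
    m = RULE_RE.match(rule.strip())
    if m is None or m["op"] not in OPS or m["prop"] not in PROPS:
        raise ValueError("unsupported filter in this model: %r" % rule)
    return m.groupdict()


def route(lines, rules, default="/var/log/messages"):
    """Return {destination: [lines]} after applying the rules in order."""
    parsed = [parse_rule(r) for r in rules]
    files = {}
    for line in lines:
        rec = parse_line(line)
        discarded = False
        for r in parsed:
            if OPS[r["op"]](rec[r["prop"]], r["value"]):
                if r["action"] == "~":  # discard: later rules never see the line
                    discarded = True
                    break
                files.setdefault(r["action"], []).append(line)
        if not discarded:
            files.setdefault(default, []).append(line)
    return files


if __name__ == "__main__":
    for value in ("192.168.1.9", "tomato", "localhost"):
        rules = [':source, isequal, "%s" /var/log/tomato.log' % value,
                 ':source, isequal, "%s" ~' % value]
        out = route(SAMPLE, rules)
        print(value, {dest: len(hits) for dest, hits in out.items()})
    print("mask", {d: len(h) for d, h in
                   route(SAMPLE, [':msg, contains, "ACCEPT IN" ~']).items()})
```

In this model the `SRC=192.168.1.9` text lives only in `msg`, so only a `msg` filter can see it; the `source` of every firewall line in the sample is `localhost`.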