#140 logging to multiple destinations

open
nobody
None
5
2007-07-06
2007-07-06
Anonymous
No

If I understand correctly, iptables/shorewall only logs to "kern" facility and bandwidth monitoring uses the "debug" level to perform its bandwidth logging.

The problem is, besides the default log file '/var/log/bandwidth' that is created (and rotated every hour), the same logging is going to 'kern.log', 'syslog' and 'debug' log files...

When using syslog-ng, part of this issue can be mitigated with a quick hack:

filter f_syslog {
    not facility(auth, authpriv)
    and not ( facility(kern) and level(debug) );
};
filter f_kern {
    facility(kern)
    and not level(debug);
};

Note: this is using Ubuntu 6.10, but should occur in a similar way on other Linux distros as well.

Discussion

  • Jamie Cameron

    Jamie Cameron - 2007-07-06

    Logged In: YES
    user_id=129364
    Originator: NO

    I can see how this could be a problem .. but it is not practical for Webmin to reverse-engineer a syslog-ng configuration to add the appropriate 'not' conditions to exclude debug logs. Doubly so for syslog-ng, as its config file is almost a programming language!

     
  • Jamie Cameron

    Jamie Cameron - 2007-07-06
    • labels: 687471 -->
    • assigned_to: jcameron --> nobody
     
  • Nobody/Anonymous

    Logged In: NO

    Hacking the syslog config is definitely not a fix for Webmin, but the growth rate is really becoming an issue:
    root:~# ls -l /var/log/debug && sleep 5 && ls -l /var/log/debug
    -rw-r----- 1 root adm 200K Jul 7 05:34 /var/log/debug
    -rw-r----- 1 root adm 226K Jul 7 05:34 /var/log/debug

    These logs can easily go over 500MB.

    I also thought about filtering these messages from the logs on the rotate.pl script:
    root:~# cat /var/log/debug | grep -v 'kernel: BANDWIDTH_[OI]' >/var/log/debug

    I know overwriting them like this is probably not good practice, but it does work...

    Thanks
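
A file-rewrite variant of the filtering idea in the last comment, as an added example that is not part of the original thread or of Webmin's rotate.pl: in `cat file | grep ... >file` the shell truncates the output file while setting up the redirection, so how much `cat` manages to read depends on timing. The function names `strip_bandwidth` and `make_sample`, the temp-file naming and the sample log lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: strip bandwidth-monitoring lines from a syslog file without
# reading and truncating the same file inside one pipeline.
# The grep pattern is the one from the comment above; everything else is assumed.

strip_bandwidth() {
    log=$1
    [ -f "$log" ] || { echo "no such file: $log" >&2; return 1; }
    # Private temp file next to the log (mktemp creates it with mode 0600).
    tmp=$(mktemp "${log}.XXXXXX") || return 1
    # grep exits 1 when every line was filtered out; only >1 is a real error.
    rc=0
    grep -v 'kernel: BANDWIDTH_[OI]' "$log" > "$tmp" || rc=$?
    if [ "$rc" -gt 1 ]; then
        rm -f "$tmp"
        return "$rc"
    fi
    # Write back into the existing inode so the syslog daemon's open
    # descriptor, the owner and the mode (root:adm, rw-r-----) are kept.
    # Lines logged between the grep and this write are lost (assumed acceptable).
    rc=0
    cat "$tmp" > "$log" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample log: three bandwidth lines and one ordinary kernel line.
make_sample() {
    cat > "$1" <<'EOF'
Jul  7 05:34:01 host kernel: BANDWIDTH_IN: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60
Jul  7 05:34:01 host kernel: BANDWIDTH_OUT: IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 LEN=60
Jul  7 05:34:02 host kernel: usb 1-1: new full speed USB device using uhci_hcd
Jul  7 05:34:03 host kernel: BANDWIDTH_IN: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=52
EOF
}

# Demo on a throwaway copy, never on the live /var/log/debug.
demo=$(mktemp -d) || exit 1
make_sample "$demo/debug"
strip_bandwidth "$demo/debug" && cat "$demo/debug"
rm -rf "$demo"
```

This only cleans up after the fact; the duplicate lines are still written by the syslog daemon until its own filters exclude them.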