Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Jun 06, 2016 8:33 pm Post subject: cron and logspam
With Gentoo's default configuration (and to be clear, it is Gentoo-supplied files causing this), running both vixie-cron and a syslog daemon leads to 90% of /var/log filling up with this useless noise:
Code:
Jun 06 13:59:01 [cron] (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
Jun 06 14:00:01 [cron] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
- Last output repeated 5 times -
Jun 06 14:59:01 [cron] (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
Jun 06 15:00:01 [cron] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
- Last output repeated 5 times -
Jun 06 15:59:01 [cron] (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)
Jun 06 16:00:01 [cron] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)
- Last output repeated 5 times -
Jun 06 16:59:01 [cron] (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)

I could just rm the preinstalled crontabs, but they'll come back with every reinstall. How have others decided to deal with this?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Jun 06, 2016 9:49 pm Post subject: Re: cron and logspam
Ant P. wrote:
    I could just rm the preinstalled crontabs, but they'll come back with every reinstall. How have others decided to deal with this?

Ant ... using syslog-ng:
/etc/syslog-ng/syslog-ng.conf:
filter f_messages { level(info..warn)
    and not facility(auth, authpriv, mail, news, cron); };
[...]
log { source(src); filter(f_messages); destination(messages); };

best ... khay
ChadJoan n00b
Joined: 17 Oct 2010 Posts: 38
Posted: Fri May 24, 2019 10:31 pm
It's a few years later now, but I wanted to add some notes that would have helped me when I visited this thread.
khayyam's suggestion pointed me in the right direction, but I think it would remove a lot more content than I would want. As I read it, that would only pass messages with a level between "info" and "warn", and anything from auth, authpriv, mail, news, or cron would get discarded entirely. For some users this might be fine, but for me it's too much.
To be more surgical, I created this filter in my /etc/syslog-ng/syslog-ng.conf file:
Code:
filter f_rm_cronspam {
    not facility (cron) or (facility(cron) and not message("^\(.*?\) CMD.*", type(pcre)));
};
[...]
log { source(src); filter(f_rm_cronspam); destination(messages); };
This filter unconditionally passes any messages from things besides cron (the "not facility(cron) or..." part). Messages from cron are special-cased by the right-hand side of the or-expression, which matches cron messages ("facility(cron)") and only allows them if they don't begin with some text of the form "(...) CMD".
You can use the command to check that non-spam cron messages are still making it through: /var/log/messages should end up with something like
Code:
May 24 18:12:08 your-hostname-here crontab[54151]: (root) LIST (root)
...in it.
For full context, here is my /etc/syslog-ng/syslog-ng.conf file at this point in time:
Code:
@version: 3.20
#
# Syslog-ng default configuration file for Gentoo Linux
# https://bugs.gentoo.org/426814

@include "scl.conf"

options {
    threaded(yes);
    chain_hostnames(no);

    # The default action of syslog-ng is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats_freq(43200);

    # The default action of syslog-ng is to log a MARK line
    # to the file every 20 minutes. That's seems high for most
    # people so turn it down to once an hour. Set it to zero
    # if you don't want the functionality at all.
    mark_freq(3600);

    # Attempt to unify timestamps in /var/log/messages to localtime.
    recv_time_zone('UTC');
    time_zone('America/New_York');
};

source src { system(); internal(); };

filter f_rm_cronspam {
    not facility (cron) or (facility(cron) and not message("^\(.*?\) CMD.*", type(pcre)));
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); filter(f_rm_cronspam); destination(messages); };
log { source(src); filter(f_rm_cronspam); destination(console_all); };
This does include some unrelated changes (the timezone stuff) and system-specific things (the version number, the timezone choice), so I advise against anyone simply copying this code into their syslog-ng.conf. Rather, this just provides an example of how it all comes together.
Be sure to run /etc/init.d/syslog-ng reload or /etc/init.d/syslog-ng restart after editing the /etc/syslog-ng/syslog-ng.conf file to make the changes go into effect.
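Added example, not part of any post in this thread: a small Python model of the two filters quoted above, run over constructed sample records to show which ones each filter lets through to the `messages` destination. It assumes Python's `re` behaves like PCRE for this pattern and that `message()` is applied to the message text only; the record layout and the `kept` helper are hypothetical.

```python
import re

# syslog severities, most severe first (index 0 = emerg).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Pattern from the f_rm_cronspam filter in the thread.
CRON_CMD = re.compile(r"^\(.*?\) CMD.*")


def f_messages(rec):
    """Model of: level(info..warn) and not facility(auth, authpriv, mail, news, cron)."""
    sev = LEVELS.index(rec["level"])
    in_range = LEVELS.index("warning") <= sev <= LEVELS.index("info")
    excluded = {"auth", "authpriv", "mail", "news", "cron"}
    return in_range and rec["facility"] not in excluded


def f_rm_cronspam(rec):
    """Model of: not facility(cron) or (facility(cron) and not message(...))."""
    if rec["facility"] != "cron":
        return True
    return CRON_CMD.search(rec["message"]) is None


# Constructed sample records, not real log data.
SAMPLES = [
    {"facility": "cron", "level": "info",
     "message": "(root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)"},
    {"facility": "cron", "level": "info", "message": "(root) LIST (root)"},
    {"facility": "cron", "level": "info", "message": "(root) REPLACE (root)"},
    {"facility": "authpriv", "level": "notice", "message": "constructed authentication message"},
    {"facility": "kern", "level": "err", "message": "constructed kernel error"},
    {"facility": "daemon", "level": "info", "message": "constructed daemon message"},
]


def kept(filter_fn):
    """Return the message text of every sample record the filter passes."""
    return [r["message"] for r in SAMPLES if filter_fn(r)]


if __name__ == "__main__":
    for name, fn in (("f_messages", f_messages), ("f_rm_cronspam", f_rm_cronspam)):
        print(name)
        for msg in kept(fn):
            print("  keeps:", msg)
```

Adding a line copied from your own log to `SAMPLES` lets you check the pattern before reloading syslog-ng.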