guitard00d (Tux's lil' helper)
Joined: 19 Dec 2003 Posts: 81 Location: Minatare, NE, USA, Earth
Posted: Mon Mar 01, 2004 9:28 am Post subject: Too much garbage in /var/log/messages
Is there any way to prevent courier-imapd, courier-pop3d and maildrop from writing to /var/log/messages?

It's a case of too many cooks in the kitchen messing up the stew. I need these programs to write to their own log files so it's easier to monitor things. As it stands right now, my /var/log/messages increases in size by 10 megs per day because of all the people checking their e-mail.
_________________
I know you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant...
--Richard Nixon
KingTaco (Developer)
Joined: 22 Aug 2003 Posts: 207 Location: Bay Area, CA
Posted: Mon Mar 01, 2004 6:44 pm
Not sure if you can move the log unless you recompile, however have you tried piping your /var/log/messages through grep?
Code:
cat /var/log/messages | grep -v "pop3" | grep -v "imap"
will remove all lines containing the words pop3 or imap. This is the way I run through my log files. (I also use courier)
guitard00d (Tux's lil' helper)
Joined: 19 Dec 2003 Posts: 81 Location: Minatare, NE, USA, Earth
Posted: Mon Mar 01, 2004 6:53 pm
KingTaco wrote:
    Not sure if you can move the log unless you recompile, however have you tried piping your /var/log/messages through grep?
    Code:
    cat /var/log/messages | grep -v "pop3" | grep -v "imap"
    will remove all lines containing the words pop3 or imap. This is the way I run through my log files. (I also use courier)

My concern is being able to read the other things in /var/log/messages without having to dig through all of the garbage. All of these entries caused by courier imapd/pop3d, maildrop and spamd just make it damn near impossible to pinpoint problems. So, to me it seems like the most logical resolution would be to force these programs to write to their own log files. Strange that their configuration files don't offer this as an option considering how obvious the need would be.
_________________
I know you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant...
--Richard Nixon
KingTaco (Developer)
Joined: 22 Aug 2003 Posts: 207 Location: Bay Area, CA
Posted: Mon Mar 01, 2004 7:05 pm
I take it you are trying to do something like the following:
Code:
emacs /var/log/messages
and then read through the logs looking for certain things (invalid logins, potential hackers, etc). You can use the grep method and then redirect the output to a file and look through that. For example:
Code:
# cat /var/log/messages | grep -v "courier" > /tmp/mylog
# emacs /tmp/mylog
# rm -f /tmp/mylog
tuxwatcher (Tux's lil' helper)
Joined: 05 Jun 2003 Posts: 121 Location: USA
Posted: Mon Mar 01, 2004 7:16 pm
What system logger are you using (syslog-ng, metalog...)?
kashani (Advocate)
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Mon Mar 01, 2004 7:17 pm
It sounds as though you're running syslog-ng. If so add the following to your syslog-ng.conf.
Code:
# Assumes your existing conf already defines the source "src" and the
# severity filters f_info, f_warn and f_err (level(info), level(warn), level(err)).
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
# Everything logged under the mail facility (courier, maildrop, ...)
filter f_mail { facility(mail); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
guitard00d (Tux's lil' helper)
Joined: 19 Dec 2003 Posts: 81 Location: Minatare, NE, USA, Earth
Posted: Mon Mar 01, 2004 7:21 pm
kashani wrote:
    It sounds as though you're running syslog-ng.

Yes, you are absolutely right. Damn, I didn't know I could modify things through the syslog-ng configuration. Thanks!
_________________
I know you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant...
--Richard Nixon
tuxwatcher (Tux's lil' helper)
Joined: 05 Jun 2003 Posts: 121 Location: USA
Posted: Mon Mar 01, 2004 7:24 pm
Check out the syslog-ng.conf.sample.gz on your system for a really detailed set of logs. It is probably in /usr/share/doc/syslog-ng-1.6.0_rc3-r1. I use it minus the ppp entries.
Accipiter (Tux's lil' helper)
Joined: 24 Feb 2003 Posts: 87 Location: Buffalo, NY
Posted: Mon Mar 29, 2004 8:35 pm
In response to kashani's post:

Does that configuration snippet work for the verbose output of courier-imapd? For example, during any given squirrelmail session, the following will be printed to /var/log/messages repeatedly:
Code:
Mar 29 15:15:24 omega imapd: LOGIN, user=mvaughn, ip=[127.0.0.1], protocol=IMAP
Mar 29 15:15:24 omega imapd: LOGOUT, user=mvaughn, ip=[127.0.0.1], headers=0, body=0
Mar 29 15:15:25 omega imapd: Connection, ip=[127.0.0.1]
I am using the following configuration for this purpose:
Code:
destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };
destination imapd { file("/var/log/imapd.log"); };
filter f_imapd { program(imapd); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
log { source(src); filter(f_imapd); destination(imapd); };
This does not, however, remove the lines I'm trying to shunt off from /var/log/messages; they still appear there, but the trick is I want them ONLY in /var/log/imapd.log. What am I missing?
kashani (Advocate)
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Tue Mar 30, 2004 12:21 am
It might be this line in my config. I'm using the old syslog-ng.conf file from at least a year ago. For some reason Gentoo decided to pull most of the real functionality out of the default config.
Code:
filter f_messages { level(info..warn)
    and not facility(auth, authpriv, mail, news); };

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
lupine313 (n00b)
Joined: 12 Nov 2003 Posts: 35
Posted: Tue Mar 30, 2004 1:57 am
I'm having this same exact problem but with iptables. All my firewall alerts logged from iptables are properly being sent to their own log file BUT they are also still being sent to /var/log/messages and I don't want that. How do I filter them out?? Thanks.
~jeff~
sapphirecat (Guru)
Joined: 15 Jan 2003 Posts: 376
Posted: Tue Mar 30, 2004 4:28 pm
lupine313 wrote:
    I'm having this same exact problem but with iptables. All my firewall alerts logged from iptables are properly being sent to their own log file BUT they are also still being sent to /var/log/messages and I don't want that. How do I filter them out??

I split out the kernel from the rest of the logs, like so:
Code:
### Kernel logs
# Destinations d_iptables, d_console and d_kmsg are defined elsewhere in the conf
source s_kmsg { pipe("/proc/kmsg"); };
# FIXME: is there a better/faster way to do this?
# match() takes a quoted regexp; iptables LOG lines carry "IN=... OUT=..."
filter f_iptables { match("IN=.*OUT="); };
log { source(s_kmsg); filter(f_iptables); destination(d_iptables); destination(d_console); };
log { source(s_kmsg); destination(d_kmsg); flags(fallback); };
Then I can use flags(fallback) which makes every message from the source which wasn't matched elsewhere go to that destination.
_________________
Former Gentoo user; switched to Kubuntu 7.04 when I got sick of waiting on gcc. Chance of thread necro if you reply now approaching 100%...
sapphirecat (Guru)
Joined: 15 Jan 2003 Posts: 376
Posted: Tue Mar 30, 2004 4:31 pm
Accipiter wrote:
    Code:
    destination messages { file("/var/log/messages"); };
    destination console_all { file("/dev/tty12"); };
    destination imapd { file("/var/log/imapd.log"); };
    filter f_imapd { program(imapd); };
    log { source(src); destination(messages); };
    log { source(src); destination(console_all); };
    log { source(src); filter(f_imapd); destination(imapd); };
    This does not, however, remove the lines I'm trying to shunt off from /var/log/messages; they still appear there, but the trick is I want them ONLY in /var/log/imapd.log. What am I missing?

I don't know the official way to do it, but I'd use something like:
Code:
filter fnot_imapd { not filter(f_imapd); };
log { source(src); filter(fnot_imapd); destination(messages); };
_________________
Former Gentoo user; switched to Kubuntu 7.04 when I got sick of waiting on gcc. Chance of thread necro if you reply now approaching 100%...
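Pulling the thread's pieces together as one added example (not any poster's own config): a syslog-ng 1.6-style syslog-ng.conf that sends imapd lines only to /var/log/imapd.log (Accipiter's question) and keeps iptables hits out of /var/log/messages (lupine313's), using the `not filter()` and `flags(fallback)` ideas from sapphirecat's replies. The source, destination and filter names are this example's own assumptions, and the `match("IN=.*OUT=")` regexp assumes the kernel lines come from the iptables LOG target, as in the thread.

```conf
# Added example, not from the thread. Assumes syslog-ng 1.6 syntax on Gentoo.
options { use_dns(no); };

# Sources: the system log socket for daemons, /proc/kmsg for the kernel
source s_sys  { unix-stream("/dev/log"); internal(); };
source s_kmsg { pipe("/proc/kmsg"); };

# One file per thing you want to read on its own (names are this example's)
destination d_messages { file("/var/log/messages"); };
destination d_imapd    { file("/var/log/imapd.log"); };
destination d_mail     { file("/var/log/mail.log"); };
destination d_iptables { file("/var/log/iptables.log"); };
destination d_kmsg     { file("/var/log/kernel.log"); };

# Filters
filter f_imapd    { program("imapd"); };
filter f_mail     { facility(mail); };
# Kernel lines from the iptables LOG target carry IN=... OUT=...
filter f_iptables { match("IN=.*OUT="); };
# The general log: explicitly exclude everything that has its own file.
# Without the "not" terms a message matches every log{} whose filters accept it,
# which is why Accipiter's imapd lines were landing in both files.
filter f_messages { level(info..warn)
                    and not filter(f_imapd)
                    and not facility(auth, authpriv, mail, news); };

# Daemon logs
log { source(s_sys); filter(f_imapd); destination(d_imapd); };
log { source(s_sys); filter(f_mail);  destination(d_mail); };
log { source(s_sys); filter(f_messages); destination(d_messages); };

# Kernel: iptables hits go to their own file. fallback catches every s_kmsg
# message no other statement for that source matched, so nothing is silently lost.
log { source(s_kmsg); filter(f_iptables); destination(d_iptables); };
log { source(s_kmsg); destination(d_kmsg); flags(fallback); };
```

After editing, restart syslog-ng and confirm the noisy lines now stop appearing in /var/log/messages while still being written to their own file; a filter that excludes too much leaves you with gaps you will not notice until you need them.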