rsyslog: logging some messages only to a specific file

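My firewall logs are being written to my custom iptables.log file, but they are also written to kern.log, messages, and syslog. I don't want these messages duplicated across all of these logs.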

What is wrong with my configuration?

    $ cat /etc/rsyslog.d/iptables.conf
    # This works, and the messages do get to iptables.log.
    :msg, regex, "^\[ *[0-9]*\.[0-9]*\] IPT" -/var/log/iptables.log
    & ~

/etc/rsyslog.conf calls $IncludeConfig /etc/rsyslog.d/*.conf before the lines for the standard log files.

    $ cat /etc/rsyslog.conf
    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog   # provides kernel logging support
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $FileOwner root
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $WorkDirectory /var/spool/rsyslog
    $IncludeConfig /etc/rsyslog.d/*.conf
    auth,authpriv.*                 /var/log/auth.log
    *.*;auth,authpriv.none          -/var/log/syslog
    daemon.*                        -/var/log/daemon.log
    kern.*                          -/var/log/kern.log
    lpr.*                           -/var/log/lpr.log
    mail.*                          -/var/log/mail.log
    user.*                          -/var/log/user.log
    mail.info                       -/var/log/mail.info
    mail.warn                       -/var/log/mail.warn
    mail.err                        /var/log/mail.err
    news.crit                       /var/log/news/news.crit
    news.err                        /var/log/news/news.err
    news.notice                     -/var/log/news/news.notice
    *.=debug;\
            auth,authpriv.none;\
            news.none;mail.none     -/var/log/debug
    *.=info;*.=notice;*.=warn;\
            auth,authpriv.none;\
            cron,daemon.none;\
            mail,news.none          -/var/log/messages
    *.emerg                         :omusrmsg:*
    daemon.*;mail.*;\
            news.err;\
            *.=debug;*.=info;\
            *.=notice;*.=warn       |/dev/xconsole

This is on a Debian Wheezy (7.9) system, with rsyslog version 5.8.11-3+deb7u2.

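Your $IncludeConfig /etc/rsyslog.d/*.conf is above the other logs, so you only need to stop processing the lines in iptables.conf. & ~ already says "stop processing", but on some systems I have found that you need stop instead. Only stop seems to be in the manual.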
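
A way to check whether the discard rule took effect, as an added example that is not part of the original question or answer: it counts lines matching the question's regex in each log file and reports any file that still receives firewall messages. The function names and the sample log lines are constructed, and it assumes the RSYSLOG_TraditionalFileFormat layout set in the question's rsyslog.conf.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the
# RSYSLOG_TraditionalFileFormat layout from the question's rsyslog.conf,
# where "kernel: " precedes the message text in each written line.
# The pattern is the question's msg regex in POSIX BRE, grep's default syntax
# (the closing "]" is left unescaped, which BRE treats as a literal).
IPT_PATTERN='kernel: \[ *[0-9]*\.[0-9]*] IPT'

# count_ipt FILE: print the number of firewall lines in FILE (0 if unreadable).
count_ipt() {
    if [ -r "$1" ]; then
        grep -c -- "$IPT_PATTERN" "$1" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# leaked_ipt FILE...: print "FILE COUNT" for every file that still receives
# firewall lines; return 1 if any file does, 0 if the discard rule is working.
leaked_ipt() {
    leaked=0
    for f in "$@"; do
        n=$(count_ipt "$f")
        if [ "$n" -gt 0 ]; then
            echo "$f $n"
            leaked=1
        fi
    done
    return "$leaked"
}

# make_sample_logs DIR: write constructed sample logs (not real traffic).
make_sample_logs() {
    printf '%s\n' \
        'Jan  5 10:00:01 fw kernel: [ 1234.567890] IPT DROP IN=eth0 SRC=192.0.2.10' \
        'Jan  5 10:00:02 fw kernel: [ 1235.000001] IPT DROP IN=eth0 SRC=192.0.2.11' \
        > "$1/iptables.log"
    printf '%s\n' \
        'Jan  5 10:00:01 fw kernel: [ 1234.567890] IPT DROP IN=eth0 SRC=192.0.2.10' \
        'Jan  5 10:00:03 fw kernel: [ 1236.100000] eth0: link up' \
        > "$1/kern.log"
    printf '%s\n' 'Jan  5 10:00:04 fw cron[321]: (root) CMD (true)' > "$1/syslog"
}

# Demo on the constructed files; on a real host pass /var/log/kern.log etc.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
leaked_ipt "$demo_dir/kern.log" "$demo_dir/syslog" || echo "duplicates remain"
rm -rf "$demo_dir"
```

Only lines written after rsyslog has reloaded the changed configuration say anything about the fix, so compare counts taken before and after generating fresh firewall traffic.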