
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
0 answers
1314 views
How to turn "Suppressed n messages from /" into visible, logged messages?
CentOS 7.9, latest kernel, latest micro updates. The console log level is set to "debug" (7) to see all messages I can get. Suddenly:
grep "journal: Suppressed" messages | less
shows messages like
Jul 22 17:35:21  journal: Suppressed 603 messages from /
To make these visible I tried:
# vi /etc/systemd/journald.conf
RateLimitInterval=30s
RateLimitBurst=5000
# systemctl restart systemd-journald
# systemctl daemon-reload
However, then this happens:
Jul 22 18:27:01 .. rsyslogd: imjournal: begin to drop messages due to rate-limiting
Jul 22 18:27:46 .. rsyslogd: imjournal: 651 messages lost due to rate-limiting
etc. I tried to make these visible with
# vi /etc/rsyslog.conf
$imjournalRatelimitInterval 30
$imjournalRatelimitBurst 5000
systemctl restart rsyslog
After the changes, neither the "Suppressed" messages are logged, nor the imjournal messages. Actually, now /var/log/messages looks perfectly alright, as if no issues exist on the server. But as the server previously crashed suddenly without obvious reason, I am sure something is wrong. Why is nothing logged? The intention was to find out what is causing these "/"-sourced "messages", what these are, and how I can see what should actually be reported.
LT493GU (21 rep)
Jul 23, 2023, 07:36 AM • Last activity: Aug 4, 2025, 01:58 PM
0 votes
1 answers
2319 views
Debian 11 - audit logs appearing in /var/log/auth
I'm on a Debian 11 server and my audit logs are going into /var/log/audit/audit.log as well as into /var/log/auth.log. They are filling up my auth.log and they really should not be going there. Below is the relevant portion of my configs:
/etc/rsyslog.conf
kern.debug /var/log/kern.log
daemon.* /var/log/daemon.log
*.info;cron,auth,authpriv.none /var/log/syslog
cron.* /var/log/cron.log
user.* /var/log/user.log
auth,authpriv.* /var/log/auth.log
/etc/audit/auditd.conf
log_file = /var/log/audit.log
I'm at a bit of a loss here as to what to do. How do I get my audit logs to go to /var/log/audit/audit.log only?
kathyl (46 rep)
Mar 14, 2023, 08:53 AM • Last activity: Jul 31, 2025, 06:05 AM
1 votes
1 answers
1884 views
How to record local3 with all severity levels to a file using system logger?
I'm using a VM, Ubuntu Linux. What I'm trying to do is use the system logger to record the local3 facility with all severity levels to a file /var/log/local3.log. I'm confused as to what the process is. Am I just supposed to edit /etc/rsyslog.conf with something along the lines of:
local3.* /var/log/local3.log
or do I use the logger command? Or both? I also want to add a logrotate afterwards so that it rotates weekly, keeping 8 weeks' worth of log files.
CawCawsca (11 rep)
Dec 8, 2020, 03:58 AM • Last activity: Jul 29, 2025, 10:02 PM
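One way to wire this up, as an added example that is not from the question or its answer: a rsyslog drop-in for the facility and a matching logrotate fragment. It assumes Ubuntu's stock layout (a 50-default.conf whose catch-all rule is *.*;auth,authpriv.none -/var/log/syslog, log files owned by syslog:adm, and the /usr/lib/rsyslog/rsyslog-rotate helper shipped in /etc/logrotate.d/rsyslog); the two file names are assumptions as well.

```conf
# /etc/rsyslog.d/30-local3.conf  (assumed name; it must end in .conf to be picked
# up by the include in /etc/rsyslog.conf, and "30-" sorts before 50-default.conf)

# All severities of local3 (emerg through debug) go to their own file.
# rsyslog creates the file itself using the $FileOwner/$FileGroup/$FileCreateMode
# globals from /etc/rsyslog.conf, so nothing needs to be touched or chmod'ed.
local3.*    /var/log/local3.log

# "&" re-uses the selector above; "stop" ends processing for these messages so
# the catch-all rule in 50-default.conf does not copy them into /var/log/syslog.
& stop


# /etc/logrotate.d/local3  (assumed name)
/var/log/local3.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    create 0640 syslog adm
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
```

The logger command is only the client side: after `rsyslogd -N1` reports no errors and the service has been restarted, `logger -p local3.info "local3 test"` should land in /var/log/local3.log and not in /var/log/syslog. `logrotate -d /etc/logrotate.d/local3` dry-runs the rotation; the postrotate script tells rsyslog to reopen the file, otherwise it keeps writing to the renamed one.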
0 votes
2 answers
69 views
How do I write a rsyslog.d rule to send lines to a file?
I tried
# cat /etc/rsyslog.d/foo.sh 
:msg, contains, "foo" /var/log/foo.log
# systemctl restart rsyslog
# logger -t foo -p local0.info foo
But nothing appears in /var/log/foo.log. Even if I touch foo.log and "chmod 777" it, nothing appears. I've tried this on RHEL 8 and Ubuntu 25.04.
Cavalcade of Cats (227 rep)
Jun 13, 2025, 08:34 PM • Last activity: Jul 10, 2025, 09:21 AM
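As an added example (not from the question or its answers): the same rule written as a drop-in that rsyslog will actually read. On both RHEL 8 and Ubuntu the include statement in /etc/rsyslog.conf only pulls in /etc/rsyslog.d/*.conf, so a file called foo.sh is never parsed. The file name below is an assumption; restricting the match to the program tag is a design choice, not something the question asked for.

```conf
# /etc/rsyslog.d/10-foo.conf  (assumed name; the ".conf" suffix is what matters)

# Match on the program tag as well as the text: a bare 'contains "foo"' would
# also capture any unrelated message that happens to mention foo.
# "logger -t foo ..." sets both $programname and $syslogtag to "foo".
if $programname == "foo" and $msg contains "foo" then {
    # rsyslog creates the file with the $FileOwner/$FileGroup/$FileCreateMode
    # globals from rsyslog.conf; no touch or chmod 777 is needed (and a
    # world-writable log file lets any local user forge or truncate evidence).
    action(type="omfile" file="/var/log/foo.log")
    # Do not let the same message fall through to /var/log/messages or
    # /var/log/syslog as well.
    stop
}

# The equivalent one-liner in the legacy selector syntax the question used:
# :msg, contains, "foo"    /var/log/foo.log
```

Check it with `rsyslogd -N1` (parses the whole config and reports the file and line of any error), restart the service, then `logger -t foo -p local0.info foo` and `tail /var/log/foo.log`. If the drop-in still has no effect, the first thing to confirm is that `grep -i include /etc/rsyslog.conf` really shows the `*.conf` glob.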
1 votes
0 answers
48 views
SSH logging to external syslog server
I am using CentOS 10, and I am trying to send the SSH logs to an external syslog server listening on port UDP 514. I changed the default logging facility of sshd to local2 and tested it locally and it works.
root@localhost:~# cat /etc/ssh/sshd_config.d/50-redhat.conf
SyslogFacility LOCAL2
Local2 logs to /var/log/test.log:
local2.* /var/log/test.log
The logs are written correctly:
root@localhost:~# cat /var/log/test.log
Jun 27 00:07:15 localhost sshd-session: Failed password for juanb from 10.211.1.2 port 57465 ssh2
Jun 27 00:07:15 localhost sshd-session: Failed password for juanb from 10.211.1.2 port 57465 ssh2
However, after testing that the change of facilities works, I tried to configure rsyslog so all messages from facility LOCAL2 are sent to the external syslog server:
#Log SSH login messages to external syslog server
local2.* action(type="omfwd"
    queue.type="LinkedList"
    queue.filename="ssh_fwd"
    action.resumeRetryCount="-1"
    queue.saveonshutdown="on"
    Target="10.211.1.2"
    Port="514"
    Protocol="udp"
)
I added this at the end of /etc/rsyslog.conf but it is not working.
Juan Alejandro (11 rep)
Jun 27, 2025, 07:13 AM • Last activity: Jul 9, 2025, 06:47 PM
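The plain-UDP forward in the question is the minimum; as an added example that is not from the post, here is the same local2 forwarding over TCP with TLS and certificate verification, which is what an SSH authentication trail leaving the host should get (UDP syslog is unencrypted, unauthenticated, and silently dropped under load). The certificate paths, the collector name, and port 6514 are assumptions; the collector has to be set up for TLS with a matching certificate, and the gtls driver comes from the rsyslog-gnutls package on RHEL-family systems.

```conf
# /etc/rsyslog.d/60-ssh-forward.conf  (assumed name)

# Network stream driver and the client's own identity. Paths are assumptions.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/client-key.pem"
)

# After "SyslogFacility LOCAL2" sshd is the only writer on local2, so this
# selector carries exactly the SSH login trail and nothing else.
local2.* action(type="omfwd"
    Target="syslog.example.internal"         # assumed collector name; must match its certificate
    Port="6514"
    Protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"                     # 1 = TLS only, never fall back to plaintext
    StreamDriverAuthMode="x509/name"         # verify the chain AND the name below
    StreamDriverPermittedPeers="syslog.example.internal"
    # Disk-assisted queue so a collector outage queues auth events instead of
    # dropping them; queue.filename lives in global(workDirectory=...).
    queue.type="LinkedList"
    queue.filename="ssh_fwd"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
```

Validate with `rsyslogd -N1`, restart, cause a failed login, and watch the wire with `tcpdump -ni any tcp port 6514` on the client while checking the collector; if the client logs a suspended action, the certificate name or CA is the first thing to check. The same selector-plus-action layout applies to the UDP variant in the question, so the forwarding rule itself is not what changes between the two.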
0 votes
1 answers
30 views
rsyslog dynaFile file name from part of received message
I'm using the python logging library to write to a log file. Currently it writes to a static file, and contains:
myapp; 2025-06-25 05:44:38 INFO builtins  Hello world
I'm new to rsyslog. How to set rsyslog templates to:
1. Extract the value of the first word before the first semicolon and use it as 'key'
2. Write to a local log file with the name key.log (i.e. myapp.log)
3. And when writing, only start from the timestamp to the rest.
I tried
template(name="debug_format" type="string" string="rawmsg=%rawmsg%, key=%$.key%, msg=%$.msg%\n")

action(type="omfile" file="/home/bino/Documents/playsyslog/debug.log" template="debug_format")

set $.key = field($rawmsg, 1, ";");
set $.key = replace($$.key, "", "");

set $.msg = field($rawmsg, 2, ";");

action(type="omfile" file="/dev/null")
But debug.log only contains
rawmsg=myapp; 2025-06-25 07:40:39 INFO builtins  hello world 1750837239.561345, key=, msg=
empty key and msg.
----------Edit------
After I made another observation with running rsyslogd in debug mode, I found that the raw msg received by rsyslog is
9319.712852011:main Q:Reg/w0  : ruleset.c: processBATCH: next msg 0: KEYFIELD; 2025-07-01 00:21:59 INFO to_sock handle Hello there 1751329319.712039
So adapting the help by @meuh at https://unix.stackexchange.com/a/797500/480724 both the 'key' and the 'msg' part got
'***FIELD NOT FOUND***'
Bino Oetomo (103 rep)
Jun 25, 2025, 05:51 AM • Last activity: Jul 1, 2025, 06:17 AM
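As an added example, not from the question or the linked answer: a dynaFile driven by a template whose name comes from the text before the first semicolon. It assumes the line arrives in $msg (for instance through imfile), that /var/log/apps is the target directory, and that a key is only valid if it is a plain identifier; that last rule is a security choice rather than part of the question, because the key becomes part of a file name.

```conf
# /etc/rsyslog.d/40-keyed-files.conf  (assumed name)

# Templates must be declared before the action that references them.
template(name="keyed_path" type="string" string="/var/log/apps/%$.key%.log")
template(name="payload_only" type="string" string="%$.msg%\n")

# field(str, delim, n) returns the n-th field; the delimiter comes BEFORE the
# field number, and 59 is ';' in decimal ASCII. For
#   "myapp; 2025-06-25 05:44:38 INFO builtins  Hello world"
# field 1 is "myapp" and field 2 is " 2025-06-25 ..." (ltrim drops the space).
set $.key = field($msg, 59, 1);
set $.msg = ltrim(field($msg, 59, 2));

# The key is interpolated into a path, so refuse anything that could escape
# /var/log/apps (e.g. "../../etc/cron.d/x") or is not a plain identifier.
# This also catches rsyslog's "***FIELD NOT FOUND***" placeholder when a line
# has no semicolon at all.
if not re_match($.key, "^[A-Za-z0-9_-]+$") then {
    set $.key = "unparsed";
}

# dynaFile: the file name is the rendered "keyed_path" template; the content is
# the "payload_only" template. Directory and files are created on demand.
action(type="omfile" dynaFile="keyed_path" template="payload_only"
       dirCreateMode="0750" fileCreateMode="0640")
stop
```

To check the parsing without touching the real files, keep the debug template from the question pointed at %$.key% and %$.msg% and compare it against the rendered path: a line "myapp; 2025-06-25 ..." must produce /var/log/apps/myapp.log, and a line without a semicolon must end up in unparsed.log rather than in a file named after the whole message.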
1 votes
1 answers
3157 views
How do I forward particular logs under a directory using rsyslog?
Trying to forward the following logs from /home/ddlog/ms/logs/execution_logs/_abc-xyz-ms_* to VMware vRealize Log Insight using rsyslog. For some reason that does not seem to be working. I have tried using imfile:
# Now load the external log
$InputFileName /home/ddlog/ms/logs/execution_logs/_abc-xyz-ms_*
$InputFileTag ddlog
$InputFileStateFile ms
$InputFileSeverity debug
$InputFileFacility local7
$InputRunFileMonitor
local7.* @@hostname:514
Commenting out the imfile and updating the rsyslog.conf with
*.* @@remote-host:514
seems to work perfectly fine, but I am more concerned about forwarding specific logs.
Surya (21 rep)
Apr 24, 2019, 08:58 PM • Last activity: Jun 30, 2025, 05:04 PM
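As an added example that is not from the question or its answer: the same file watch in the input() form, which is the one the imfile documentation describes wildcard support for, bound to its own ruleset so that only these lines are forwarded. The collector name is an assumption; the path, tag, facility and severity are the ones from the question. The rsyslog process user must be able to read /home/ddlog/ms/logs/execution_logs/, and queue.filename needs global(workDirectory=...), which the distribution's rsyslog.conf normally sets.

```conf
# /etc/rsyslog.d/20-ddlog-forward.conf  (assumed name)

# Load imfile once, in inotify mode (the Linux default), which is what the
# wildcard in File= relies on. State files are created automatically in the
# work directory, so no $InputFileStateFile is needed.
module(load="imfile" mode="inotify")

# A dedicated ruleset: lines bound to it never enter the default ruleset, so
# they cannot be written to /var/log/messages or mixed with the *.* traffic
# of the rest of the host.
ruleset(name="fwd_ms") {
    action(type="omfwd"
        Target="loginsight.example.internal"   # assumed collector name
        Port="514"
        Protocol="tcp"                         # "@@" in the legacy form
        queue.type="LinkedList"
        queue.filename="fwd_ms_q"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1")
}

input(type="imfile"
      File="/home/ddlog/ms/logs/execution_logs/_abc-xyz-ms_*"
      Tag="ddlog"
      Severity="debug"
      Facility="local7"
      ruleset="fwd_ms")
```

Because the forwarding lives in the ruleset rather than in a local7.* selector, nothing else that happens to log to local7 is shipped, and adding a second application is a second input() bound to the same ruleset. `rsyslogd -N1` validates the file; `rsyslogd -dn` (foreground debug) shows whether imfile is actually matching the wildcard and which lines it reads.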
1 votes
2 answers
1899 views
How can I have "rsyslogd" start automatically after a reboot?
I'm running an Ubuntu based distro:
Linux version 4.1.18-ipipe (ubuntu1604@ubuntu1604) (gcc version 4.9.3 (Ubuntu/Linaro 4.9.3-13ubuntu2)
When this system boots up, rsyslogd is not running. So any C programs that call syslog(...) do not report any information. The simple fix to this is to SSH into the system and issue an rsyslogd on the terminal. Is there a standard way to have this utility start up automatically?
Izzo (1013 rep)
Jan 20, 2022, 09:42 PM • Last activity: Jun 24, 2025, 03:04 AM
1 votes
1 answers
3334 views
rsyslog discard message
I'm trying to discard any "kernel: nfs: Deprecated parameter 'intr'" messages from /var/log/messages.
Rsyslog version: 8.1911.0-6.el8
In my /etc/rsyslog.conf file I have the following:
module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
:msg, contains, "nfs: Deprecated parameter" stop
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
The line that should discard the messages is:
:msg, contains, "nfs: Deprecated parameter"  stop
I still see the messages getting logged. Any ideas? PS, I do have additional conf files in /etc/rsyslog.d/ if that matters.
wabbajack001 (91 rep)
Oct 5, 2021, 03:24 PM • Last activity: Jun 12, 2025, 09:07 AM
2 votes
0 answers
9891 views
Cron stopped logging to /var/log/cron.log
A month ago I set cron to log to /var/log/cron.log by modifying /etc/rsyslog.d/50-default.conf. Logging worked great until I changed permissions on /var/log (by easing permission restrictions), and forced logrotate to rotate the logs by executing logrotate --force /etc/rsyslog.d/50-default.conf. Since then, cron seems to have stopped logging. There is no longer a /var/log/cron.log. I executed sudo touch /var/log/cron.log to create it, but it has remained 0 bytes since.

More details on what I did with the permissions: I ran sudo chmod 775 /var/log, and subsequently changed permissions back with sudo chmod 755 /var/log. All other services appear to be logging correctly, and cron jobs are actually running (verified with ps aux | grep rsync, since I only run rsync via cron). I wasn't sure of the correct user and group access rights for cron.log so I tried changing it to syslog:adm like most of the other log files, but that didn't help, so I switched it back to root:root. Current permissions on cron.log:
-rwxr-xr-x 1 root root 0 Apr 27 16:34 cron.log
Not sure where to go from here. I know I can have cron log to any file I'd like (either by adding >> /path/to/logfile to the end of cron job entries or by editing /etc/rsyslog.d/50-default.conf), but for consistency, I would prefer it continue logging to cron.log. I suppose I could add >> /var/log/cron.log to the end of each cron entry, but that seems a little hacky to me.

EDIT: As per my comment below, I changed the log location to /tmp/cron.log and logging has resumed. At first, I had assumed this implied that either the folder or file permissions are wrong. However, I checked them against another machine running the same distro, and the folder permissions were correct. The file permissions were not restrictive enough; the correct permissions can be set with sudo chmod 640 cron.log. As a test, I deleted the empty cron.log, and it was never recreated.
I modified the rsyslogd config to have it log to crond.log, but the file was never created.
philosophie (875 rep)
Apr 28, 2016, 03:24 PM • Last activity: Jun 9, 2025, 03:06 AM
0 votes
1 answers
73 views
rsyslogd both does and doesn't log in real time
rsyslogd is acting strangely and I don't know why. Sometimes it writes messages to the relevant log files immediately; sometimes it treasures them up in a buffer somewhere and writes them some time later.

At first I assumed this had something to do with "file syncing", i.e. with the $ActionFileEnableSync option in the global rsyslog config file, or with leading hyphens on individual logfile specifiers. But changing those options doesn't seem to have any effect, and I'm starting to doubt that's the issue, anyway.

What I mean by "sometimes it writes immediately" is that it literally cycles into and out of this mode, with a period which is on the order of minutes. For example, just now, with a loop like
while sleep 1; do logger hello world date; done
running to keep the log messages flowing, I observe that for 30 seconds the messages show up in /var/log/messages immediately, then for 134 seconds no messages appear, then all the missing messages show up at once and for 30 more seconds messages appear in real time, followed by another 134-second blackout, etc. Last week, when I first started investigating this, I sometimes observed that the periods of real-time logging lasted for 60 seconds, not 30. I haven't tried to determine whether the timing is in any way based on the volume of data logged, although that's an obvious question.

As I said, at first I assumed that setting $ActionFileEnableSync would help, but (a) it didn't, and (b) [the documentation](https://www.rsyslog.com/doc/configuration/modules/omfile.html) says that this option is dangerous and a performance killer and shouldn't be used unless you really know what you're doing, and (c) I can't imagine that the cycling I'm seeing, between instantaneous versus buffered logging, is normal or expected or desirable anyway, in any mode.

This is happening under Ubuntu 22.04.1, rsyslogd version 8.2112.0. Also, it's an AWS abstract machine instance, which I suppose might have something to do with this.
And, anyway, my question is, how can I make this stop? I need real-time or near real-time logging; I can't wait for a couple of minutes to see whether a log message appeared or not.
Steve Summit (918 rep)
May 29, 2025, 11:38 PM • Last activity: May 31, 2025, 11:57 AM
1 votes
0 answers
55 views
Should systemctl restart be equivalent to stop + start?
Today, while trying to debug some rsyslog issues, I changed the rsyslog configuration files and then ran
systemctl restart rsyslog
A systemctl status showed that rsyslog was running, but its log files were not being written. I then invoked
systemctl stop rsyslog
systemctl start rsyslog
At this point rsyslog's log files began growing. I thought this might have been a fluke, but I repeated the process with the same results. I assume that restart should have been the same as stop + start. Does this sound like a bug in systemd, or in the rsyslog service?
Steve Summit (918 rep)
May 30, 2025, 04:06 PM
1 votes
1 answers
16139 views
/var/log/secure and other log files are empty even after restarting rsyslog.service
I am running a Centos7 server with rsyslog for logging. The service is on (sudo systemctl is-enabled rsyslog outputs "enabled"). I have also configured the service to start at boot-time. However, the /var/log/secure file is still empty despite deliberate attempts to fail SSH login. The other log files (mailer, spool, cron except messages) are all also empty. Where am I going wrong in this? Any help is welcome.
**Update:** Output of ls -ld /var/log:
drwxr-xr-x. 11 root root 4096 Mar 4 11:06 /var/log
and output of ls -l /var/log:
drwxr-xr-x. 2 root root 6 Oct 7 17:53 anaconda
drwxr-x---. 2 root root 94 Mar 4 13:39 audit
-rw-r--r--. 1 root root 549 Nov 30 16:33 boot.log
-rw-------. 1 root utmp 0 Mar 1 03:13 btmp
-rw-------. 1 root utmp 1920 Feb 11 15:25 btmp-20160301
drwxr-xr-x. 2 chrony chrony 6 Nov 24 03:05 chrony
-rw-r--r--. 1 root root 14056 Nov 30 16:33 cloud-init.log
-rw-r--r--. 1 root root 34623 Mar 4 10:19 cloud-init-output.log
-rw-r--r--. 1 root root 0 Feb 28 03:40 cron
-rw-r--r--. 1 root root 0 Feb 1 03:09 cron-20160207
-rw-r--r--. 1 root root 0 Feb 7 03:09 cron-20160214
-rw-r--r--. 1 root root 8948 Feb 18 21:01 cron-20160223
-rw-r--r--. 1 root root 0 Feb 23 12:41 cron-20160228
-rw-r--r--. 1 root root 35746 Mar 4 10:19 dmesg
-rw-r--r--. 1 root root 35859 Mar 3 11:48 dmesg.old
-rw-------. 1 root root 1948 Dec 29 12:08 grubby
drwx------. 2 root root 4096 Mar 1 20:14 httpd
-rw-r--r--. 1 root root 292876 Mar 4 15:59 lastlog
-rw-------. 1 root root 0 Feb 28 03:40 maillog
-rw-------. 1 root root 0 Feb 1 03:09 maillog-20160207
-rw-------. 1 root root 0 Feb 7 03:09 maillog-20160214
-rw-------. 1 root root 3583 Feb 18 19:07 maillog-20160223
-rw-------. 1 root root 0 Feb 23 12:41 maillog-20160228
-rw-------. 1 root root 120630 Mar 4 10:49 messages
-rw-------. 1 root root 0 Feb 1 03:09 messages-20160207
-rw-------. 1 root root 0 Feb 7 03:09 messages-20160214
-rw-------. 1 root root 42189 Feb 18 21:03 messages-20160223
-rw-------. 1 root root 0 Feb 23 12:41 messages-20160228
drwxr-xr-x. 2 ntp ntp 6 Jan 25 19:57 ntpstats
drwx------. 2 root root 6 Jun 10 2014 ppp
drwxrwxrwx. 3 root root 25 Nov 30 16:55 rsyslog_custom
-rw-------. 1 root root 0 Feb 28 03:40 secure
-rw-------. 1 root root 0 Feb 1 03:09 secure-20160207
-rw-------. 1 root root 0 Feb 7 03:09 secure-20160214
-rw-------. 1 root root 17991 Feb 18 20:20 secure-20160223
-rw-------. 1 root root 0 Feb 23 12:41 secure-20160228
-rw-------. 1 root root 0 Feb 28 03:40 spooler
-rw-------. 1 root root 0 Feb 1 03:09 spooler-20160207
-rw-------. 1 root root 0 Feb 7 03:09 spooler-20160214
-rw-------. 1 root root 0 Feb 14 03:34 spooler-20160223
-rw-------. 1 root root 0 Feb 23 12:41 spooler-20160228
-rw-------. 1 root root 0 Oct 7 17:43 tallylog
drwxr-xr-x. 2 root root 22 Dec 9 18:55 tuned
-rw-rw-r--. 1 root utmp 241152 Mar 4 15:59 wtmp
-rw-------. 1 root root 1926 Mar 4 13:20 yum.log
-rw-------. 1 root root 13145 Dec 29 16:02 yum.log-20160101
Sriram (413 rep)
Mar 4, 2016, 05:37 AM • Last activity: May 24, 2025, 01:06 PM
1 votes
1 answers
69 views
Extracting "devname" from log message with re_extract
Can anyone help? I've exhausted my knowledge and troubleshooting skills trying to get this working. Here is the example data from "msg":
date=2025-03-26 time=12:45:57 devname="this-is-the-host" devid="CD188764823423" eventtime=1742993157871312130 tz="+0000" logid="0001000014" type="traffic" subtype="local" level="notice"
... and here is the code I was hoping would capture the value "this-is-the-host" into the variable I named dname:
set $.dname = tolower(re_extract($msg, 'devname=\"(.*)\" devid=', 0, 1, "failed"));
Is there an easier way, maybe using the split function? I'd appreciate your thoughts.
user2008555 (11 rep)
Mar 26, 2025, 01:04 PM • Last activity: May 8, 2025, 08:10 PM
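As an added example, not from the question or its answer: the same extraction written so that the regular expression needs no backslash escapes at all (a single-quoted RainerScript string can contain double quotes as they are) and stops at the closing quote of the value instead of using a greedy .* that runs on as far as it can. The output file name is an assumption; the sample line is the one from the question. It goes a little beyond the question by pulling two more key=value fields the same way, since that is how the rest of such a line gets parsed.

```conf
# /etc/rsyslog.d/45-devname.conf  (assumed name)

# re_extract(string, regex, match-number, submatch-number, value-if-no-match)
# Regex type is ERE. [^"]+ matches everything up to the next double quote, so
# devname="this-is-the-host" devid="CD188764823423" ... yields "this-is-the-host"
# in submatch 1, and the literal "unknown" is returned if the key is absent.
set $.dname = tolower(re_extract($msg, 'devname="([^"]+)"', 0, 1, "unknown"));
set $.devid = re_extract($msg, 'devid="([^"]+)"', 0, 1, "unknown");
set $.type  = re_extract($msg, 'type="([^"]+)"', 0, 1, "unknown");

# Local variables are referenced in string templates exactly like properties.
template(name="fw_line" type="string"
         string="%timegenerated% %$.dname% %$.devid% %$.type% %msg%\n")

action(type="omfile" file="/var/log/fw/traffic.log" template="fw_line")
```

The split() route would mean splitting on spaces and then on "=" for every field and would break on values containing spaces, whereas one anchored regex per key is both cheaper and safer. If the line still comes back as "unknown", check that the text really is in $msg and not in $rawmsg (for example when the line arrives without a syslog header) by logging %rawmsg% through a debug template first.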
2 votes
1 answers
2818 views
how to have syslog not log particular warnings?
# Short Version:
I want to stop the following message from appearing in my syslog. They pertain to a USB port on my keyboard that can be ignored:
Feb 9 23:33:45 sunfire kernel: [ 8163.156041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
I have edited /etc/rsyslog.d/50-default.conf and added a filter:
:msg, contains, "3-6.2.4: reset full"
and when I restarted the service:
/etc/init.d/rsyslog restart
it resulted in:
Feb 10 00:23:57 sunfire rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="754" x-info="http://www.rsyslog.com"] exiting on signal 15.
Feb 10 00:23:57 sunfire rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="3982" x-info="http://www.rsyslog.com"] start
Feb 10 00:23:57 sunfire rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]
Feb 10 00:23:57 sunfire rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 62: syntax error on token '' [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Feb 10 00:23:57 sunfire rsyslogd-2207: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Feb 10 00:23:57 sunfire rsyslogd: rsyslogd's groupid changed to 109
Feb 10 00:23:57 sunfire rsyslogd: rsyslogd's userid changed to 105
Feb 10 00:23:57 sunfire systemd[1]: Stopping System Logging Service...
Feb 10 00:23:57 sunfire systemd[1]: Stopped System Logging Service.
Feb 10 00:23:57 sunfire systemd[1]: Starting System Logging Service...
Feb 10 00:23:57 sunfire systemd[1]: Started System Logging Service.
Feb 10 00:23:57 sunfire rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ]
Feb 10 00:23:57 sunfire rsyslogd-2007: action 'action 10' suspended, next retry is Wed Feb 10 00:24:27 2016 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
Feb 10 00:25:49 sunfire kernel: [11287.416037] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
and obviously didn't stop the logging I want to stop. Before I started messing with this too much, I thought I would try and get some help. Thanks.
# Long Version:
I have a keyboard that, when plugged into any of my boxes (mostly running various iterations of Ubuntu all over 14.04 LTS, Raspbian, OSX and FreeBSD), reports errors in the syslog. The error in particular is:
Feb 9 23:33:45 sunfire kernel: [ 8163.156041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:33:49 sunfire kernel: [ 8166.828038] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:33:55 sunfire kernel: [ 8172.804042] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:34:00 sunfire kernel: [ 8178.172050] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:34:23 sunfire kernel: [ 8201.524041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:35:19 sunfire kernel: [ 8257.340041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:35:32 sunfire kernel: [ 8270.244043] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
Feb 9 23:35:50 sunfire kernel: [ 8287.876038] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci
(I've only included so many to show how frequent and consistent they are). I've been searching for a way to have the system "disregard" this type of report, basically because I am not concerned with it. The reason being, this is a keyboard that has two USB ports on it and I have never connected anything to it (especially on this box. I have connected a mouse when used with my main box).

Most of the answers I have found pertain to filtering the output generally in searches, or particular applications or developer scenarios. I have found this question/answer (Disable logging to syslog), but the configuration on my (Ubuntu) system points to further config files located in /etc/rsyslog.d/ and neither of the files there have anything that remotely suggests (to me) how to disregard something. That did lead me down further search routes to (Preventing output to /var/log/syslog) and on to http://www.rsyslog.com/ (particularly Filters) but as soon as I started playing with that I got an error about an invalid config and obviously didn't cull my unwanted message (above "short" section). Considering it appears that rsyslog was stopped (pid: 754), I have attacked the right system, but I have done so wrongly. Any help would be appreciated.

**A final addition:** When reverting back to the default setting and restarting, 3 of the 5 config errors persisted, which would lead me to believe they are unrelated. i.e., these persisted:
Feb 10 00:48:12 sunfire rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]
Feb 10 00:48:12 sunfire rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ]
Feb 10 00:48:12 sunfire rsyslogd-2007: action 'action 10' suspended, next retry is Wed Feb 10 00:48:42 2016 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
and these (expectedly) were no longer present:
Feb 10 00:23:57 sunfire rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 62: syntax error on token '' [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Feb 10 00:23:57 sunfire rsyslogd-2207: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [v8.16.0 try http://www.rsyslog.com/e/2207 ]
Madivad (391 rep)
Feb 9, 2016, 01:54 PM • Last activity: May 2, 2025, 01:05 AM
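One discard drop-in that serves both this question and the "rsyslog discard message" question further up, as an added example that is not from either post or their answers. Two things decide whether a discard works: a property filter line must be followed by an action (stop; the old spelling was ~), and every rule that matches a message writes it, so stop only protects the rules that come after it. The drop-in therefore has to sort before 50-default.conf on Ubuntu, and before the file rules and the include() of /etc/rsyslog.d in rsyslog.conf on RHEL 8, where a drop-in included ahead of the discard line may already have written the message. The file name and the "kern" facility check are assumptions; the message texts are from the two questions.

```conf
# /etc/rsyslog.d/05-discard-noise.conf  (assumed name; the low number makes it
# sort, and therefore run, before 50-default.conf and the other drop-ins)

# The USB reset the keyboard hub emits every few seconds. Match the device
# path and the text, so resets of any other device are still logged: a
# discarded kernel message is a blind spot, and a device reset is exactly the
# kind of event a BadUSB-style gadget would produce.
if $syslogfacility-text == "kern" and
   $msg contains "usb 3-6.2.4: reset full-speed USB device" then stop

# The NFS mount-option deprecation notice from the other question. Keep the
# match narrow: dropping everything containing "nfs:" would also hide
# "nfs: server ... not responding".
if $syslogfacility-text == "kern" and
   $msg contains "nfs: Deprecated parameter 'intr'" then stop

# Equivalent legacy line for the USB case, complete with the action the
# question's filter was missing:
# :msg, contains, "usb 3-6.2.4: reset full-speed USB device"   stop
```

Run `rsyslogd -N1` before restarting: it parses every included file and reports the file and line of a syntax error, which is how the "on or before line 62" message above would have been caught without taking the logger down. After the restart, the timestamped kernel line should no longer appear in /var/log/syslog (or /var/log/messages), while other kernel messages still do.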
0 votes
0 answers
6430 views
systemd-journald and rsyslogd: high cpu usage
This is a fresh Debian 10 installation that's two-three weeks old. For the last couple of days, my system has been acting up: it would just slow down and I would not be able to use sudo in the terminal as it won't prompt for authentication. When I check CPU usage using htop, it shows that systemd-journald is using quite a lot of CPU, more than 100%. One time there were two or three processes/threads of rsyslogd using around 50% CPU each. I haven't seen rsyslogd using that much CPU after that.

Since I could not use sudo, I wasn't able to check the logs, but today I found out that I could just su and become root while sudo wasn't working, and I checked the logs. The following is an excerpt from journalctl:
Aug 25 22:27:34 asgard systemd-journald: Missed 51 kernel messages
Aug 25 22:27:34 asgard kernel: wlp0s20f3: Failed check-sdata-in-driver check, flags: 0x4
Aug 25 22:27:34 asgard kernel: WARNING: CPU: 0 PID: 2221 at net/mac80211/driver-ops.h:19 drv_sta_state+0x265/0x3e0 [mac80211]
Aug 25 22:27:34 asgard systemd-journald: Missed 56 kernel messages
Aug 25 22:27:34 asgard kernel: drbg ansi_cprng cfg80211 dell_rbtn processor_thermal_device iTCO_vendor_support irqbypass intel_soc_dts_iosf ecdh_generic sg joydev dell_laptop hid_multitouch idma64 crct10dif_pclmul crc32_pclmul int3403_thermal rfkill int3400_thermal int340x_thermal_zone wmi_bmof dell_smo8800 dell_wmi intel_hid pcc_cpufreq dell_smbios dell_smm_hwmon dcdbas intel_pch_thermal ucsi_acpi typec_ucsi dell_wmi_descriptor typec acpi_thermal_rel evdev sparse_keymap pcspkr serio_raw ghash_clmulni_intel acpi_tad acpi_pad ac intel_cstate intel_uncore xt_conntrack nft_compat intel_rapl_perf efi_pstore efivars battery nft_counter nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink efivarfs ip_tables x_tables autofs4 ext4
And the following part from journalctl is all over the log:
Aug 25 22:27:34 asgard systemd-journald: Missed 55 kernel messages
Aug 25 22:27:34 asgard kernel: crc16 mbcache jbd2 fscrypto ecb btrfs xor zstd_decompress zstd_compress xxhash raid6_pq libcrc32c crc32c_generic sd_mod hid_generic crc32c_intel i2c_designware_platform i2c_designware_core i915 psmouse aesni_intel xhci_pci aes_x86_64 crypto_simd xhci_hcd cryptd glue_helper i2c_i801 ahci libahci libata i2c_algo_bit usbcore r8169 drm_kms_helper realtek sdhci_pci libphy cqhci scsi_mod sdhci drm mmc_core intel_lpss_pci intel_lpss mfd_core usb_common i2c_hid hid wmi video button
From dmesg:
[ 2420.057787] wlp0s20f3: Failed check-sdata-in-driver check, flags: 0x4
[ 2420.057800] Modules linked in: uinput cmac rfcomm bnep ctr ccm fuse binfmt_misc nf_log_ipv6 ip6t_REJECT nf_reject_ipv6 nls_ascii snd_soc_skl nls_cp437 vfat fat xt_hl ip6_tables ip6t_rt snd_hda_codec_hdmi snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi nf_log_ipv4 snd_hda_codec_realtek nf_log_common snd_soc_core snd_hda_codec_generic ipt_REJECT nf_reject_ipv4 snd_compress xt_LOG snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm uvcvideo intel_rapl snd_timer snd x86_pkg_temp_thermal intel_powerclamp nft_limit coretemp videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common kvm_intel videodev iTCO_wdt soundcore xt_limit arc4 media iwlmvm mac80211 btusb btrtl btbcm btintel bluetooth xt_addrtype kvm iwlwifi xt_tcpudp mei_me mei
[ 2420.057845] RSP: 0018:ffffbfd40269f9b0 EFLAGS: 00010282
[ 2420.057850] FS: 0000000000000000(0000) GS:ffff9f0f26200000(0000) knlGS:0000000000000000
[ 2420.057879] __sta_info_flush+0x15e/0x1c0 [mac80211]
[ 2420.057892] ieee80211_set_disassoc+0xbe/0x550 [mac80211]
[ 2420.057903] ieee80211_mgd_deauth.cold.57+0x47/0x1b5 [mac80211]
[ 2420.057914] cfg80211_mlme_deauth+0xb3/0x1d0 [cfg80211]
[ 2420.057926] cfg80211_mlme_down+0x66/0x90 [cfg80211]
[ 2420.057937] cfg80211_disconnect+0x128/0x1e0 [cfg80211]
[ 2420.057946] cfg80211_leave+0x26/0x40 [cfg80211]
[ 2420.057954] cfg80211_netdev_notifier_call+0xcd/0x600 [cfg80211]
[ 2420.057956] ? syscall_return_via_sysret+0x14/0x83
[ 2420.057957] ? ret_from_fork+0x1a/0x40
[ 2420.057970] ? ieee80211_reconfig+0xd5/0x1420 [mac80211]
[ 2420.057984] ? report_bug+0xb0/0xd0
[ 2420.057985] ? inetdev_event+0x46/0x580
[ 2420.057988] notifier_call_chain+0x47/0x70
[ 2420.057992] dev_close_many+0x9f/0x160
[ 2420.058002] cfg80211_shutdown_all_interfaces+0x6d/0xc0 [cfg80211]
[ 2420.058015] ? rcu_exp_wait_wake+0x250/0x250
[ 2420.058016] ? try_to_del_timer_sync+0x4d/0x80
[ 2420.058028] process_one_work+0x1a7/0x3a0
[ 2420.058030] worker_thread+0x30/0x390
[ 2420.058031] ? create_worker+0x1a0/0x1a0
[ 2420.058035] ? kthread_bind+0x30/0x30
[ 2420.058043] ------------[ cut here ]------------
[ 2420.058056] Modules linked in: uinput cmac rfcomm bnep ctr ccm fuse binfmt_misc nf_log_ipv6 ip6t_REJECT nf_reject_ipv6 nls_ascii snd_soc_skl nls_cp437 vfat fat xt_hl ip6_tables ip6t_rt snd_hda_codec_hdmi snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi nf_log_ipv4 snd_hda_codec_realtek nf_log_common snd_soc_core snd_hda_codec_generic ipt_REJECT nf_reject_ipv4 snd_compress xt_LOG snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm uvcvideo intel_rapl snd_timer snd x86_pkg_temp_thermal intel_powerclamp nft_limit coretemp videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common kvm_intel videodev iTCO_wdt soundcore xt_limit arc4 media iwlmvm mac80211 btusb btrtl btbcm btintel bluetooth xt_addrtype kvm iwlwifi xt_tcpudp mei_me mei
[ 2420.058101] RSP: 0018:ffffbfd40269f9b0 EFLAGS: 00010282
[ 2420.058107] FS: 0000000000000000(0000) GS:ffff9f0f26200000(0000) knlGS:0000000000000000
[ 2420.058136] __sta_info_flush+0x15e/0x1c0 [mac80211]
[ 2420.058147] ieee80211_set_disassoc+0xbe/0x550 [mac80211]
[ 2420.058159] ieee80211_mgd_deauth.cold.57+0x47/0x1b5 [mac80211]
[ 2420.058170] cfg80211_mlme_deauth+0xb3/0x1d0 [cfg80211]
[ 2420.058181] cfg80211_mlme_down+0x66/0x90
[cfg80211] [ 2420.058193] cfg80211_disconnect+0x128/0x1e0 [cfg80211] [ 2420.058202] cfg80211_leave+0x26/0x40 [cfg80211] [ 2420.058210] cfg80211_netdev_notifier_call+0xcd/0x600 [cfg80211] [ 2420.058212] ? syscall_return_via_sysret+0x14/0x83 [ 2420.058213] ? ret_from_fork+0x1a/0x40 [ 2420.058238] ? ieee80211_reconfig+0xd5/0x1420 [mac80211] [ 2420.058240] ? report_bug+0xb0/0xd0 [ 2420.058241] ? inetdev_event+0x46/0x580 [ 2420.058245] notifier_call_chain+0x47/0x70 [ 2420.058248] dev_close_many+0x9f/0x160 [ 2420.058269] ieee80211_reconfig+0xa3/0x1420 [mac80211] [ 2420.058271] ? rcu_exp_wait_wake+0x250/0x250 [ 2420.058272] ? try_to_del_timer_sync+0x4d/0x80 [ 2420.058285] worker_thread+0x30/0x390 [ 2420.058288] kthread+0x112/0x130 [ 2420.058291] ret_from_fork+0x1f/0x40 [ 2420.058298] ------------[ cut here ]------------ Similar to journalctl messages, the above logs from dmesg were also repeated endlessly in the dmesg. (I think these dmesg logs were displayed as I tried to shutdown the system when the system hangs, but I couldn't make sure as the messages were rapidly moving.) I thing the slow down is caused by excessive logging as /var/log/kern.log, /var/log/messages and /var/log/syslog are about 23GB each. I am not sure what causes this much errors/logs, but I suspect it's the wi-fi of the laptop. The WiFi chip is an Intel® Wireless-AC 9560 and I have been having some connection issues with wifi. (The wifi would disconnect all of a sudden and the network manager would show device is not ready. When I reboot, the wifi option is gone from Network manager. This has occurred twice and toggling the Secure Boot in UEFI to OFF/ON would fix it.) I didn't notice any trouble with wifi when the system became slow. 
- Here's another related question from Askubuntu: https://askubuntu.com/questions/1251908/syslog-and-kern-log-keeps-filling-up-and-network-stops-working - A bug report from Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1851185 - An Ubuntu Bug report: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1882419/comments/12 - Bug report from Linux Kernal: https://bugzilla.kernel.org/show_bug.cgi?id=98321 What exactly is happening here and how do I fix this?
RogUE (207 rep)
Aug 25, 2020, 05:54 PM • Last activity: Apr 25, 2025, 09:02 AM
4 votes
3 answers
12114 views
SELinux - allowing rsyslog open/read access to some files
So I've got three files I need rsyslog to open in order to forward the entries to another server. SELinux is preventing this with the following error: type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=un...
So I've got three files I need rsyslog to open in order to forward the entries to another server. SELinux is preventing this with the following error:

```
type=AVC msg=audit(1371186588.768:1324460): avc: denied { open } for pid=3714 comm="rsyslogd" name="named.debug.log" dev=dm-0 ino=1180551 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:named_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1371186588.768:1324460): arch=c000003e syscall=2 success=no exit=-13 a0=7fb254001b30 a1=80100 a2=180 a3=2e67756265642e64 items=0 ppid=1 pid=3714 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7926 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
```

Running this through audit2allow, I get the following:

```
module rsysloglocal 1.0;

require {
	type named_cache_t;
	type syslogd_t;
	class file { read write };
}

#============= syslogd_t ==============
allow syslogd_t named_cache_t:file { read write };
```

Unfortunately, this doesn't work. I'm still getting the message above from SELinux. The files I need to watch with rsyslog are in /var/named/data/log/, which is why SELinux is referencing the named_cache_t thing (I think). Any thoughts?

Edit: semodule -l output:

```
abrt 1.2.0 accountsd 1.0.0 ada 1.4.0 afs 1.5.3 aiccu 1.0.0 aide 1.5.0 aisexec 1.0.0 amanda 1.12.0 amavis 1.10.3 amtu 1.2.0 apache 2.1.2 apcupsd 1.6.1 arpwatch 1.8.1 asterisk 1.7.1 audioentropy 1.6.0 automount 1.12.1 avahi 1.11.2 awstats 1.2.0 bind 1.10.2 bitlbee 1.2.1 bluetooth 3.2.2 boinc 1.0.0 bugzilla 1.0 cachefilesd 1.0.17 calamaris 1.5.1 canna 1.10.0 ccs 1.4.1 cdrecord 2.2.1 certmaster 1.0.2 certmonger 1.0.0 certwatch 1.5.0 cfengine 1.0.0 cgroup 1.0.0 chrome 1.0.0 chronyd 1.0.1 cipe 1.5.0 clamav 1.7.1 clogd 1.0.0 cloudform 1.0 cmirrord 1.0.0 cobbler 1.1.0 comsat 1.7.0 condor 1.0.0 consolekit 1.5.1 corosync 1.0.0 courier 1.8.1 cpufreqselector 1.1.0 ctdbd 1.0.0 cups 1.13.0 cvs 1.8.0 cyphesis 1.2.0 cyrus 1.9.1 daemontools 1.2.0 dbskk 1.5.0 dcc 1.8.2 denyhosts 1.0.0 devicekit 1.0.0 dhcp 1.8.1 dictd 1.7.0 dirsrv-admin 1.0.0 dirsrv 1.0.0 dnsmasq 1.8.1 dovecot 1.11.1 drbd 1.0.0 ethereal 2.0.0 execmem 1.0.0 exim 1.4.2 fail2ban 1.3.2 fcoemon 1.0.0 fetchmail 1.9.2 finger 1.9.0 firewallgui 1.0.0 fprintd 1.0.1 ftp 1.11.0 games 2.1.0 git 1.0.3 gitosis 1.0.1 glance 1.0.0 gnome 2.0.0 gnomeclock 1.0.0 gpg 2.2.1 gpm 1.7.1 gpsd 1.0.2 guest 1.0.1 hal 1.12.1 hddtemp 1.0.0 howl 1.8.1 icecast 1.0.0 inn 1.9.0 ipsec 1.10.2 irc 2.1.0 iscsi 1.6.2 jabber 1.8.0 java 2.2.1 kdump 1.0.1 kdumpgui 1.0.0 kerberos 1.10.2 kerneloops 1.3.1 keystone 1.0.0 kismet 1.4.2 ksmtuned 1.0.0 ktalk 1.7.1 ldap 1.10.0 likewise 1.0.0 lircd 1.0.1 livecd 1.0.0 lldpad 1.0.0 lockdev 1.3.0 logadm 1.0.0 lpd 1.12.0 mailman 1.7.2 matahari 1.0.0 mediawiki 1.0.0 memcached 1.1.2 milter 1.1.1 modemmanager 1.0.1 mono 1.6.1 mozilla 2.1.1 mpd 1.0.0 mplayer 2.1.0 mrtg 1.8.0 munin 1.7.0 mysql 1.11.3 nagios 1.8.0 namespace 1.0.0 ncftool 1.0.0 netlabel 1.3.0 nis 1.10.0 nova 1.0.0 nslcd 1.0.1 nsplugin 1.0.0 ntop 1.8.1 ntp 1.9.1 nut 1.0.1 nx 1.4.0 oddjob 1.7.0 openct 1.4.0 openoffice 1.0.0 openvpn 1.9.1 pads 1.0.0 passenger 1.0.0 pcscd 1.5.2 pegasus 1.8.0 permissivedomains 1.0.0 pingd 1.0.0 piranha 1.0.0 plymouthd 1.0.0 podsleuth 1.2.1 policykit 1.1.0 portmap 1.9.0 portreserve 1.1.1 postfix 1.11.0 postgresql 1.12.1 postgrey 1.7.0 ppp 1.11.2 prelude 1.1.2 privoxy 1.9.1 procmail 1.11.0 psad 1.0.0 ptchown 1.0.1 publicfile 1.1.0 pulseaudio 1.1.2 puppet 1.0.0 pyzor 2.1.0 qemu 1.3.2 qmail 1.5.0 qpidd 1.0.0 quantum 1.0.0 radius 1.11.0 radvd 1.11.2 razor 2.1.0 rdisc 1.7.1 remotelogin 1.7.0 rgmanager 1.0.0 rhcs 1.1.0 rhev 1.0 rhgb 1.9.0 rhsmcertd 1.0.0 ricci 1.6.0 rlogin 1.9.0 roundup 1.7.0 rpcbind 1.4.1 rshd 1.7.0 rssh 2.0.0 rsync 1.9.1 rsysloglocal 1.0 rtkit 1.0.1 rwho 1.6.0 samba 1.12.0 sambagui 1.0.0 sandbox 1.0.0 sanlock 1.0.0 sasl 1.12.1 sblim 1.0.0 screen 2.2.2 sectoolm 1.0.0 seunshare 1.1.0 sge 1.0.0 shutdown 1.0.0 slocate 1.9.0 smartmon 1.9.1 smokeping 1.0.0 smoltclient 1.0.0 snmp 1.10.2 snort 1.8.1 sosreport 1.0.0 soundserver 1.8.0 spamassassin 2.2.0 squid 1.9.0 sssd 1.0.2 staff 2.0.1 stunnel 1.9.0 sysadm_secadm 1.0.0 sysstat 1.5.1 tcpd 1.4.0 telepathy 1.0.0 telnet 1.9.1 tftp 1.12.0 tgtd 1.0.1 tmpreaper 1.4.0 tor 1.6.1 tuned 1.0.1 tvtime 2.0.0 ulogd 1.1.0 uml 2.1.0 unconfined 3.1.1 unconfineduser 1.0.0 unlabelednet 1.0 unprivuser 2.0.1 usbmodules 1.2.0 usbmuxd 1.0.0 userhelper 1.5.0 usernetctl 1.5.0 uucp 1.10.2 uuidd 1.0.0 varnishd 1.1.0 vdagent 1.0.0 vhostmd 1.0.0 virt 1.4.0 vmware 2.2.0 vpn 1.12.0 w3c 1.0.0 wdmd 1.0.0 webadm 1.1.0 webalizer 1.10.0 wine 1.6.1 xen 1.9.2 xfs 1.6.0 xguest 1.0.1 zabbix 1.2.0 zarafa 1.0.0 zebra 1.10.1 zosremote 1.1.0
```

Edit 2: I've also tried this using only read permissions (allow syslogd_t named_cache_t:file read;) rather than read/write. No dice.
MikeH (39 rep)
Jun 14, 2013, 05:14 AM • Last activity: Apr 25, 2025, 02:02 AM
2 votes
1 answers
1994 views
How should I manage the logs from my own systemd services?
I have deployed a couple of daemons on ubuntu boxes and wrapped them as systemd services. Their standard output is redirected to the journal by default which is what I was hoping for. Now, it turns out that the default configuration on ubuntu (I guess same on debian) is to make journald forward all...
I have deployed a couple of daemons on Ubuntu boxes and wrapped them as systemd services. Their standard output is redirected to the journal by default, which is what I was hoping for. Now, it turns out that the default configuration on Ubuntu (I guess the same on Debian) is to make journald forward all events to /run/systemd/journal/syslog (see /etc/systemd/journald.conf: #ForwardToSyslog=yes) and have rsyslog pull data from there with the imuxsock module (see /etc/rsyslog.conf). By default, I also see that because in /etc/rsyslog.d/50-default.conf, we have this line:

> *.*;auth,authpriv.none -/var/log/syslog

i.e., all non-auth data ends up in /var/log/syslog.

Because I wanted to track the output of my services in journald, I made the journald log file persistent by creating /var/log/journal (in /etc/systemd/journald.conf, Storage's default value is auto). The result is that now all my log data is duplicated: it is stored once in journald and once in rsyslog's /var/log/syslog.

So, for various reasons, I really want to keep my own service's data in journald but I really do not want to duplicate that data (there are a lot of logs!). I can see a couple of options:

1. Disable rsyslog entirely. I am worried I might miss a lot of data from other services if I do this: who knows what other code in my infrastructure reads /var/log/*.
2. Try to disable only daemon.info because this is what appears to be the default log facility/level picked for my services. I am worried the following might make me ignore other useful messages that just happen to have the same facility/level :/

   > *.*;auth,authpriv.none;daemon.!=info -/var/log/syslog

3. Change the rsyslog/journald integration to use the imjournal input module, ignore imuxsock (just like on Fedora), and write rsyslog rules more specific to each of my services.

Now, the question is: what would be the recommended way to proceed?
mathieu (213 rep)
Jan 17, 2017, 10:32 AM • Last activity: Apr 23, 2025, 11:03 AM
0 votes
1 answers
3497 views
Rsyslog regular expression
I have a lot of incoming `syslog` messages on my `rsyslog` server. It's a `stormshield` that sends different categories of messages (connection, web, alarm, ...) I can't configure a different facility for each category so I need to use regular expression to split incoming messages in differents file...
I have a lot of incoming syslog messages on my rsyslog server. It's a Stormshield that sends different categories of messages (connection, web, alarm, ...). I can't configure a different facility for each category, so I need to use a regular expression to split incoming messages into different files. All messages are different and have more or fewer fields in the message, but there is one field, logtype, to identify the category:

```
Syslog message Msg = bullshitcontentbullshitcontent logtype:"connection" bullshitcontentbullshitcontent
```

So the question is: how can I collect the string of the logtype field with a POSIX regular expression that is understandable by rsyslog and, if you know how, split into different files depending on the value of the logtype?
Poulpy (37 rep)
Feb 15, 2017, 01:40 PM • Last activity: Apr 20, 2025, 02:09 PM
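The following is an added example of how the split described in the question above can be expressed in rsyslog's RainerScript; it is not part of the question and not a Stormshield-supplied configuration. It assumes the messages arrive over UDP on port 514, that the directory /var/log/stormshield exists and is writable by rsyslog, and that the category value is a single word of letters, digits, `_` or `-`. The `re_extract()` function uses POSIX ERE, so the capture group below is the POSIX expression the question asks for.

```conf
# Added example (not from the question): route Stormshield messages to one
# file per logtype by extracting the category with a POSIX ERE capture group.
module(load="imudp")
input(type="imudp" port="514" ruleset="stormshield")

# The extracted category becomes part of the output file name.
template(name="stormshieldFile" type="string"
         string="/var/log/stormshield/%$!logtype%.log")

ruleset(name="stormshield") {
    # re_extract(expr, regex, match-index, submatch-index, no-match-value)
    # Submatch 1 is the quoted value after logtype:; messages without the
    # field are collected in unknown.log so nothing is silently dropped.
    set $!logtype = re_extract($msg, 'logtype:"([A-Za-z0-9_-]+)"', 0, 1, "unknown");
    action(type="omfile" dynaFile="stormshieldFile")
    stop
}
```

Binding the input to its own ruleset keeps the Stormshield traffic out of the default rules, so it is not also written to /var/log/messages or /var/log/syslog. If only a fixed set of categories is wanted, the same regex can be used in a legacy property filter such as `:msg, ereregex, "logtype:\"connection\"" /var/log/stormshield/connection.log`, one line per category, at the cost of losing messages whose logtype is not listed.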
0 votes
2 answers
3863 views
rsyslog doesnt seem to write to log file, without restart after touch'ing the file
I have a separate file for logging `local7` facility, and this file is `touch`ed and _permissions_ set, from my installer. But sometimes I see that the logs are not being written to it (after I do a re-install) until I do `rsyslog restart`! Is it mandatory to _restart_ `rsyslog` if the log file is `...
I have a separate file for logging the local7 facility, and this file is touched and its _permissions_ set by my installer. But sometimes I see that the logs are not being written to it (after I do a re-install) until I do an rsyslog restart! Is it mandatory to _restart_ rsyslog if the log file is touched by another program/application? (Since the installer is run as root, the log file's timestamp will be changed by touch; will this cause rsyslog to not write to the log file?)
Ani (388 rep)
Oct 8, 2014, 11:11 AM • Last activity: Apr 7, 2025, 07:15 PM