In most GNU/Linux distributions the default is to log start (and many different events) of every cron job to syslog. It's rather convenient, but not for a very frequent jobs, which started, say, every 1 minute. I know how to redirect all cron jobs events to a different log via /etc/rsyslog.conf (*.*;cron,auth,authpriv.none -/var/log/syslog) and it's easy to heavily restrict the logging to, say, just error events via /etc/default/cron (EXTRA_OPTS="-L 4"). But this affect all of cron jobs. What if I want to restrict the logging of *certain* cron jobs (said frequent every-1-minute jobs)? Is it possible to set this up via /etc/rsyslog.conf or in /etc/crontab itself? The system is Debian 8.0 Jessie.

I'm using a VM. Ubuntu Linux. What I'm trying to do is use System logger to record the local3 facility with all severity levels to a file /var/log/local3.log I'm confused as to what the process is. Am I just supposed to edit /etc/rsyslog.conf with something along the lines of: local3.* /var/log/local3.log or do I use the logger command? Or both? I also want to add a logrotate afterwards so that it rotates weekly, keeping 8 weeks worth of log files.

Looking at syslog files on Debian 10 form a previous session I have noticed a MAC Address change and I do not know why it is happening. Any ideas on how to stop this? Jun 8 15:43:46 NetworkManager: [1591623826.4785] manager: NetworkManager state is now CONNECTED_LOCAL Jun 8 15:43:46 NetworkManager: [1591623826.4790] device (wlp8s0): state change: unavailable -> unmanaged (reason 'sleeping', sys-iface-state: 'managed') Jun 8 15:43:46 dbus-daemon: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.11' (uid=0 pid=729 comm="/usr/sbin/NetworkManager --no-daemon ") Jun 8 15:43:46 NetworkManager: [1591623826.4793] device (wlp8s0): set-hw-addr: **reset MAC address to 68:5D:43:61:77:45** (unmanage) Jun 8 15:43:46 NetworkManager: [1591623826.4799] device (enp7s0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'managed') Jun 8 15:43:46 kernel: [15194.894941] IPv6: ADDRCONF(NETDEV_UP): enp7s0: link is not ready Jun 8 15:43:46 kernel: [15194.895237] RTL8211E Gigabit Ethernet r8169-700:00: attached PHY driver [RTL8211E Gigabit Ethernet] (mii_bus:phy_addr=r8169-700:00, irq=IGNORE) Jun 8 15:43:46 systemd: Starting Network Manager Script Dispatcher Service... Jun 8 15:43:46 dbus-daemon: [system] Successfully activated service 'org.freedesktop.nm_dispatcher' Jun 8 15:43:46 systemd: Started Network Manager Script Dispatcher Service. Jun 8 15:43:46 nm-dispatcher: req:1 'down' [enp7s0]: new request (1 scripts) Jun 8 15:43:46 nm-dispatcher: req:1 'down' [enp7s0]: start running ordered scripts... Jun 8 15:43:46 nm-dispatcher: req:2 'connectivity-change': new request (1 scripts) Jun 8 15:43:46 NetworkManager: [1591623826.6955] device (wlp8s0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'managed') Jun 8 15:43:46 kernel: [15195.108815] IPv6: ADDRCONF(NETDEV_UP): enp7s0: link is not ready Jun 8 15:43:46 kernel: [15195.110559] IPv6: ADDRCONF(NETDEV_UP): wlp8s0: link is not ready Jun 8 15:43:46 NetworkManager: [1591623826.6963] device (wlp8s0): set-hw-addr: set MAC address to **DE:5B:91:11:04:52** (scanning) Jun 8 15:43:46 nm-dispatcher: req:2 'connectivity-change': start running ordered scripts...

One of my KVM servers (2 Xeon E5-2680 v2, 1 AMD Vega 10 GPU, Ubuntu 20.04.1 LTS) became unresponsive last night. Of the 5 VMs running on the server, only one could be reached. The server itself refused SSH connections, and I could not even get a screen over HDMI. I did not see any other solution than to reset it. Having done that, I would like to better understand what was actually going on. The following journals are available on the system: # journalctl --list-boots -8 57c5ae37af1649379e82b349abb14f9d Sun 2020-05-24 20:25:57 CEST—Sun 2020-05-24 20:44:30 CEST -7 c617acfdd3854669bd114d1d033cd5a7 Sun 2020-05-24 20:45:01 CEST—Mon 2020-05-25 19:21:48 CEST -6 745df76c9d784907862118c7804a19ab Mon 2020-05-25 19:22:26 CEST—Mon 2020-05-25 19:42:17 CEST -5 9781df6fa3494c4588d0cf4a99678e84 Mon 2020-05-25 19:42:59 CEST—Thu 2020-06-04 04:53:20 CEST -4 db93d994719a4ee1ad8eb74932220898 Thu 2020-06-04 18:45:10 CEST—Thu 2020-06-04 19:16:38 CEST -3 c6007ce834bd4933805138523549677e Thu 2020-06-04 19:17:20 CEST—Thu 2020-08-20 18:35:54 CEST -2 c24b967697ce41a2ac6c1707936dc450 Thu 2020-08-20 18:36:23 CEST—Mon 2020-08-31 17:21:52 CEST -1 b1efda1e7a3b42d4ae9a20f0c3b06fcf Mon 2020-09-07 09:49:24 CEST—Mon 2020-09-07 09:59:49 CEST 0 f5de0a1534a7478e87847031156976d0 Mon 2020-09-07 10:00:19 CEST—Mon 2020-09-07 10:08:33 CEST As you may already see from the list, the last 7 days are missing, I don't actually have access to a journal leading up to the system error. Running journalctl --verify shows the following output. 1f23cc0: Invalid object File corruption detected at /var/log/journal/f9decb319623482392299509c566049a/system@0005a744de309d9e-3dfdf0e20f2b37de.journal~:1f23cc0 (of 33554432 bytes, 97%). FAIL: /var/log/journal/f9decb319623482392299509c566049a/system@0005a744de309d9e-3dfdf0e20f2b37de.journal~ (Bad message) PASS: /var/log/journal/f9decb319623482392299509c566049a/system@24f780e4155245c0a176021b285d8b61-0000000000000001-0005a744de2ec87d.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-00000000000008e3-0005a66900b2a7be.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system@24f780e4155245c0a176021b285d8b61-0000000000010c89-0005a8cfc4df2d27.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-0000000000010c88-0005a8cfc4dec165.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system@24f780e4155245c0a176021b285d8b61-000000000001b654-0005ab341293df34.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-000000000001bf95-0005ab56000dcbe1.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system@0005aeb4750f8660-d0ac81b12520109c.journal~ PASS: /var/log/journal/f9decb319623482392299509c566049a/system@cf2a7210a86040e6aa7736d9b0a88e8b-0000000000000001-0005aeb4750dab5e.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/system.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000@6da18e6709a04eb8809cb4af946ec557-00000000000269b9-0005ad9c6a92da4a.journal PASS: /var/log/journal/f9decb319623482392299509c566049a/user-1000.journal Reading through some of the obvious web search results, it seems that it is currently not possible to repair a corrupted journal, it's just gone. Frankly, I find it a bit strange when the systemd lead writes that he does not see a need for corrupt journalctl entries to be fixed but maybe it's just me. I'm really not sure what else to do. In my /var/log, I also have files called syslog but they also stop on August 31 and continue today. The same is true for kern. I looked through some other log files such as Xorg and dmesg. Honestly, I'm not even sure what to look for but nothing seems to jump at me. Xorg.log shows only one error that seems unlikely to be the culprit for my problems: [230912.637] (II) xfree86: Adding drm device (/dev/dri/card0) [230912.637] (EE) /dev/dri/card0: failed to set DRM interface version 1.4: Permission denied There seem to be no error or fail messages in dmesg. I mean, everything works currently but this error seems to repeat itself every few weeks. Which other steps can I take to get a better understanding of this issue?

I'm seeing the following error on CentOS 6.4: # puppet agent --test Run of Puppet configuration client already in progress; skipping (/var/lib/puppet/state/agent_catalog_run.lock exists) What should I do about it?

Where can I find the syslog config file under SLES 12? rsyslog and syslog-service are installed according to YaST2 and rcsyslog status outputs: ServerName:~ # rcsyslog status Usage: /sbin/rcsyslog {start|stop|status|try-restart|restart|force-reload|reload} rsyslog.service - System Logging Service Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled) Active: active (running) since Wed 2015-03-04 16:05:46 CET; 1 day 17h ago Main PID: 787 (rsyslogd) CGroup: /system.slice/rsyslog.service ââ787 /usr/sbin/rsyslogd -n

I'm using systemd on raspberrypi machine with yocto based system. Recently I had some problems with redirecting messages to rsyslog.socket so I decided to get rid of rsyslog completely in favour of of journald. After doing so I have noticed that size of journald files is much bigger than I previously thought it would be. root@rpiDev: ~ $ journalctl -o cat > /tmp/journals-cat.txt root@rpiDev: ~ $ journalctl -o export > /tmp/journals-exp.txt root@rpiDev: ~ $ journalctl -o verbose > /tmp/journals-verb.txt root@rpiDev: ~ $ journalctl -a -m > /tmp/journals.txt ### This is what I need! root@rpiDev: ~ $ journalctl -a -m -o verbose > /tmp/journals-everything.txt root@rpiDev: ~ $ du -sh /tmp/journals* /var/log/journal/ ; journalctl --disk-usage 468.0K /tmp/journals-cat.txt 15.7M /tmp/journals-everything.txt 4.7M /tmp/journals-exp.txt 4.9M /tmp/journals-verb.txt 2.3M /tmp/journals.txt 41.0M /var/log/journal/ Archived and active journals take up 12.5M on disk. Comparing the sizes it looks like binary files created by journald are much bigger than merged (-m) logs. What I actually need is what is inside /tmp/journals.txt. **Question:** Is it possible to reduce amount of stuff stored by journald in it's binary files to what I noticed when running journalctl -a -m? In other words: can I disable storing all of the information that is not important to me and use journald just as I would syslog? My problem can be solved by disabling permanent storing of journald logs and forwarding them to syslog, but maybe it is possible without bringing back rsyslog? EDIT: Parameters mentioned by some users do not help me here. - Using SystemMaxUse= and RuntimeMaxUse= only sets the maximum size of the files stored- I can have smaller files with the same amount of not needed info and therefore even less actual logs. - Using MaxLevel...= sets the maximum log level stored in the journal. That is also not what I need here. EDIT2: My solution: I have decided to store logs in syslog (I use rsyslog).
In my journald.conf I have set Storage=volatile and used SystemMaxUse=64M and RuntimeMaxUse=64M to limit disk usage by journald.
I also enabled ForwardToSyslog=yes so now I have my old syslog solution working and I'm also able to view runtime journald logs.

I have this script make_firewall.sh with rules for iptables: iptables -F iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp -j LOG --log-level info --log-prefix='[netfilter] ' iptables -A INPUT -p tcp -j LOG --log-prefix='[netfilter] ' iptables -A INPUT -p tcp -j DROP And I have this at /etc/rsyslog.d/my_iptables.conf : :msg,contains,"[netfilter] " /var/log/iptables.log And too this at /etc/rsyslog.conf : # /etc/rsyslog.conf Configuration file for rsyslog. # # For more information see # /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html ################# #### MODULES #### ################# $ModLoad imuxsock # provides support for local system logging #$ModLoad imklog # provides kernel logging support #$ModLoad immark # provides --MARK-- message capability # provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 ########################### #### GLOBAL DIRECTIVES #### ########################### # # Use traditional timestamp format. # To enable high precision timestamps, comment out the following line. # $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # # Set the default permissions for all log files. # $FileOwner root $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 # # Where to place spool and state files # $WorkDirectory /var/spool/rsyslog # # Include all config files in /etc/rsyslog.d/ # $IncludeConfig /etc/rsyslog.d/*.conf ############### #### RULES #### ############### # # First some standard log files. Log by facility. # auth,authpriv.* -/var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog cron.* -/var/log/cron.log daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log user.* -/var/log/user.log # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err -/var/log/mail.err # # Logging for INN news system. # news.crit -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice # # Some "catch-all" log files. # *.=debug;\ auth,authpriv.none;\ news.none;mail.none -/var/log/debug *.=info;*.=notice;*.=warn;\ auth,authpriv.none;\ cron,daemon.none;\ mail,news.none -/var/log/messages # # Emergencies are sent to everybody logged in. # *.emerg :omusrmsg:* # # I like to have messages displayed on the console, but only on a virtual # console I usually leave idle. # #daemon,mail.*;\ # news.=crit;news.=err;news.=notice;\ # *.=debug;*.=info;\ # *.=notice;*.=warn /dev/tty8 # The named pipe /dev/xconsole is for the `xconsole' utility. To use it, # you must invoke xconsole' with the -file' option: # # $ xconsole -file /dev/xconsole [...] # # NOTE: adjust the list below, or you'll go crazy if you have a reasonably # busy site.. # daemon.*;mail.*;\ news.err;\ *.=debug;*.=info;\ *.=notice;*.=warn |/dev/xconsole The content of the folder /var/log is (I checked all files on this folder, but I not found nothing from iptables): -rw-r--r-- 1 root root 1593 Jul 1 17:09 alternatives.log drwxr-x--- 2 root adm 4096 Jul 2 10:13 apache2 drwxr-xr-x 2 root root 4096 Jun 20 16:49 apt -rw-r----- 1 root adm 4490518 Jul 14 22:58 auth.log -rw------- 1 root utmp 495361 Jul 14 19:44 btmp -rw-r----- 1 root adm 180921 Jul 14 20:06 daemon.log -rw-r----- 1 root adm 775 Jun 20 16:59 debug -rw-r----- 1 root adm 1 Nov 9 2015 dmesg -rw-r--r-- 1 root root 132769 Jul 14 20:04 dpkg.log drwxr-s--- 2 Debian-exim adm 4096 Jul 1 17:09 exim4 -rw-r----- 1 root adm 4363 Jul 14 19:43 fail2ban.log -rw-r--r-- 1 root root 3424 Jul 1 17:09 faillog drwxr-xr-x 2 root root 4096 Nov 9 2015 fsck -rw-rw-r-- 1 root utmp 31244 Jul 14 19:44 lastlog -rw-r----- 1 root adm 3748 Jul 14 20:06 messages drwxr-s--- 2 mysql adm 4096 Jun 20 17:03 mysql -rw-r----- 1 mysql adm 0 Jun 20 17:03 mysql.err -rw-r----- 1 mysql adm 0 Jun 20 17:03 mysql.log -rw-r----- 1 root adm 2628602 Jul 14 22:58 syslog -rw-rw-r-- 1 root utmp 40704 Jul 14 19:44 wtmp I'm using: Debian 8 (jessie) with iptables v1.4.21 **My question is: why iptables does not generates any log?** Thanks for any help!

I am trying to understand why one of my system has /dev/log as a socket and other has /dev/log as a symbolic link. [ec2-user@ip-171-31-12-17 log]$ file /dev/log /dev/log: symbolic link to /run/systemd/journal/dev-log [ec2-user@ip-171-31-12-18 log]$ file /dev/log /dev/log: socket I have tried checking on other systems and found out most of the RHEL has /dev/log as link not a socket. That means I have to make the other systems /dev/log as a link not socket. Does journalctl logs appear in /var/log/messages ? when i have /dev/log as socket instead of link. How do I make things normal ? By the way OS version is RHEL 7.9 for /dev/log : socket

Can someone explain what the following error in/var/log/syslog means? I don't know if I picked the relevant part, there is a lot more information in the log. Feb 4 10:57:51 chriad-VirtualBox dockerd: time="2019-02-04T10:57:51.039077089+01:00" level=warning msg="grpc: addrConn.createTransport failed to connect to {unix:///run/containerd/containerd.sock 0 }. Err :connection error: desc = \"transport: Error while dialing dial unix /run/containerd/containerd.sock: connect: connection refused\". Reconnecting..." module=grpc Feb 4 10:57:51 chriad-VirtualBox dockerd: time="2019-02-04T10:57:51.039751889+01:00" level=warning msg="grpc: addrConn.createTransport failed to connect to {unix:///run/containerd/containerd.sock 0 }. Err :connection error: desc = \"transport: Error while dialing dial unix /run/containerd/containerd.sock: connect: connection refused\". Reconnecting..." module=grpc Feb 4 10:57:51 chriad-VirtualBox dockerd: time="2019-02-04T10:57:51.039822044+01:00" level=error msg="failed to get event" error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = \"transport: Error while dialing dial unix /run/containerd/containerd.sock: connect: connection refused\"" module=libcontainerd namespace=plugins.moby and this goes on for a long time... What can I do to make this error go away? uname -a Linux chriad-VirtualBox 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux` I use virtualbox 5.2.26. systemctl | grep failed ● apport-autoreport.service loaded failed failed Process error reports when automatic reporting is enabled ● containerd.service loaded failed failed containerd container runtime ● vboxadd-service.service loaded failed failed vboxadd-service.service

Bash version 4.N has apparently the ability to write command-history to syslog, but I can't find information about how to configure this. I have read several pages which offer hacks using the PROMPT_COMMAND, and trap, and I know that there's a patch available, but this should be unnecessary, as it is now built in. I know I can use auditd to capture commands, but I'd like to use the bash/syslog combination.

I have tried to log into journald using logger. logger test, journalctl |grep test does not show any output. The message does not reach journald even though it listening and logger is writing (I checked with strace) to the same socket address /run/systemd/journal/dev-log I foud the message in /var/log/messages, the message appears in syslog messages, and not in journalctl. I checked which process listen to /dev/log, I found both syslog and systemd root@raspberrypi4-64:~# lsof /dev/log COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 32u unix 0x0000000077b4fabe 0t0 220 /run/systemd/journal/dev-log type=DGRAM (CONNECTED) systemd-j 129 root 5u unix 0x0000000077b4fabe 0t0 220 /run/systemd/journal/dev-log type=DGRAM (CONNECTED) syslogd 253 root 0u unix 0x000000009c5fe5d3 0t0 601 /run/systemd/journal/dev-log type=DGRAM (CONNECTED) After disabling syslog.service and rebooting, the logger messages are prompted in journalctl logs. 2 daemons bound to the same socket path (but not to same inode), why syslogd receives the messages and not journald ? is there some priority to be respected when two daemons listen to the same socket path? I've read this answer but still does not full answer my question.

I am playing with netcat command. On this linux system, I have set up a netcat listener on UDP 514, so that I get to see syslog messages from remote systems. $ sudo nc -v -ulp 514 listening on [::]:514 ... connect to 192.168.20.252:514 from (null) ([::ffff:192.168.20.5]:58904) 60: *Mar 5 19:57:06.735: %SYS-5-CONFIG_I: Configured from console by console61: *Mar 5 19:57:32.651: %SYS-5-CONFIG_I: Configured from console by console62: *Mar 5 20:10:10.127: %SYS-5-CONFIG_I: Configured from console by console The logs are coming through, but there is no line break between events. I need a line break between events. The terminal output is enough and no need to store the logs. While the logs are not uniform, how can I achieve this?

# Short Version: I want to stop the following message from appearing in my syslog. They pertain to a USB port on my keyboard that can be ignored: Feb 9 23:33:45 sunfire kernel: [ 8163.156041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci I have edited /etc/rsyslog.d/50-default.conf and added a filter: :msg, contains, "3-6.2.4: reset full" and when I restarted the service: /etc/init.d/rsyslog restart it resulted in: Feb 10 00:23:57 sunfire rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="754" x-info="http://www.rsyslog.com "] exiting on signal 15. Feb 10 00:23:57 sunfire rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="3982" x-info="http://www.rsyslog.com "] start Feb 10 00:23:57 sunfire rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ] Feb 10 00:23:57 sunfire rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 62: syntax error on token '' [v8.16.0 try http://www.rsyslog.com/e/2207 ] Feb 10 00:23:57 sunfire rsyslogd-2207: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [v8.16.0 try http://www.rsyslog.com/e/2207 ] Feb 10 00:23:57 sunfire rsyslogd: rsyslogd's groupid changed to 109 Feb 10 00:23:57 sunfire rsyslogd: rsyslogd's userid changed to 105 Feb 10 00:23:57 sunfire systemd[1] : Stopping System Logging Service... Feb 10 00:23:57 sunfire systemd[1] : Stopped System Logging Service. Feb 10 00:23:57 sunfire systemd[1] : Starting System Logging Service... Feb 10 00:23:57 sunfire systemd[1] : Started System Logging Service. Feb 10 00:23:57 sunfire rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ] Feb 10 00:23:57 sunfire rsyslogd-2007: action 'action 10' suspended, next retry is Wed Feb 10 00:24:27 2016 [v8.16.0 try http://www.rsyslog.com/e/2007 ] Feb 10 00:25:49 sunfire kernel: [11287.416037] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci and obviously didn't stop the logging I want to stop. Before I started messing with this too much, I thought I would try and get some help. Thanks. # Long Version: I have a keyboard that when plugged into any of my boxes (mostly running various iterations of Ubuntu all over 14.04 LTS, Raspian, OSX and FreeBSD), reports errors in the syslog. The error in particular is: Feb 9 23:33:45 sunfire kernel: [ 8163.156041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:33:49 sunfire kernel: [ 8166.828038] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:33:55 sunfire kernel: [ 8172.804042] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:34:00 sunfire kernel: [ 8178.172050] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:34:23 sunfire kernel: [ 8201.524041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:35:19 sunfire kernel: [ 8257.340041] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:35:32 sunfire kernel: [ 8270.244043] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci Feb 9 23:35:50 sunfire kernel: [ 8287.876038] usb 3-6.2.4: reset full-speed USB device number 8 using ehci-pci (I've only included so many to show how frequent and consistent they are). I've been searching for a way to have the system "disregard" this type of report basically because I am not concerned with it. The reason being, this is a keyboard that has two USB ports on it and I have never connected anything to it (especially on this box. I have connected a mouse when used with my main box). Most of the answers I have found pertain to filtering the output generally in searches, or particular applications or developer scenarios. I have found this question/answer (Disable logging to syslog ), but the configuration on my (Ubuntu) system points to further config files located in /etc/rsyslog.d/ and neither of the files there have anything that remotely suggests (to me) how to disregard something. That did lead me down further search routes to (Preventing output to /var/log/syslog ) and on to http://www.rsyslog.com/ (particularly Filters ) but as soon as I started playing with that I got an error about an invalid config and obviously didn't cull my unwanted message (above "short" section). Considering it appears that rsyslog was stopped (pid: 754) then I have attacked the right system, but I have done so wrongly. Any help would be appreciated. **A final addition:** When reverting back to the default setting and restarting, 3 of the 5 config errors persisted, which would lead me to believe they are unrelated. ie, These persisted: Feb 10 00:48:12 sunfire rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ] Feb 10 00:48:12 sunfire rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ] Feb 10 00:48:12 sunfire rsyslogd-2007: action 'action 10' suspended, next retry is Wed Feb 10 00:48:42 2016 [v8.16.0 try http://www.rsyslog.com/e/2007 ] and these (expectantly) were no longer present: Feb 10 00:23:57 sunfire rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 62: syntax error on token '' [v8.16.0 try http://www.rsyslog.com/e/2207 ] Feb 10 00:23:57 sunfire rsyslogd-2207: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [v8.16.0 try http://www.rsyslog.com/e/2207 ]

This is a fresh Debian 10 installation that's two-three weeks old. For the last couple of days, my system has been acting up, it would just slow down and I would not be able to use sudo in the terminal as it won't prompt for authentication. When I check CPU usage using htop, it shows that systemd-journald is using quite a lot of CPU, more than 100%. One time there was two or three processes/thread of rsyslogd using around 50% CPU each. I haven't seen rsyslogd using that much CPU after that. Since I could not use sudo, I wasn't able to check the logs, but today I found out that I could just su and become root while sudo wasn't working and I checked the logs. The following is an excerpt from journalctl: Aug 25 22:27:34 asgard systemd-journald: Missed 51 kernel messages Aug 25 22:27:34 asgard kernel: wlp0s20f3: Failed check-sdata-in-driver check, flags: 0x4 Aug 25 22:27:34 asgard kernel: WARNING: CPU: 0 PID: 2221 at net/mac80211/driver-ops.h:19 drv_sta_state+0x265/0x3e0 [mac80211] Aug 25 22:27:34 asgard systemd-journald: Missed 56 kernel messages Aug 25 22:27:34 asgard kernel: drbg ansi_cprng cfg80211 dell_rbtn processor_thermal_device iTCO_vendor_support irqbypass intel_soc_dts_iosf ecdh_generic sg joydev dell_laptop hid_multitouch idma64 crct10dif_pclmul crc32_pclmul int3403_thermal rfkill int3400_thermal int340x_thermal_zone wmi_bmof dell_smo8800 dell_wmi intel_hid pcc_cpufreq dell_smbios dell_smm_hwmon dcdbas intel_pch_thermal ucsi_acpi typec_ucsi dell_wmi_descriptor typec acpi_thermal_rel evdev sparse_keymap pcspkr serio_raw ghash_clmulni_intel acpi_tad acpi_pad ac intel_cstate intel_uncore xt_conntrack nft_compat intel_rapl_perf efi_pstore efivars battery nft_counter nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink efivarfs ip_tables x_tables autofs4 ext4 And the following part from journalctl is all over the log: Aug 25 22:27:34 asgard systemd-journald: Missed 55 kernel messages Aug 25 22:27:34 asgard kernel: crc16 mbcache jbd2 fscrypto ecb btrfs xor zstd_decompress zstd_compress xxhash raid6_pq libcrc32c crc32c_generic sd_mod hid_generic crc32c_intel i2c_designware_platform i2c_designware_core i915 psmouse aesni_intel xhci_pci aes_x86_64 crypto_simd xhci_hcd cryptd glue_helper i2c_i801 ahci libahci libata i2c_algo_bit usbcore r8169 drm_kms_helper realtek sdhci_pci libphy cqhci scsi_mod sdhci drm mmc_core intel_lpss_pci intel_lpss mfd_core usb_common i2c_hid hid wmi video button From dmesg: [ 2420.057787] wlp0s20f3: Failed check-sdata-in-driver check, flags: 0x4 [ 2420.057800] Modules linked in: uinput cmac rfcomm bnep ctr ccm fuse binfmt_misc nf_log_ipv6 ip6t_REJECT nf_reject_ipv6 nls_ascii snd_soc_skl nls_cp437 vfat fat xt_hl ip6_tables ip6t_rt snd_hda_codec_hdmi snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi nf_log_ipv4 snd_hda_codec_realtek nf_log_common snd_soc_core snd_hda_codec_generic ipt_REJECT nf_reject_ipv4 snd_compress xt_LOG snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm uvcvideo intel_rapl snd_timer snd x86_pkg_temp_thermal intel_powerclamp nft_limit coretemp videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common kvm_intel videodev iTCO_wdt soundcore xt_limit arc4 media iwlmvm mac80211 btusb btrtl btbcm btintel bluetooth xt_addrtype kvm iwlwifi xt_tcpudp mei_me mei [ 2420.057845] RSP: 0018:ffffbfd40269f9b0 EFLAGS: 00010282 [ 2420.057850] FS: 0000000000000000(0000) GS:ffff9f0f26200000(0000) knlGS:0000000000000000 [ 2420.057879] __sta_info_flush+0x15e/0x1c0 [mac80211] [ 2420.057892] ieee80211_set_disassoc+0xbe/0x550 [mac80211] [ 2420.057903] ieee80211_mgd_deauth.cold.57+0x47/0x1b5 [mac80211] [ 2420.057914] cfg80211_mlme_deauth+0xb3/0x1d0 [cfg80211] [ 2420.057926] cfg80211_mlme_down+0x66/0x90 [cfg80211] [ 2420.057937] cfg80211_disconnect+0x128/0x1e0 [cfg80211] [ 2420.057946] cfg80211_leave+0x26/0x40 [cfg80211] [ 2420.057954] cfg80211_netdev_notifier_call+0xcd/0x600 [cfg80211] [ 2420.057956] ? syscall_return_via_sysret+0x14/0x83 [ 2420.057957] ? ret_from_fork+0x1a/0x40 [ 2420.057970] ? ieee80211_reconfig+0xd5/0x1420 [mac80211] [ 2420.057984] ? report_bug+0xb0/0xd0 [ 2420.057985] ? inetdev_event+0x46/0x580 [ 2420.057988] notifier_call_chain+0x47/0x70 [ 2420.057992] dev_close_many+0x9f/0x160 [ 2420.058002] cfg80211_shutdown_all_interfaces+0x6d/0xc0 [cfg80211] [ 2420.058015] ? rcu_exp_wait_wake+0x250/0x250 [ 2420.058016] ? try_to_del_timer_sync+0x4d/0x80 [ 2420.058028] process_one_work+0x1a7/0x3a0 [ 2420.058030] worker_thread+0x30/0x390 [ 2420.058031] ? create_worker+0x1a0/0x1a0 [ 2420.058035] ? kthread_bind+0x30/0x30 [ 2420.058043] ------------[ cut here ]------------ [ 2420.058056] Modules linked in: uinput cmac rfcomm bnep ctr ccm fuse binfmt_misc nf_log_ipv6 ip6t_REJECT nf_reject_ipv6 nls_ascii snd_soc_skl nls_cp437 vfat fat xt_hl ip6_tables ip6t_rt snd_hda_codec_hdmi snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi nf_log_ipv4 snd_hda_codec_realtek nf_log_common snd_soc_core snd_hda_codec_generic ipt_REJECT nf_reject_ipv4 snd_compress xt_LOG snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm uvcvideo intel_rapl snd_timer snd x86_pkg_temp_thermal intel_powerclamp nft_limit coretemp videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common kvm_intel videodev iTCO_wdt soundcore xt_limit arc4 media iwlmvm mac80211 btusb btrtl btbcm btintel bluetooth xt_addrtype kvm iwlwifi xt_tcpudp mei_me mei [ 2420.058101] RSP: 0018:ffffbfd40269f9b0 EFLAGS: 00010282 [ 2420.058107] FS: 0000000000000000(0000) GS:ffff9f0f26200000(0000) knlGS:0000000000000000 [ 2420.058136] __sta_info_flush+0x15e/0x1c0 [mac80211] [ 2420.058147] ieee80211_set_disassoc+0xbe/0x550 [mac80211] [ 2420.058159] ieee80211_mgd_deauth.cold.57+0x47/0x1b5 [mac80211] [ 2420.058170] cfg80211_mlme_deauth+0xb3/0x1d0 [cfg80211] [ 2420.058181] cfg80211_mlme_down+0x66/0x90 [cfg80211] [ 2420.058193] cfg80211_disconnect+0x128/0x1e0 [cfg80211] [ 2420.058202] cfg80211_leave+0x26/0x40 [cfg80211] [ 2420.058210] cfg80211_netdev_notifier_call+0xcd/0x600 [cfg80211] [ 2420.058212] ? syscall_return_via_sysret+0x14/0x83 [ 2420.058213] ? ret_from_fork+0x1a/0x40 [ 2420.058238] ? ieee80211_reconfig+0xd5/0x1420 [mac80211] [ 2420.058240] ? report_bug+0xb0/0xd0 [ 2420.058241] ? inetdev_event+0x46/0x580 [ 2420.058245] notifier_call_chain+0x47/0x70 [ 2420.058248] dev_close_many+0x9f/0x160 [ 2420.058269] ieee80211_reconfig+0xa3/0x1420 [mac80211] [ 2420.058271] ? rcu_exp_wait_wake+0x250/0x250 [ 2420.058272] ? try_to_del_timer_sync+0x4d/0x80 [ 2420.058285] worker_thread+0x30/0x390 [ 2420.058288] kthread+0x112/0x130 [ 2420.058291] ret_from_fork+0x1f/0x40 [ 2420.058298] ------------[ cut here ]------------ Similar to journalctl messages, the above logs from dmesg were also repeated endlessly in the dmesg. (I think these dmesg logs were displayed as I tried to shutdown the system when the system hangs, but I couldn't make sure as the messages were rapidly moving.) I thing the slow down is caused by excessive logging as /var/log/kern.log, /var/log/messages and /var/log/syslog are about 23GB each. I am not sure what causes this much errors/logs, but I suspect it's the wi-fi of the laptop. The WiFi chip is an Intel® Wireless-AC 9560 and I have been having some connection issues with wifi. (The wifi would disconnect all of a sudden and the network manager would show device is not ready. When I reboot, the wifi option is gone from Network manager. This has occurred twice and toggling the Secure Boot in UEFI to OFF/ON would fix it.) I didn't notice any trouble with wifi when the system became slow. - Here's another related question from Askubuntu: https://askubuntu.com/questions/1251908/syslog-and-kern-log-keeps-filling-up-and-network-stops-working - A bug report from Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1851185 - An Ubuntu Bug report: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1882419/comments/12 - Bug report from Linux Kernal: https://bugzilla.kernel.org/show_bug.cgi?id=98321 What exactly is happening here and how do I fix this?

Right now, sshd is using the authpriv facility. The level of logging is fine, but I don't want it in the syslog, I want it to go to /var/log/sshd (which doesn't yet exist) on Red Hat Linux/Enterprise Linux. authpriv is configured to go to syslog by syslogd.conf. Do I need to change the facility on sshd to local2 (or any other unused local) for instance, and then direct local2 to /var/log/sshd or is there a better way?

Good evening, I am running multiple cisco routers/switches and a virtualized debian install. In order to have proper forensic capabilities in cse of attack/breach/malfunction I wish to have remote logging of routers/switches messages in a remote facility to be able to read them even in case of hardware shutdown/reboot. My idea was to remotely log messages from the cisco routers to a virtualized debian host running syslog I did this in the past with debian stretch and it worked by setting different facility codes and properly log-rotate with cron job. I now see that bookworm is removing syslog and doing all with journalctl. I see that I can also install cuncurrenlty syslog and configure it as I did, but I wonder if there is a way to avoid having local logging done to the syslog and only remote syslog messages being log to /var/log/* while local system is still handled by journal(d/ctl) I guess I could do the socket listening logging to proper facilities files and local syslog logging to /dev/null but I do not like it .... anybody has done something similar? Or a better idea? I am asking in advance so when I prepare the virtual machine dedicated to logging I can properly set it up. Thanks for any pointers. Fabio

I work on yocto based linux distribution. I'm not expert about systemd and neither about systemd-journald. My C program my_c_program is started at boot by the script my_script.sh. Below there is the file my_script.sh:

my_c_program &
echo $! > /dev/shm/my_c_program.pid

Previous script is started by a service. The unit file of the service is called start_c_program.service. Below there is the unit service:

[Unit]
Description=Start my_c_program
Requires=...
After=...
Before=...

[Service]
Type=forking
ExecStart=/usr/bin/my_script.sh
PIDFile=/dev/shm/my_c_program.pid

[Install]
WantedBy=multi-user.target

With this configuration all instructions printf("message") present in my_c_program add the string "message" to systemd-journald. I know that if I modify my_script.sh to:

my_c_program > /dev/null &
echo $! > /dev/shm/my_c_program.pid

the message on journald are suppressed, but the question is: why all output of my C program directed to stdout is sent to journald? Thanks ___ I was thinking that to send message to journald I had to use the C instruction syslog(), for example by a code as below:

#include
int main(int argc, char** argv) {
    syslog(LOG_INFO, "Start logging");
}

On my actual macOS, there are every day 7 flat files in /var/log of name mail.log* rotating at 23:00: ### 18:20 milky-way:/etc/asl # ls -al /var/log/mail.log* -rw-r-----@ 1 root admin 333712 Dec 3 18:17 /var/log/mail.log -rw-r----- 1 root admin 44272 Dec 2 23:00 /var/log/mail.log.0.gz -rw-r----- 1 root admin 40376 Dec 1 23:00 /var/log/mail.log.1.gz -rw-r----- 1 root admin 37274 Nov 30 23:00 /var/log/mail.log.2.gz -rw-r----- 1 root admin 46093 Nov 29 23:00 /var/log/mail.log.3.gz -rw-r----- 1 root admin 52495 Nov 28 23:00 /var/log/mail.log.4.gz -rw-r----- 1 root admin 53763 Nov 27 23:00 /var/log/mail.log.5.gz -rw-r--r-- 1 root admin 54454 Nov 26 23:00 /var/log/mail.log.6.gz ### 18:20 milky-way:/etc/asl # I would like to get a set of one full month of these flat syslog files i.e. 30. I know these files are generated from the ASL database, and I tried to modify the file to push the store_ttl and ttl to 30. ### 18:24 milky-way:/etc/asl # cat /etc/asl/com.apple.mail # mail facility has its own log file ? [= Facility mail] claim only > /var/log/mail.log mode=0640 format=bsd rotate=seq compress store_ttl=30 ttl=30 file_max=5M all_max=50M * file /var/log/mail.log ### 18:24 milky-way:/etc/asl # And next killed syslogd wigh HUP to make it reload the ASL modules configuration. But I continue to have just 7 /var/log/mail.log*. Which process is making the rotation of these /var/log/mail.log*? How to configure this process? so as to get a full month ( 30 ) of them ?

I have a program which needs syslog to run to correctly work. I am working in an Alpine container with version 3.16.0. As I'm getting multiple errors from the program (weewx), I understood that syslog is not running in the container, so I researched how I should run it, with little success. After installing openrc (apk add --no-cache openrc) I tried to add it as a service as it is suggested on the Alpine wiki , however after running rc-update add syslogd boot I got this error:

-update: service `syslogd' does not exist

I don't have a lot of experience with services, so I decided to ask. What should be the right approach to have syslogd run as a daemon when the container is launched? Right now to get it to run I launch it manually, however it would be great to have it run automatically. Thanks!