Rsyslog: exclude $programname from syslog

I am getting duplicate messages on the remote rsyslog server: although I have configured a capture for the clamav logs coming from the mail server, I still see the same logs appearing in syslog.

# Configuration for Mail ClamAV logs in rsyslog.d
if ($fromhost contains "mail") and ($programname contains "clam") then {
   action(type="omfile" file="/var/log/mail-clam.log")
}

mail-clam.log:

Jan  3 11:32:07 mail2 freshclam[265]: Received signal: wake up
Jan  3 11:32:07 mail2 freshclam[265]: ClamAV update process started at Thu Jan  3 11:32:07 2019
Jan  3 11:32:07 mail2 freshclam[265]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan  3 11:32:07 mail2 freshclam[265]: daily.cld is up to date (version: 25264, sigs: 2197013, f-level: 63, builder: raynman)
Jan  3 11:32:07 mail2 freshclam[265]: bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

syslog:

Jan  3 11:32:07 mail2 freshclam[265]: Received signal: wake up
Jan  3 11:32:07 mail2 freshclam[265]: ClamAV update process started at Thu Jan  3 11:32:07 2019
Jan  3 11:32:07 mail2 freshclam[265]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan  3 11:32:07 mail2 freshclam[265]: daily.cld is up to date (version: 25264, sigs: 2197013, f-level: 63, builder: raynman)
Jan  3 11:32:07 mail2 freshclam[265]: bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)

I have the following line in rsyslog.conf to exclude logs:

*.*;auth,authpriv,mail.none     -/var/log/syslog

I don't know how to exclude by $programname from syslog. What is the correct way to solve this? Something like:

*.*;auth,authpriv,mail.none,if ($programname contains "clam") then {}     -/var/log/syslog

Or can the if statement be referenced somehow?

Answer 1

Rules in the rsyslog configuration file are evaluated from top to bottom. Therefore you can achieve selective logging simply by discarding the log message after the necessary processing has been done. The "stop" action is used to discard a log message.

For your case, modify the rsyslog.conf file to:

if ($fromhost contains "mail") and ($programname contains "clam") then {
   action(type="omfile" file="/var/log/mail-clam.log")
   stop
}

...

*.*;auth,authpriv,mail.none     -/var/log/syslog

With this configuration, all messages matching the expression are logged to /var/log/mail-clam.log and then discarded. This prevents them from being processed any further, and so from being logged to /var/log/syslog as well.
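As an added check that is not part of the question or the answer: the script below parses lines in the traditional rsyslog file format and reports any entries in syslog that the mail/clam rule should have stopped, so you can confirm the duplicates are gone after reloading rsyslog. It assumes the host column of the file equals $fromhost (true only when the sending host's hostname matches the name rsyslog resolves for it) and uses the same case-sensitive substring match as rsyslog's `contains` operator; the sample lines are the ones from the question plus two constructed non-matching lines.

```python
import re
from typing import Iterable, List, Optional

# Traditional syslog line as written by rsyslog's default file template:
# "<Mon DD HH:MM:SS> <host> <programname>[pid]: <message>"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]: ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample: the five freshclam lines from the question, one
# postfix line from the same host, and one clamd line from a non-mail host.
SAMPLE_SYSLOG = [
    "Jan  3 11:32:07 mail2 freshclam[265]: Received signal: wake up",
    "Jan  3 11:32:07 mail2 freshclam[265]: ClamAV update process started at Thu Jan  3 11:32:07 2019",
    "Jan  3 11:32:07 mail2 freshclam[265]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)",
    "Jan  3 11:32:07 mail2 freshclam[265]: daily.cld is up to date (version: 25264, sigs: 2197013, f-level: 63, builder: raynman)",
    "Jan  3 11:32:07 mail2 freshclam[265]: bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)",
    "Jan  3 11:32:08 mail2 postfix/smtpd[1234]: connect from localhost[127.0.0.1]",
    "Jan  3 11:32:09 web1 clamd[99]: SelfCheck: Database status OK.",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into ts/host/prog/pid/msg; None if it does not match."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_leaks(lines: Iterable[str], host_substr: str = "mail",
               prog_substr: str = "clam") -> List[str]:
    """Return lines that the rule 'if ($fromhost contains host_substr) and
    ($programname contains prog_substr) ... stop' should have discarded
    before they reached /var/log/syslog.  Assumes host column == $fromhost."""
    leaks = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # unparseable line: not attributable to any program
        # rsyslog 'contains' is a case-sensitive substring test, same as 'in'
        if host_substr in fields["host"] and prog_substr in fields["prog"]:
            leaks.append(line.rstrip("\n"))
    return leaks


if __name__ == "__main__":
    import sys
    for leaked in find_leaks(sys.stdin if not sys.stdin.isatty() else SAMPLE_SYSLOG):
        print("still in syslog:", leaked)
```

Run it as `python3 check_leaks.py < /var/log/syslog` on the rsyslog server; no output means the stop rule is doing its job.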
