
Re: question on spamd logging




	Hi.

On Sat, Aug 25, 2018 at 01:49:53PM -0400, Gene Heskett wrote:
> > > Aug 25 12:11:35 coyote spamd[4707]: prefork: child states: II
> > >
> > > Several hundred a day...
> >
> > Try this:
> >
> > cat > /etc/rsyslog.d/spamd.conf << EOF
> >
> > :syslogtag, startswith, "spamd" /var/log/spamd.log
> > :syslogtag, startswith, "spamd" stop
> >
> > EOF
> >
> > service rsyslogd restart
> >
> no permission

I assumed that I could skip the obligatory 'please assume root privileges
before making systemwide changes'. Apparently I was wrong, but …


> so I cd to e/rs.d sudo -i and made this file
> :syslogtag, startswith, "spamd" /var/log/spamd.log
> :syslogtag, startswith, "spamd" stop

… since things worked themselves out, we now have this:


> And had to do the restart as root, which logged this:
> Aug 25 13:34:45 coyote rsyslogd: [origin software="rsyslogd" 
> swVersion="7.6.3" x-pid="3079" x-info="http://www.rsyslog.com"] exiting 
> on signal 15.
> Aug 25 13:34:45 coyote rsyslogd: [origin software="rsyslogd" 
> swVersion="7.6.3" x-pid="23099" x-info="http://www.rsyslog.com"] start

These two are your usual rsyslogd restart. Nothing to see here.


> Aug 25 13:34:45 coyote rsyslogd-3000: unknown priority name ""
> 
> No clue what that error might be, you?

But this one is sure cryptic. Even if one takes [1] into account.
It's been a while since I've tinkered with wheezy's rsyslogd, try
replacing "stop" with "~". I.e. replace:

:syslogtag, startswith, "spamd" stop

with:

:syslogtag, startswith, "spamd" ~


> Thanks Reco.

You're welcome.


> > Consider adding logrotate configuration file for the new
> > /var/log/spamd.log.
> >
> > And, before you ask, documentation for rsyslogd lives in "rsyslog-doc"
> > package.
> 
> Synaptic says it's installed, but it's not on /usr/share?

It should be /usr/share/doc/rsyslogd-doc.
I made a habit of doing 'dpkg -L …' on newly installed packages.


> Ahh, found it but no mention of that exact syntax of :syslogtag

To put it simply, it's that thing that follows hostname in your typical
syslog entry. Usually comes in format "process_name[process_pid]".
In this case it's "spamd[4707]".

[1] https://www.rsyslog.com/?s=error+3000

Reco
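
The tag matching described above, as an added example that is not part of the original message: a simplified Python model of how the two `:syslogtag, startswith, "spamd"` rules route lines. The `/var/log/syslog` catch-all and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Traditional syslog line: "Mon DD HH:MM:SS host tag: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)

SPAMD_LOG = "/var/log/spamd.log"
CATCH_ALL = "/var/log/syslog"  # assumption: stands in for any later rule

# First two lines are from the thread; the last two are constructed.
SAMPLE = [
    "Aug 25 12:11:35 coyote spamd[4707]: prefork: child states: II",
    'Aug 25 13:34:45 coyote rsyslogd-3000: unknown priority name ""',
    "Aug 25 13:35:02 coyote spamd-helper[12]: constructed: prefix also matches",
    "Aug 25 13:35:09 coyote cron[991]: constructed: spamd only in the message",
]


def parse(line):
    """Split one line into ts, host, tag and msg; the tag follows the host."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a traditional syslog line: {line!r}")
    return m.groupdict()


def route(lines, prefix="spamd"):
    """Model the two rules: write matching tags to spamd.log, then discard."""
    out = {SPAMD_LOG: [], CATCH_ALL: []}
    for line in lines:
        if parse(line)["tag"].startswith(prefix):
            out[SPAMD_LOG].append(line)
            continue  # the "stop" (or "~") rule: later rules never see it
        out[CATCH_ALL].append(line)
    return out


if __name__ == "__main__":
    for dest, lines in route(SAMPLE).items():
        print(dest)
        for line in lines:
            print("   ", parse(line)["tag"], "|", line)
```

The filter looks only at the tag, so a line that merely mentions spamd in its message text stays in the catch-all log, while any other program whose tag begins with "spamd" is diverted as well.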