Information Overload! Syslog filtering

By jonathan. Categories: Domoticz, Linux

I’m trying to ease myself back into a blogging routine, so I thought it might be useful to post about an issue I always see with Linux servers and applications that use syslog: information overload!!

Generally, my posts are fairly long so you can skip through a lot of it but I like to document where and why I ended up at a decision. Please also forgive any grammar and spelling mistakes, after all I did study computer science and not literature.

Just to give a quick bit of background, I’ve been using Domoticz as a home automation platform for a number of years, controlling various sensors and switches. It’s installed from source on a Raspberry Pi running the Raspbian OS.

By default, all system logs are written to ‘/var/log/syslog’, with some exceptions that separate particular kinds of events into individual files for ease of use. Based on the default config, though, most of those events are duplicated in the ‘/var/log/syslog’ file as well.

This means that chatty programs such as Domoticz spew their event data into the syslog log file, making it very difficult to troubleshoot system issues.

On a side note, in recent years Debian, and thus Raspbian, has moved from syslogd to rsyslog, which adds a good deal of flexibility. The rsyslog configuration file is ‘/etc/rsyslog.conf’.

I decided it was about time to fix this. My first attempt was to change the syslog facility on Domoticz to a separate facility, specifically local1, but when I put the standard facility-based filter into the configuration file, the events still also appeared in the syslog log file.

I then read that with rsyslog you can add conditional statements, which allow you to filter log events by the application’s process name and then stop any further rsyslog rules from processing events from that process.

A quick restart of the rsyslog process with the command ‘sudo systemctl restart rsyslog.service’ and everything appeared to work, but after checking all the individual logs I noticed that the events were now showing up in the messages.log file. After reviewing the rsyslog config file, I noticed there was a ‘catch all’ rule, which I needed to modify to exclude the local1 facility that Domoticz is using.

I didn’t want to fill up the Raspberry Pi’s storage with log events, so as a final step I needed to modify the logrotate configuration to include rotation of the newly created domoticz.log file. You could just modify the logrotate rsyslog configuration located in ‘/etc/logrotate.d/rsyslog’ and add ‘/var/log/domoticz’ to the default log rotation, but instead I created a new ‘/etc/logrotate.d/domoticz’ file and added my configuration there. Restart the logrotate process with the command ‘sudo systemctl restart logrotate.service’ and we’re done!
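The post’s own configuration only survives as screenshots, so here is an added example (my reconstruction, not the author’s files) that scripts the three pieces described above: the rsyslog rule that sends Domoticz events to their own file and stops further processing, the edit to the ‘catch all’ messages rule to exclude the local1 facility, and a logrotate entry for the new log file. The drop-in file name ‘10-domoticz.conf’, the log path ‘/var/log/domoticz.log’, the rotation settings and the Debian postrotate helper path are my assumptions; each function takes an optional base directory so it can be dry-run somewhere other than /etc.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Assumed names: the
# rsyslog drop-in 10-domoticz.conf and the log file /var/log/domoticz.log.
set -eu

# Rule 1: match on the process name rather than the facility, write matching
# events to their own file, and '& stop' so no later rule (the syslog or
# messages catch-all) sees them. Prints the path of the file it wrote.
write_rsyslog_rule() {
    dir="${1:-/etc}/rsyslog.d"
    mkdir -p "$dir"
    cat > "$dir/10-domoticz.conf" <<'EOF'
# Domoticz events: own file, then stop so they are not duplicated elsewhere.
if $programname == 'domoticz' then /var/log/domoticz.log
& stop
EOF
    printf '%s\n' "$dir/10-domoticz.conf"
}

# Rule 2: the Debian default messages catch-all ends with
#   mail,news.none   -/var/log/messages
# Append ';local1.none' to that selector so the local1 facility used by
# Domoticz is excluded. Edits the rsyslog.conf given as $1 in place (via a
# temp file, so it also works with a non-GNU sed).
exclude_local1_from_messages() {
    conf="$1"
    sed 's|\(mail,news\.none\)\([[:space:]]*-\{0,1\}/var/log/messages\)|\1;local1.none\2|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Rule 3: a separate logrotate entry for the new file. The postrotate helper
# is the one Debian's own /etc/logrotate.d/rsyslog uses (assumed present).
write_logrotate_rule() {
    dir="${1:-/etc}/logrotate.d"
    mkdir -p "$dir"
    cat > "$dir/domoticz" <<'EOF'
/var/log/domoticz.log
{
    rotate 7
    daily
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
EOF
    printf '%s\n' "$dir/domoticz"
}

# Sanity check before restarting: 'rsyslogd -N1' parses the configuration
# without starting the daemon. Skipped (returns 0) where rsyslogd is absent.
check_rsyslog_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "${1:-/etc/rsyslog.conf}"
    else
        echo "rsyslogd not installed; skipping config check"
    fi
}

# Usage (as root, on the Pi):
#   write_rsyslog_rule && exclude_local1_from_messages /etc/rsyslog.conf \
#     && write_logrotate_rule && check_rsyslog_config \
#     && systemctl restart rsyslog.service
```

Run it with a scratch directory first (`write_rsyslog_rule /tmp/test`) and inspect the output before touching /etc; after the real run, `rsyslogd -N1` and a `logger -p local1.info -t domoticz test` line landing only in /var/log/domoticz.log confirm both rules behave as intended.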


Rsyslog Rule Configuration

(Screenshot of the rsyslog rule configuration; image not reproduced here.)


Log Rotate Domoticz Configuration

(Screenshot of the Domoticz logrotate configuration; image not reproduced here.)
