0

When configuring rsyslog with TLS and using PermittedPeer or streamdriver.authmode name, if an unauthorized peer connects, rsyslog logs error messages like the ones below.

Jan 22 08:56:38 test rsyslogd-2089: netstream session 0x7f177401b740 from 10.0.0.7 will be closed due to error [try http://www.rsyslog.com/e/2089 ]
Jan 22 08:56:38 test rsyslogd-2088: error: peer name not authorized - not permitted to talk to it. Names: DNSname: *.test.com; DNSname: test.com; CN: *.test.com; [try http://www.rsyslog.com/e/2088 ]

If the client is persistent, rsyslog logs thousands of these messages.

Is there a way to tell the netstream driver to not log too many of these? I wouldn't mind seeing them to figure out which client is misconfigured or possible abuse, but there are just too many of these.

I am currently using the below entries, which completely discard these messages.

:msg, contains, "peer name not authorized" ~
:msg, regex, ".*netstream session .* from .* will be closed due to error" ~

This by the way generates the below warning message, even though recent documentation says this is the correct way to discard messages.

Jan 22 09:34:22 test: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ] 

2 Answers

1

It appears that you want to implement RepeatedMsgReduction.

In your global configuration directives (probably rsyslog.conf):

$RepeatedMsgReduction on 

From the Docs:

This directive specifies whether or not repeated messages should be reduced (this is the "Last line repeated n times" feature). If set to on, repeated messages are reduced. If set to off, every message is logged.

1
  • That is a global option and doesn't have a way to specify which messages should be reduced. I don't want other messages that might be repeating to be reduced. Also, not sure how repeated is calculated but, on a busy server, there will be a lot of other messages in between these, making them not repetitive. Commented Jan 22, 2015 at 17:28
0

I use RainerScript for configuration:

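template(name="discard_log" type="string" string="/dev/null")

# RainerScript has no "regex" comparison operator; re_match() performs the regex test
if re_match($msg, ".*netstream session .* from .* will be closed due to error") then {
    # Write matching messages to the file named by the template, then stop processing them
    action(type="omfile" DynaFile="discard_log")
    stop
}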

That would allow you to discard those messages. Or, you may change /dev/null to a dynamic template like /app/var/log/syslog/%fromhost-ip%-%$NOW%.log to log it somewhere separately that you can schedule a job to clean up. Hope that helps.
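As an added example (not part of either answer, and not rsyslog code): once the rejected-peer messages are routed to their own file, a short script can reduce thousands of them to per-client counts, which is what the question wants them for. The sample lines are constructed in the format quoted in the question, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input in the format quoted in the question.
_E89 = "[try http://www.rsyslog.com/e/2089 ]"
_E88 = "[try http://www.rsyslog.com/e/2088 ]"
_DENY = "error: peer name not authorized - not permitted to talk to it. Names:"
SAMPLE = f"""\
Jan 22 08:56:38 test rsyslogd-2089: netstream session 0x7f177401b740 from 10.0.0.7 will be closed due to error {_E89}
Jan 22 08:56:38 test rsyslogd-2088: {_DENY} DNSname: *.test.com; DNSname: test.com; CN: *.test.com; {_E88}
Jan 22 08:56:39 test rsyslogd-2089: netstream session 0x7f177401b740 from 10.0.0.7 will be closed due to error {_E89}
Jan 22 08:56:39 test rsyslogd-2088: {_DENY} DNSname: *.test.com; DNSname: test.com; CN: *.test.com; {_E88}
Jan 22 08:56:40 test rsyslogd-2089: netstream session 0x7f1774020000 from 10.0.0.9 will be closed due to error {_E89}
Jan 22 08:56:40 test rsyslogd-2088: {_DENY} CN: client.example.org; {_E88}
Jan 22 08:56:41 test sshd[411]: unrelated line that must be ignored
Jan 22 08:56:41 test rsyslogd-2089: netstream session 0x7f177401b740 from 10.0.0.7 will be closed due to error {_E89}
"""

# Error 2089 carries the peer address; error 2088 carries the rejected certificate names.
CLOSED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ rsyslogd-2089: "
                    r"netstream session \S+ from (\S+) will be closed due to error")
REJECTED = re.compile(r"rsyslogd-2088: error: peer name not authorized.*?Names: (.*?)\s*\[try ")

def summarize(lines):
    """Return ({ip: [count, first_seen, last_seen]}, Counter of rejected name sets)."""
    peers, names = {}, Counter()
    for line in lines:
        m = CLOSED.search(line)
        if m:
            ts, ip = m.groups()
            rec = peers.setdefault(ip, [0, ts, ts])
            rec[0] += 1
            rec[2] = ts          # lines arrive in time order, so the latest wins
            continue
        m = REJECTED.search(line)
        if m:
            names[m.group(1)] += 1
    return peers, names

def report(peers, names):
    """Format the summary, noisiest peer first."""
    out = [f"{ip}: {n} closed sessions, first {first}, last {last}"
           for ip, (n, first, last) in sorted(peers.items(), key=lambda kv: -kv[1][0])]
    out += [f"rejected names [{cert}]: {n}" for cert, n in names.most_common()]
    return out

if __name__ == "__main__":
    print("\n".join(report(*summarize(SAMPLE.splitlines()))))
```

The two message types are counted separately because the 2088 line does not include the peer address, and on a busy server pairing adjacent lines could attribute names to the wrong client.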
