melissaboiko/10-noisy.conf

## 10-noisy.conf
# /etc/rsyslog.d/10-noisy.conf
# filter out some noisy messages

# most software doesn't set $syslogtag, so you need to look for the identifier in the message.
# the problems here are baffling:
# - for reasons unknown, the message often starts with a space, though not necessarily
# - this makes it cumbersome to impossible to rely on `starts_with`
# - regexpes are significantly slower
# - `contains` is slower than `starts_with`, and may give false positives
# - the `ltrim()` function can't easily be applied to an action
# - you could potentially register a variable with the trimmed message, but this is making
#   your setup dependent on rsyslog-specific, undocumented, potentially ephemeral behaviour.

# my compromise is to accept false positives and go for a `contains` with the dæmon identifier
# followed by a colon.  most software has a way to add a prefix to $msg, including nftables.
# I additionally filter by $syslogfacility to reduce false positives.

# don't forget to add logrotate entries to these logfiles.

if $msg contains "nft:" and $syslogfacility-text == "kern" then {
    action(type="omfile" file="/var/log/nftables.log")
    stop
}
if $msg contains "iptables:" and $syslogfacility-text == "kern" then {
    action(type="omfile" file="/var/log/iptables.log")
    stop
}
if $msg contains "audit:" and $syslogfacility-text == "kern" then {
    action(type="omfile" file="/var/log/audit.log")
    stop
}

# vim: set ft=rsyslog

## noisy-rsyslog
# /etc/logrotate.d/noisy-rsyslog
# custom rsyslog files

/var/log/nftables.log
/var/log/iptables.log
/var/log/audit.log {
    rotate 14
    daily
    missingok
    notifempty
    compress
    delaycompress
    postrotate
      /usr/lib/rsyslog/rsyslog-rotate
    endscript

    # uses date as extensions for old logs
    # (foo.log.20220901 rather than foo.log.1)
    dateext
    dateformat .%Y%m%d
    # uses the date of log messages, not the date of rotation
    dateyesterday
}
# vim: ft=conf
	# /etc/rsyslog.d/10-noisy.conf
	# filter out some noisy messages

	# most software doesn't set $syslogtag, so you need to look for the identifier in the message.
	# the problems here are baffling:
	# - for reasons unknown, the message often starts with a space, though not necessarily
	# - this makes it cumbersome to impossible to rely on `starts_with`
	# - regexpes are significantly slower
	# - `contains` is slower than `starts_with`, and may give false positives
	# - the `ltrim()` function can't easily be applied to an action
	# - you could potentially register a variable with the trimmed message, but this is making
	# your setup dependent on rsyslog-specific, undocumented, potentially ephemeral behaviour.

	# my compromise is to accept false positives and go for a `contains` with the dæmon identifier
	# followed by a colon. most software has a way to add a prefix to $msg, including nftables.
	# I additionally filter by $syslogfacility to reduce false positives.

	# don't forget to add logrotate entries to these logfiles.

	if $msg contains "nft:" and $syslogfacility-text == "kern" then {
	action(type="omfile" file="/var/log/nftables.log")
	stop
	}
	if $msg contains "iptables:" and $syslogfacility-text == "kern" then {
	action(type="omfile" file="/var/log/iptables.log")
	stop
	}
	if $msg contains "audit:" and $syslogfacility-text == "kern" then {
	action(type="omfile" file="/var/log/audit.log")
	stop
	}

	# vim: set ft=rsyslog
	# /etc/logrotate.d/noisy-rsyslog
	# custom rsyslog files

	/var/log/nftables.log
	/var/log/iptables.log
	/var/log/audit.log {
	rotate 14
	daily
	missingok
	notifempty
	compress
	delaycompress
	postrotate
	/usr/lib/rsyslog/rsyslog-rotate
	endscript

	# uses date as extensions for old logs
	# (foo.log.20220901 rather than foo.log.1)
	dateext
	dateformat .%Y%m%d
	# uses the date of log messages, not the date of rotation
	dateyesterday
	}
	# vim: ft=conf