21

I want to stop rsyslog logging these messages.

[168707.740364] TCP: Peer 192.168.100.1:46199/41503 unexpectedly shrunk window 2027330493:2027331431 (repaired)

I tried this in the /etc/rsyslog.conf but the messages are still logged.

if $msg contains 'unexpectedly' then /dev/null

Can anyone point me in the right direction?

1
  • echo ":msg, contains, \"unexpectedly shrunk\" stop" > /etc/rsyslog.d/123-custom.conf && systemctl restart rsyslog.service && systemctl status rsyslog.service Commented Nov 21, 2022 at 10:28

4 Answers

16

If you use a recent version of rsyslog (7 for example), you need to do

& stop 

after your message. Failing to do so will give you

warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]

6

rsyslog needs a statement to stop logging after the match. Add this line immediately after the if statement you already have.

& ~ 

You may also need to move both statements up in the conf file so that they are parsed before some of the other statements which might be logging them to messages. I changed my rsyslog config to look like the following:

/etc/rsyslog.conf ($IncludeConfig /etc/rsyslog.d/*.conf)
/etc/rsyslog.d/40-specificdaemon.conf
/etc/rsyslog.d/99-general.conf

This ensures the order I want and makes it easy for config management to push out updates.

1
  • 4
    & ~ is deprecated in newer versions of rsyslog: rsyslog.com/doc/v8-stable/compatibility/v7compatibility.html. The ~ is also known as the discard action; if you search that page you'll see the note about it. You should be using & stop going forward. Commented Aug 31, 2015 at 17:40
1

These 2 commands seem to be working for me to stop logging lines containing "unexpectedly shrunk":

echo ":msg, contains, \"unexpectedly shrunk\" stop" | sudo tee -a /etc/rsyslog.d/123-custom.conf
sudo systemctl restart rsyslog.service && systemctl status rsyslog.service

That .conf file then contains:

:msg, contains, "unexpectedly shrunk" stop

and you can add the same text on a second line, using another string which you do not want to be logged. Journalctl continues to show those lines, but the log files no longer contain them.
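
An added example, not code from any of the answers: it writes the discard rule into a drop-in that loads early, narrows the match to kernel-facility messages so unrelated messages containing the same words are still logged, and checks the configuration with rsyslogd -N1 before restarting. The function names, the 10-drop-shrunk-window.conf file name and the assumption that the message arrives with the kern facility are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answers). Hypothetical names:
# make_rule, install_rule and the 10-drop-shrunk-window.conf file name.

nl='
'

# Print a RainerScript rule that discards only kernel-facility messages
# containing $1. Input that would break out of the quoted string is refused.
make_rule() {
    case $1 in
        ''|*\'*|*\\*|*"$nl"*) return 1 ;;
    esac
    printf "if \$syslogfacility-text == 'kern' and \$msg contains '%s' then stop\n" "$1"
}

# Write the rule into directory $1 for substring $2. The "10-" prefix makes
# the file sort, and so load, before later-numbered files that write logs.
install_rule() {
    rule=$(make_rule "$2") || return 1
    tmp=$(mktemp "$1/.drop.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp" && chmod 644 "$tmp" &&
        mv "$tmp" "$1/10-drop-shrunk-window.conf"
}

# Run as root with --apply: install, syntax-check the whole configuration,
# and restart only if the check passes; otherwise remove the new file.
if [ "${1:-}" = "--apply" ]; then
    install_rule /etc/rsyslog.d 'unexpectedly shrunk window' || exit 1
    if rsyslogd -N1; then
        systemctl restart rsyslog.service
    else
        rm -f /etc/rsyslog.d/10-drop-shrunk-window.conf
        exit 1
    fi
fi
```

Matching on the longer phrase and the facility keeps the filter from discarding other messages that merely contain "unexpectedly".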

0

The command is "$stop", not "$ stop". There's a huge difference there.

2
  • 10
    Please clarify. As far as I know, it is if ... then stop or & stop. Never seen a $stop variable mentioned anywhere. Did I miss something? Commented Jan 23, 2016 at 17:39
  • 1
    I think this is incorrect, it's ampersand- not dollar sign. Downvoted. Commented Jan 22, 2021 at 15:57
