Reduce the number of identical log messages

Q Can you help me reduce the number of identical log messages? When I first started using Linux there were lines of 'message repeated x times', but these have become rare. The problem is not really the size of the files but the difficulty of finding important single messages. I have appended below some of the common sequences that occur with Mepis 3.4. The first group of messages comes from my Zip drive breaking up the log through booting and beyond. The larger figure is the total size of the disc. Only the smaller is supplied by the partition table. The second group looks as if something is sending pings at one-minute intervals. So is the local IP address and is remote. The third group produces hundreds of these messages within a few seconds but this occurs only occasionally. You can see the signs of a race condition. There seems to be little effect on the functioning of my machine but I would like to be able to find more serious errors without having to trawl through so much guff. Here are examples of the messages:

Jul 18 19:07:40 localhost kernel: hdd: The disk reports a capacity of 752896000 bytes, but the drive only handles 752877568
Jul 18 19:07:40 localhost kernel: hdd: hdd4
Jul 18 19:13:20 localhost kernel: martian source from, on dev eth1
Jul 18 19:13:20 localhost kernel: ll header: ff:ff:ff:ff:
Jul 18 19:14:00 localhost kernel: [unmap_page_range+217/232] unmap_page_range+0xd9/0xe8
Jul 18 19:14:00 localhost kernel: [unmap_vmas+172/376] unmap_vmas+0xac/0x178
Jul 18 19:14:00 localhost kernel: [unmap_region+125/242] unmap_region+0x7d/0xf2

A I can think of three approaches to this. The first is to investigate the cause of the messages and deal with it, preventing them ever appearing. The system.txt file you sent was extremely helpful, as it helps pinpoint the cause of the third set of messages, which occur because you are using a 2.6.15 kernel with an Nvidia graphics card. The solution is to either upgrade to a newer kernel, or install SimplyMepis 6.0.

The 'martian' network entries refer to unroutable packets. In this case they are coming from an unroutable address - You can stop their being logged by doing echo "0" >/proc/sys/net/ipv4/conf/all/log_martians as root, but it would be a good idea to find the cause first. These could be caused by faulty or misconfigured network equipment, or they could be a sign of someone trying to exploit your computer. If they still occur while your network is disconnected from the internet, the cause is local, otherwise check your firewall.

The Zip error may be unavoidable, which brings us to the next approach: filter out everything you don't want to see. Run the logfile through grep to remove the 'noise' before viewing it, for example

grep -v -f /var/log/filter /var/log/messages | less

where /var/log/filter is a file containing the patterns you wish to filter out, one per line, such as

localhost kernel: *hdd:

The third approach to try is the most comprehensive, but also the most complex. You can configure the system logger to filter messages into different files (or even /dev/null). Mepis uses sysklogd, which has fairly limited filtering. You could replace sysklogd with syslog-ng and put this in /etc/syslog-ng/syslog-ng.conf to have all messages relating to hdd sent to a separate file.

destination messages { file("/var/log/messages"); };
destination d_zip { file("/var/log/zip"); };
filter f_zip { match("hdd"); };
filter f_nozip { not match("hdd"); };

Then replace the line that reads 'log { source(src); destination(messages); };' with

log { source(src); filter(f_nozip); destination(messages); };
log { source(src); filter(f_zip); destination(d_zip); };

The first filter matches all messages about hdd, which are sent to a separate file. The second matches those that don't contain hdd, which go to the standard log. You may need to tweak the search string, but keep it the same for both filters or you could lose messages.
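
The grep filtering approach above, combined with the 'message repeated x times' behaviour the question asks for, as an added example that is not part of the original answer: it drops lines matching a pattern file and collapses the remaining identical messages into one line each with a count and first-seen time, so a single unusual message stands out. The function names, the sample log, its 192.0.2.x addresses and the sshd line are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter known noise, then collapse repeated messages.

# summarize_log FILTER_FILE LOG_FILE
# Prints "<count>x first <timestamp>: <message>" for each distinct message,
# in order of first appearance. Timestamps are ignored when comparing.
summarize_log() {
    grep -v -f "$1" "$2" | awk '
    {
        ts = $1 " " $2 " " $3                    # syslog timestamp fields
        msg = $0
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)   # strip timestamp, keep host + text
        if (!(msg in count)) { order[++n] = msg; first[msg] = ts }
        count[msg]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%dx first %s: %s\n", count[order[i]], first[order[i]], order[i]
    }'
}

# Constructed sample log modelled on the messages quoted in the question.
# The addresses are documentation addresses, not values from the page.
demo() {
    dir=$(mktemp -d) || return 1
    # Same pattern as the /var/log/filter example in the answer.
    printf '%s\n' 'localhost kernel: *hdd:' > "$dir/filter"
    cat > "$dir/messages" <<'EOF'
Jul 18 19:07:40 localhost kernel: hdd: The disk reports a capacity of 752896000 bytes, but the drive only handles 752877568
Jul 18 19:07:40 localhost kernel: hdd: hdd4
Jul 18 19:13:20 localhost kernel: martian source 192.0.2.255 from 192.0.2.7, on dev eth1
Jul 18 19:14:20 localhost kernel: martian source 192.0.2.255 from 192.0.2.7, on dev eth1
Jul 18 19:15:20 localhost kernel: martian source 192.0.2.255 from 192.0.2.7, on dev eth1
Jul 18 19:15:31 localhost sshd[812]: Failed password for root from 192.0.2.44 port 4022 ssh2
EOF
    summarize_log "$dir/filter" "$dir/messages"
    rm -rf "$dir"
}

demo
```

Collapsing rather than filtering the martian lines keeps their count and first-seen time visible while their cause is still being investigated.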
