18

I want to stop rsyslog logging these messages.

[168707.740364] TCP: Peer 192.168.100.1:46199/41503 unexpectedly shrunk window 2027330493:2027331431 (repaired)

I tried this in the /etc/rsyslog.conf but the messages are still logged.

if $msg contains 'unexpectedly' then /dev/null

Can anyone point me in the right direction?

Stephen

3 Answers

12

If you use a recent version of rsyslog (7 for example), you need to do

& stop

after your message. Failing to do so will give you

warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
Karel
6

rsyslog needs a statement to stop logging after the match. Add this line immediately after the if statement you already have.

& ~

You may also need to move both statements up in the conf file so that they are parsed before some of the other statements which might be logging them to messages. I changed my rsyslog config to look like the following:

/etc/rsyslog.conf ($IncludeConfig /etc/rsyslog.d/*.conf)
/etc/rsyslog.d/40-specificdaemon.conf
/etc/rsyslog.d/99-general.conf

This ensures the order I want and makes it easy for config management to push out updates.

kashani
  • 4
    `& ~` is deprecated in newer versions of rsyslog: http://www.rsyslog.com/doc/v8-stable/compatibility/v7compatibility.html. The `~` is also known as the discard action, if you search that page you'll see the note about it. You should be using `& stop` going forward. – slm Aug 31 '15 at 17:40
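
The filter from the two answers above, written out as an added example (not code from any of the posters). The file name is hypothetical, and the match is narrowed to the kernel facility and the phrase from the log line in the question, which is an assumption about what should be dropped.

```conf
# Hypothetical drop-in: /etc/rsyslog.d/10-drop-tcp-shrunk-window.conf
# Files matched by $IncludeConfig /etc/rsyslog.d/*.conf are read in sorted
# order, so a low number places this filter ahead of the rules that write
# kernel messages to a log file.

# Older form. Still parsed by rsyslog 7 and later, but "~" triggers the
# deprecation warning quoted in the first answer:
#
#   if $msg contains 'unexpectedly' then ~

# Current form (rsyslog 7 and later). Matching on the kern facility and the
# full phrase keeps unrelated messages that merely contain the word
# "unexpectedly" in the logs.
if $syslogfacility-text == 'kern' and $msg contains 'unexpectedly shrunk window' then {
    stop
}

# Two-line form matching the answers (write to /dev/null, then stop
# processing the message):
#
#   if $syslogfacility-text == 'kern' and $msg contains 'unexpectedly shrunk window' then /dev/null
#   & stop
```

Check the syntax with `rsyslogd -N1` before restarting rsyslog. The kernel still emits the message, so it stays visible in `dmesg`; only rsyslog's copy is discarded.
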
1

The command is "$stop", not "$ stop". There's a huge difference there.

  • 9
    Please clarify. As far as I know, it is `if ... then stop` or `& stop`. Never seen a `$stop` variable mentioned anywhere. Did I miss something? – mivk Jan 23 '16 at 17:39
  • I think this is incorrect, it's ampersand, not dollar sign. Downvoted. – Mike S Jan 22 '21 at 15:57