rsyslog, is there a way to see the facility codes of messages received?

I have a Cisco FTD sending logs to it tagged with local3 (19); however, I am still seeing some messages ending up in my users.log instead of where I have them configured to be sent. Is that where they would end up if untagged, or is there a way to verify they are being tagged with ‘user’ or facility code 1? I do not have user commented out in my rsyslog.conf.

Go to Source
Author: Security_Pete
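One way to check what facility incoming messages actually carry is to look at the PRI prefix `<N>` on the raw line (N = facility * 8 + severity), for example in lines rsyslog writes with a template that uses the `%rawmsg%` property. This Python example is added here and is not part of the original post; the FTD sample lines are constructed.

```python
import re
from collections import Counter

# Facility names by number (RFC 5424, section 6.2.1): user is 1, local3 is 19.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 section 4.3.3: a message arriving without a valid PRI is treated
# as <13>, i.e. user.notice. That is why untagged messages land in user.*.
DEFAULT_PRI = 13
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(raw):
    """Return (facility_name, facility_num, severity_name, severity_num, had_pri).

    PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8.
    A missing or out-of-range PRI (valid range is 0..191) falls back to <13>.
    """
    m = PRI_RE.match(raw)
    had_pri = bool(m) and int(m.group(1)) <= 191
    pri = int(m.group(1)) if had_pri else DEFAULT_PRI
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], fac, SEVERITIES[sev], sev, had_pri


def facility_histogram(lines):
    """Count raw messages per facility; untagged ones are counted as 'user'."""
    return Counter(decode_pri(line)[0] for line in lines)


# Constructed sample of raw messages as a receiver would see them on the wire.
SAMPLE_LINES = [
    "<157>Aug  1 08:39:00 ftd-1 %FTD-5-000000: constructed local3.notice line",
    "<158>Aug  1 08:39:01 ftd-1 %FTD-6-000000: constructed local3.info line",
    "<13>Aug  1 08:39:02 ftd-1 constructed line explicitly tagged user.notice",
    "Aug  1 08:39:03 ftd-1 constructed line with no PRI at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fac, fnum, sev, snum, tagged = decode_pri(line)
        print(f"{fac}({fnum}).{sev}({snum}) had_pri={tagged}: {line[:40]}")
    print(facility_histogram(SAMPLE_LINES))
```

Feed it real raw lines and any message that decodes as user(1) without a PRI is one the sender did not tag at all, which is the case the rsyslog user.* rule will catch.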

How to stop truncate command safely

I am trying to empty my syslog.1 file which was flooded with some messages and has the size of 77 GB. I did

sudo truncate -s 0 /var/log/syslog.1

but the command is taking more than 2 hours to return. Is it safe to stop it by Ctrl-C or by the kill command? I am afraid that these methods may cause inconsistency in the file system. Is there a better way?

The system is Ubuntu 16.04. The root partition where /var/log/syslog.1 sits is almost full due to the sudden increase in size of this file as well as /var/log/syslog and /var/log/kern.log. The latter files are still continuing to grow, but the command line is still responsive.

Go to Source
Author: norio

logrotate – file owner issue

I want to rotate the syslog for testing.

sudo logrotate -f /var/log/syslog
[sudo] password for stephen: 
error: Ignoring /var/log/syslog because the file owner is wrong (should be root or user with uid 0).

Owner is like this:

ll /var/log/syslog
-rw-r----- 1 syslog adm 268K 2020-08-01 08:39 /var/log/syslog

Okay but let’s try with a root shell.

#echo $UID
0
#logrotate -f /var/log/syslog
error: Ignoring /var/log/syslog because the file owner is wrong (should be root or user with uid 0).

Where is the error? What is the workaround?

Go to Source
Author: Stephen Boston