I have CentOS 6 servers running OpenLDAP. In the rsyslog.conf, I forward the logs to my central server with this line:
*.* @10.10.10.10:514
OpenLDAP seems incredibly chatty. I have 3 servers in a multi-master cluster. Those 3 servers generate twice as many logs as my other 80 servers combined.
I have been unsuccessful in figuring out how to tell OpenLDAP to use a sensible log level. (We never specifically set the log level.) Since these are my main authentication sources, I'm a bit hesitant to "play around" with them. Is there a way to tell rsyslog to forward everything EXCEPT LOCAL4?
I discovered the solution. OpenLDAP uses the syslog facility LOCAL4 by default, and in my CentOS 6 servers, that is not defined.
However, I have the
which includes local4, which was not defined elsewhere.
In order to specifically exclude (I noticed this on the line that deals with /var/log/messages) I can just do this:
I could also combine this with others, like:
In the above, it appears from my testing that it forwards everything except local4, or anything "below" debug on mail, or error on local7.
This appears to keep my logstash data much, much clearer.
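
An added example, not part of the original post and not rsyslog's own code: a small Python model of traditional (sysklogd-style) selector evaluation, for dry-running a selector such as `*.*;local4.none` against sample traffic before changing a production authentication server. The function names, the selectors shown and the sample messages are constructed for illustration; the model assumes clauses are applied left to right and that a named priority means that level and everything more severe.

```python
# Added example: a model of sysklogd-style selector matching, not rsyslog's code.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}

def compile_selector(selector):
    """Return {facility: set of forwarded severities}; clauses apply left to right."""
    mask = {fac: set() for fac in FACILITIES}
    for clause in selector.split(";"):
        facs, _, prio = clause.strip().partition(".")
        negate = single = False
        while prio[:1] in ("!", "="):      # "!" inverts, "=" means this level only
            negate |= prio[0] == "!"
            single |= prio[0] == "="
            prio = prio[1:]
        prio = ALIASES.get(prio, prio)
        if prio == "none":                  # facility.none clears every level
            chosen, negate = set(SEVERITIES), not negate
        elif prio == "*":
            chosen = set(SEVERITIES)
        elif single:
            chosen = {SEVERITIES[SEVERITIES.index(prio)]}
        else:                               # named level and everything more severe
            chosen = set(SEVERITIES[:SEVERITIES.index(prio) + 1])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if negate:
                mask[fac] -= chosen
            else:
                mask[fac] |= chosen
    return mask

def forwards(selector, facility, severity):
    """True if a message with this facility and severity matches the selector."""
    return severity in compile_selector(selector)[facility]

# Constructed sample traffic as (facility, severity, message); not real log data.
SAMPLE = [
    ("local4", "debug", "slapd: conn=1001 op=2 SRCH (constructed)"),
    ("authpriv", "info", "sshd: Accepted publickey for admin (constructed)"),
    ("mail", "info", "postfix/smtpd: connect from unknown (constructed)"),
    ("local4", "err", "slapd: replication error (constructed)"),
]

def dry_run(selector, sample=SAMPLE):
    """Return the sample messages the selector would forward."""
    return [msg for fac, sev, msg in sample if forwards(selector, fac, sev)]

if __name__ == "__main__":
    for sel in ("*.*", "*.*;local4.none", "*.*;local4.none;local4.warning"):
        print(sel, "->", dry_run(sel))
```

In this model the third selector drops the routine local4 traffic but still forwards local4 messages at warning and above, which keeps error-level events from the LDAP servers visible on the central server.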