How do I stop postfix log info going into syslog?

We have a vps running Ubuntu 10.04.4 LTS, and while trying to find a solution to a php problem, I've become aware of what looks like a problem with the syslog system - I'm not sure though.

The syslog.conf file looks like this:

    auth,authpriv.*      -/var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
#cron.*          -/var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*              -/var/log/kern.log
lpr.*               -/var/log/lpr.log
mail.*              -/opt/psa/var/log/maillog
user.*              -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info           -/var/log/mail.info
mail.warning            -/var/log/mail.warn
mail.err         -/var/log/mail.err


# Logging for INN news system
#
news.crit        -/var/log/news/news.crit
news.err         -/var/log/news/news.err
news.notice         -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warning;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg             *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#   news.=crit;news.=err;news.=notice;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warning    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warning    |/dev/xconsole

And the /var/log/syslog file contains loads of entries like this:

    Jun 10 04:04:00 lvps109-104-93-171 postfix/qmgr[688]: 814E0676E997: removed
Jun 10 04:04:01 lvps109-104-93-171 postfix/smtpd[11105]: connect from mail-we0-f196.google.com[74.125.82.196]

/var/log/mail.info, /var/log/mail.warn, & /var/log/mail.err are all empty despite the above configuration directing the relevant messages to them.

I've tried adding 'mail.* -/var/log/mail.log' to the conf file to see whether I can get the smtp & qmgr messages repeated there, but that log file remains empty too.

I tried changing '*.*;auth,authpriv.none -/var/log/syslog' to *.*;auth,authpriv.none;mail.none -/var/log/syslog to see whether I could stop any postfix messages going into /var/log/syslog, but they continue to go there.

I've been searching for ages to find the command I need to redirect these postfix messages to the mail.log file, but posts I've found only seem to mention the .info, .err, & .warn messages. As far as I have been able to find out , the syslog daemon should be directing them to the relevant files.

So my questions are: How do I redirect the postfix messages away from /var/log/syslog? Why aren't the .warn, .info, & .err messages going where they should be?

Any help gratefully received - Many thanks.


Solution 1:

I guess you're using rsyslog? You have to tell rsyslog to stop process the message after writing into the appropriate file. This can be done with & ~.

mail.*                          -/var/log/mail.info
& ~

Put these lines before the line that contains *.*.

Restart syslog when it's done.

Solution 2:

This is what worked for me in Ubuntu 14.04.1 LTS to keep the mail items out of syslog:

*.*;mail,auth,authpriv.none     /var/log/syslog

And I split the mail logs into errors and non-errors with this, which also is working:

mail.debug;mail.!err    /var/log/mail.log
mail.err        /var/log/mail.err

Basically anything that's .debug level and above goes to mail.log, except for anything that's .err level and above which goes to the mail.err file.

The only thing I can think of that might have caused your mail log files to be empty would be having the - in front of the file path which I think has to do with not writing the log immediately.

Reference: 'Selectors' section of http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Solution 3:

Above, TraceElements said the following was part of the solution, but the first line seems counter-intuitive to me, namely:

*.*;mail,auth,authpriv.none     /var/log/syslog

What does that line do? It looks to me like it should ADD mail messages to /var/log/syslog, yet we are trying to do the opposite here. Ah ha, does it expand to mail.none perhaps? But then why did the OP's attempt at the following solution not work for him/her? That was:

*.*;auth,authpriv.none;mail.none -/var/log/syslog

but s/he said, "to see whether I could stop any postfix messages going into /var/log/syslog, but they continue to go there."

Is it simply that his/her second semi-colon is mucking it all up?

Anyway TraceElement's solution is working for me, on Ubuntu 16.04.2 LTS.

Solution 4:

On Ubuntu 18.04, I just changed a line in /etc/rsyslog.d/50-default.conf

from

*.*;auth,authpriv.none             -/var/log/syslog

to

*.*;auth,authpriv,mail.none        -/var/log/syslog

My understanding:

  • *.* selects messages from all facilities (auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7), with all priorities (debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg))
  • ; starts a new selector
  • auth,authpriv,mail.none selects auth, authpriv and mail facilities with no priority (meaning it selects none of the messages because all messages have a priority). This selector overrides the *.* selector for those particular facilities.