Sometimes it is calming to watch your server logs scroll by: mh, a wonky IP wants to ssh into my box, oh, a new email is coming in, hehe no spammer, this email is going to be rejected... But some log entries are just an annoyance. Oh, my email client is logging in again and out... and in again. Let’s get rid of these. I use syslog-ng for all logging purposes, so I will only focus on its configuration possibilities.

I have 3 main logfiles: boring cron output, all things mail, and everything else.

destination mail { file("/var/log/mail.log"); };
destination cron { file("/var/log/cron.log"); };
destination messages { file("/var/log/messages"); };

Settings for dovecot login/logout messages:

filter f_imaplogin { program("dovecot") and (match("(imap-login:.*|.* Disconnected:.*)" value("MESSAGE"))); };
filter f_mail { facility(mail) and not filter(f_imaplogin); };

As a second example of useless log entries, I want to eradicate the entries caused by monit, which tests whether my sshd is still running on every cycle.

filter f_monitssh { program("sshd") and message("Connection closed by"); };
filter f_messages { not facility(mail,cron) and not filter(f_monitssh); };
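
The f_monitssh pattern matches every sshd "Connection closed by" line, not only the ones monit causes, so it is worth checking what else it suppresses before deploying it. The following is an added example, not part of the original post: it approximates the filter with Python's `re` module over constructed sample lines and compares it with a narrowed pattern. The narrowed pattern assumes monit probes sshd from loopback on the same host; the sample log lines, addresses and helper names are made up for illustration.

```python
import re

# Constructed (program, message) samples; remote addresses are documentation ranges.
SAMPLES = [
    ("sshd", "Connection closed by 127.0.0.1 port 51514 [preauth]"),  # monit probe (assumed local)
    ("sshd", "Connection closed by ::1 port 51516 [preauth]"),        # monit probe over IPv6
    ("sshd", "Connection closed by 203.0.113.7 port 40022 [preauth]"),
    ("sshd", "Connection closed by authenticating user root 203.0.113.7 port 40100 [preauth]"),
    ("sshd", "Connection closed by invalid user admin 198.51.100.9 port 52311 [preauth]"),
    ("sshd", "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2"),
    ("dovecot", "imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10"),
]

# The post's filter: program("sshd") and message("Connection closed by")
BROAD = re.compile(r"Connection closed by")

# Narrowed variant: only disconnects coming from loopback (assumption: monit is local).
NARROW = re.compile(
    r"^Connection closed by (127\.0\.0\.1|::1)( port \d+)?( \[preauth\])?$"
)


def suppressed(pattern, samples=SAMPLES):
    """Messages that 'program("sshd") and message(<pattern>)' would drop."""
    return [msg for prog, msg in samples
            if re.search("sshd", prog) and pattern.search(msg)]


def lost_by_broad_filter(samples=SAMPLES):
    """Lines the broad filter drops that the narrowed one would still log."""
    kept_quiet = set(suppressed(NARROW, samples))
    return [msg for msg in suppressed(BROAD, samples) if msg not in kept_quiet]


if __name__ == "__main__":
    for line in lost_by_broad_filter():
        print("dropped by broad filter only:", line)
```

With these samples the broad pattern also hides three pre-authentication disconnects from remote addresses, which are the lines you would want when reviewing ssh probing against the box.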

As cron is fine and boring, there is no filtering here:

filter f_cron { facility(cron); };

That’s basically it. Now the only thing left to do is to tell syslog-ng where to put all these precious log entries.

log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_mail); destination(mail); };

Restart your syslog-ng and enjoy the silence.