[syslog-ng] Weird issue

Didier Conchaudron didier at conchaudron.net
Wed May 3 11:25:06 CEST 2006


Hi folks,

I've a loghost receiving tons of logs from many servers and I'm experiencing
problems regarding 2 destinations: log forwarding to another server, and
logs written to a file for each server.

The log forwarding works for most of the servers described in the filter
written below, but some logs from some servers are not forwarded. At first I
thought about a mistake in my regexp. For example, for the server
ptcassidc01.ad5.ad.foo.com, I tried host("ptcassidc01.ad5.ad.foo.com"),
host("ptcassidc01*"), and host("ptcassidc01"), but none of them works.

For the written log files I have the same problem: the logs which are not
forwarded are not written either.

So I'm thinking of a filter issue. Maybe it's too big and it can't be parsed
correctly. It's not a network issue; the network load is about 250 Kb/sec.

Regards,

Didier Conchaudron



Here are the destinations:

destination dest_soc_pilot_project {
        udp("an ip address" port(514));
};
destination dest_soc_exaprotect_agent {
        file("/data/logs/exaprotect/$HOST" owner(syslog) group(syslog) perm(0644));
};

Here's the filter I use:

filter f_soc_pilot_project {
        level(info...emerg)
        and not facility(mail)
        and (
                host("bcv51se9")
                or  host("bcv50s56")
                or  host("bcv50s9b")
                [ many many others, maybe 100 ]
                or  host("plwarsidc01")
                or  host("ptcassidc01")
        );
};

And finally the log statements:

log { source(net);   filter(f_soc_pilot_project); destination(dest_soc_pilot_project); };
log { source(local); filter(f_soc_pilot_project); destination(dest_soc_pilot_project); };
log { source(net);   filter(f_soc_pilot_project); destination(dest_soc_exaprotect_agent); };
log { source(local); filter(f_soc_pilot_project); destination(dest_soc_exaprotect_agent); };

Here are the main options:

options {
        owner("root");
        group("root");
        dir_perm(0750);
        perm(0640);
        log_fifo_size(10000);
        chain_hostnames(no);
        keep_hostname(yes);
        check_hostname(yes);
        use_dns(yes);
        dns_cache(yes);
        dns_cache_size(1000);
        dns_cache_expire(36000);
        dns_cache_expire_failed(900);
        use_fqdn(yes);
        create_dirs(yes);
        use_time_recvd(no);
        stats(6000);
        sync(50);
};
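A small audit helper for a filter like the one above, added here as an example and not part of the original post. It assumes syslog-ng evaluates each host("...") argument as an unanchored, case-sensitive regular expression searched within the message's HOST field, and it reports, for a list of HOST values actually seen in the logs, which patterns select each one (an empty list means that host's messages fall through the filter). The filter body and the observed HOST values below are constructed; the "[ many many others ]" from the post are not known.

```python
import re

# Constructed sample: a shortened copy of the filter from the post, including
# one of the glob-style variants the author tried.
FILTER_TEXT = """
filter f_soc_pilot_project {
        level(info...emerg)
        and not facility(mail)
        and (
                host("bcv51se9")
                or  host("bcv50s56")
                or  host("ptcassidc01*")
                or  host("ptcassidc01")
        );
};
"""

# Constructed HOST values as a receiver might see them: the FQDN from the
# post, an upper-case variant, and a message that arrived with an address
# in the HOST field instead of a name.
OBSERVED_HOSTS = [
    "ptcassidc01.ad5.ad.foo.com",
    "PTCASSIDC01",
    "10.0.0.1",
    "bcv50s56",
]

HOST_TERM_RE = re.compile(r'host\("([^"]*)"\)')


def host_patterns(filter_text):
    """Extract the argument of every host("...") term, in filter order."""
    return HOST_TERM_RE.findall(filter_text)


def matching_patterns(hostname, patterns):
    """Patterns that select hostname under the assumed semantics: an unanchored
    regex search, so host("ptcassidc01") also matches the FQDN, the match is
    case-sensitive, and a trailing '*' is a quantifier ("01*" means "0" followed
    by any number of "1"), not a shell-style wildcard."""
    return [p for p in patterns if re.search(p, hostname)]


def audit(hostnames, filter_text):
    """Map each observed HOST value to the host() patterns that select it."""
    patterns = host_patterns(filter_text)
    return {h: matching_patterns(h, patterns) for h in hostnames}


if __name__ == "__main__":
    for host, hits in audit(OBSERVED_HOSTS, FILTER_TEXT).items():
        print(f"{host:30} -> {hits or 'NO MATCH (dropped by filter)'}")
```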
