guys<br>
<br>
I've setup a central syslog-ng based server on RHEL4 using version 1.6.6.<br>
<br>
I have the central server set to log things to 2 destinations. Once to the regular logfile and again to an archive file.<br>
I open 2 terminals to it and tail -f both /var/log/messages and the appropriate archive file.<br>
Then I go to one of the clients and do : '/usr/bin/logger test' and watch.<br>
<br>
What is weird is this:<br>
<br>
/var/log/messages shows 'test' right away but the archive log takes about a minute to show it.<br>
<br>
Then on the client I do: /usr/bin/logger test2<br>
<br>
now it doesn't show up in either log<br>
<br>
then on the client i do: /usr/bin/logger test3<br>
<br>
and all of a sudden all 3 testlogs show up in both logs.<br>
<br>
This is not at all consistent though. I can repeat the test and this time it's the archive log that shows the log first<br>
and /var/log/messages takes its sweet time, or both take time. I understand
that it may take a little to send the stuff over the net <br>
but once it has reached the logserver why isn't it sent to both destinations at the same time ?<br>
<br>
INTERESTING NOTE: If I run the stresstest.sh script that comes with the
syslog-ng source on the client I ALWAYS see ALL logs immediately in both<br>
destinations on the log server. I had noticed before that sending a
couple of logs seems to help. As if syslog-ng decides to send logs in
bulk so if there<br>
is only one tiny log it appears to wait till there are more logs
- then it catches up. However, sometimes even a small log shows up right
away. Again - <br>
I can't see any consistency. Here is my log server syslog-ng.conf.<br>
<br>
###############################################################<br>
# First, set some global options.<br>
<br>
# Global options for the central log server.<br>
options { use_fqdn(no);<br>
use_dns(yes);<br>
dns_cache(yes);<br>
# keep_hostname(yes): the hostname carried inside the client's message is kept as-is,<br>
# so the $HOST macro used in the archive path below is client-supplied.<br>
keep_hostname(yes);<br>
long_hostnames(off);<br>
# sync(1): number of lines buffered before a write; sync(0) writes each message as it<br>
# arrives — worth checking against the single-message delay described above (confirm in the 1.6 docs).<br>
sync(1);<br>
stats(0);<br>
# Files and directories auto-created under create_dirs(yes) are unreadable to "other".<br>
create_dirs(yes);<br>
perm(0640);<br>
dir_perm(0750);<br>
};<br>
<br>
# Inputs: local kernel and syslog sockets, syslog-ng's own messages, plus two network listeners.<br>
source src { file("/proc/kmsg");<br>
unix-stream("/dev/log");<br>
internal();<br>
# UDP listener bound to a single address; TCP listener on every interface, port 5000, up to 1000 clients.<br>
# Neither listener authenticates the sender, so restrict reachability to the client subnet with host firewall rules.<br>
udp (ip("<a href="http://10.152.1.67">10.152.1.67</a>"));<br>
tcp(ip("<a href="http://0.0.0.0">0.0.0.0</a>")<br>
port(5000)<br>
max-connections(1000)<br>
keep-alive(yes));<br>
};<br>
<br>
<br>
# Per-purpose log files, the root console and a per-host/per-day archive tree.<br>
destination authlog { file("/var/log/auth"); };<br>
destination cron { file("/var/log/cron"); };<br>
destination uucp { file("/var/log/uucp"); };<br>
destination mail { file("/var/log/mail"); };<br>
destination messages { file("/var/log/messages"); };<br>
destination console { usertty("root"); };<br>
destination console_all { file("/dev/tty8"); };<br>
destination console_file { file("/var/log/console"); };<br>
# With keep_hostname(yes) the $HOST component comes from the client's message, so a client<br>
# picks the directory its archive lands in; limit which hosts can reach the listeners and<br>
# check how 1.6 treats path characters in $HOST before relying on this layout.<br>
destination arch { file("/usr/local/var/log_archive/$HOST/$YEAR/$MONTH/$DAY/archive"); };<br>
<br>
<br>
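# Facility and level filters used to route messages into the per-purpose files.<br>
filter f_auth { facility(auth, authpriv); };<br>
filter f_cron { facility(cron); };<br>
filter f_mail { facility(mail); };<br>
# Was facility(cron), which duplicated cron traffic into /var/log/uucp; the filter's name says uucp.<br>
filter f_uucp { facility(uucp); };<br>
filter f_messages { level(info .. warn) and<br>
not facility(auth, authpriv, cron, mail, news); };<br>
filter f_emergency { level(emerg); };<br>
# The trailing ")" inside this pattern looks like a typo; check what the intended regex is.<br>
filter f_notcron { not match("cron.minute)"); };<br>
# Noise suppression for the auth log and the archive. Note that "session opened for user root"<br>
# is dropped as well, so root session starts are not recorded on the server — consider keeping them.<br>
# The "****" addresses are redactions made for the post, not patterns to copy.<br>
filter f_auth_junk { not ( match("Accepted publickey for nagios from <a href="http://10.152.48.42">10.152.48.42</a>") or<br>
match("Accepted publickey for nagios from <a href="http://127.0.0.1">127.0.0.1</a>") or<br>
match("Accepted publickey for oracle from ********") or<br>
match("Accepted publickey for oracle from ********") or<br>
match("Accepted publickey for stucky from ********") or<br>
match("Accepted publickey for cfengine from **********") or<br>
match("COMMAND=/usr/local/nagios/home/check_duplex") or<br>
match("reconnecting to LDAP server.+sleeping") or<br>
match("session opened for user nagios") or<br>
match("session closed for user nagios") or<br>
match("session opened for user root"));<br>
};<br>
# Drops syslog-ng's own per-connection notices from /var/log/messages.<br>
filter f_junk { not ( match("]: AF_INET client connected from")); };<br>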
<br>
# Routing. A message can match several statements, so e.g. an emerg entry lands in console, console_file and arch.<br>
log { source(src); filter(f_auth); filter(f_auth_junk); destination(authlog); };<br>
log { source(src); filter(f_cron); filter(f_notcron); destination(cron); };<br>
log { source(src); filter(f_mail); destination(mail); };<br>
log { source(src); filter(f_uucp); destination(uucp); };<br>
log { source(src); filter(f_messages); filter(f_junk); destination(messages); };<br>
log { source(src); filter(f_emergency); destination(console); };<br>
log { source(src); filter(f_emergency); destination(console_file); };<br>
# Archive: no facility or level filter, so every message that passes the two junk filters is kept here.<br>
log { source(src); filter(f_auth_junk); filter(f_notcron); destination(arch); };<br>
<br>
<br>
<br>
<br>
and here is my syslog-ng.conf from the client:<br>
<br>
###############################################################<br>
# First, set some global options.<br>
<br>
# Global options on the client.<br>
options { use_fqdn(no); <br>
use_dns(yes); <br>
dns_cache(yes); <br>
keep_hostname(yes); <br>
long_hostnames(off); <br>
# sync(1): number of lines buffered before a write; sync(0) writes each message as it<br>
# arrives — worth checking against the delay seen on the server (confirm in the 1.6 docs).<br>
sync(1); <br>
stats(0);<br>
create_dirs(yes); <br>
};<br>
<br>
<br>
# Local inputs only; the client accepts nothing from the network.<br>
source src { file("/proc/kmsg");<br>
unix-stream("/dev/log");<br>
internal(); <br>
};<br>
<br>
<br>
# Local per-purpose files plus the forward to the central server.<br>
destination authlog { file("/var/log/auth"); };<br>
destination cron { file("/var/log/cron"); };<br>
destination kern { file("/var/log/kernel"); };<br>
destination uucp { file("/var/log/uucp"); };<br>
destination mail { file("/var/log/mail"); };<br>
destination messages { file("/var/log/messages"); };<br>
destination console { usertty("root"); };<br>
destination console_all { file("/dev/tty8"); };<br>
destination console_file { file("/var/log/console"); };<br>
# Forward to host "logger" over plain TCP on port 5000 (the name is resolved via DNS). Nothing in this<br>
# config protects the transport, so the path between client and server has to be trusted or tunnelled.<br>
destination loghost { tcp("logger" port(5000)); };<br>
<br>
<br>
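# Facility filters for the per-purpose files.<br>
filter f_authpriv { facility(auth, authpriv); };<br>
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };<br>
filter f_cron { facility(cron); };<br>
filter f_daemon { facility(daemon); };<br>
filter f_kern { facility(kern); };<br>
filter f_mail { facility(mail); };<br>
filter f_user { facility(user); };<br>
# Was facility(cron), which duplicated cron traffic into /var/log/uucp; the filter's name says uucp.<br>
filter f_uucp { facility(uucp); };<br>
filter f_messages { level(info .. warn) and not <br>
facility(auth, authpriv, cron, daemon, mail); };<br>
filter f_emergency { level(emerg); };<br>
<br>
# Per-level filters; not referenced by any log statement below.<br>
filter f_info { level(info); };<br>
filter f_notice { level(notice); };<br>
filter f_warn { level(warn); };<br>
filter f_crit { level(crit); };<br>
filter f_err { level(err); };<br>
<br>
# Console fan-out selectors.<br>
filter f_cnews { level(notice, err, crit) and facility(news); };<br>
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };<br>
<br>
# Drops nagios login noise from the local auth log and from the forwarded stream.<br>
# The "*********" address is a redaction made for the post, not a pattern to copy.<br>
filter f_nagios { not ( match("Accepted publickey for nagios from *********") or<br>
match("COMMAND=/usr/local/nagios/home/check_duplex") or<br>
match("session opened for user nagios") or<br>
match("session closed for user nagios"));<br>
# Closing brace was missing (possibly lost when pasting); without it the filter block is never terminated.<br>
};<br>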
<br>
# Local routing. kern messages are written to both /var/log/kernel and /var/log/messages.<br>
log { source(src); filter(f_authpriv); filter(f_nagios); destination(authlog); };<br>
log { source(src); filter(f_cron); destination(cron); };<br>
log { source(src); filter(f_daemon); destination(messages); };<br>
log { source(src); filter(f_kern); destination(kern); };<br>
log { source(src); filter(f_kern); destination(messages); };<br>
log { source(src); filter(f_mail); destination(mail); };<br>
log { source(src); filter(f_user); destination(messages); };<br>
log { source(src); filter(f_uucp); destination(uucp); };<br>
log { source(src); filter(f_messages); destination(messages); };<br>
log { source(src); filter(f_emergency); destination(console); };<br>
log { source(src); filter(f_cnews); destination(console_all); };<br>
log { source(src); filter(f_cother); destination(console_all); };<br>
log { source(src); filter(f_emergency); destination(console_file); };<br>
log { source(src); filter(f_cnews); destination(console_file); };<br>
log { source(src); filter(f_cother); destination(console_file); };<br>
# Everything except the f_nagios noise is forwarded; placement into files is decided on the server.<br>
log { source(src); filter(f_nagios); destination(loghost); };<br>
<br clear="all"><br>
This may also be a good opportunity to have someone check whether my configs are sane at all. I'm not 100% sure about them.<br>
I don't really want to log to all kinds of different files, rather I
want to have mail stuff go to mail, cron stuff to cron, auth stuff to
auth<br>
and the rest to messages.<br>
<br>
help would be appreciated.<br>-- <br>stucky