<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
Thank you Evan, does hostname chaining also force multiple logging?&nbsp; If not, does anyone know why I am logging my data to two locations instead of just one?<br><br>By the way, any good references to writing a good .conf file for this would be greatly appreciated.<br><br>Thanks again.<br><br>.vp<br><br>&gt; Date: Thu, 17 Jan 2008 14:26:43 -0800<br>&gt; From: erempel@uvic.ca<br>&gt; To: syslog-ng@lists.balabit.hu<br>&gt; Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad        Filter???<br>&gt; <br>&gt; You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most<br>&gt; directly logging hosts (no other relay syslogs).<br>&gt; <br>&gt; Try using a $FULLHOST_FROM or $HOST<br>&gt; <br>&gt; Evan Rempel<br>&gt; <br>&gt; wiskbroom@hotmail.com wrote:<br>&gt; &gt; Hello;<br>&gt; &gt; <br>&gt; &gt; I thought that I had all of my hosts set up to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.<br>&gt; &gt; <br>&gt; &gt; For instance, I have a host named linksys-1000, logs for this host get sent into:<br>&gt; &gt; <br>&gt; &gt; /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log<br>&gt; &gt; <br>&gt; &gt; as well as <br>&gt; &gt; <br>&gt; &gt; /var/log/ABCcorp/linksys-1000/linksys-1000.log<br>&gt; &gt; <br>&gt; &gt; Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place, there is no filter set up like this.<br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; Thanks all,<br>&gt; &gt; <br>&gt; &gt; .vp<br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; Here is a sample of my config file:<br>&gt; &gt; <br>&gt; &gt; ###########<br>&gt; &gt; # Destinations #<br>&gt; &gt; ##########<br>&gt; &gt; <br>&gt; &gt; destination D_switch       { file("/var/log/ABCcorp/switches/$FULLHOST.log"<br>&gt; &gt;                              perm(0644)); };<br>&gt; &gt; 
destination D_edge         { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log"                        perm(0644)); };<br>&gt; &gt; destination D_firewall     { file("/var/log/ABCcorp/firewalls/$FULLHOST.log"                           perm(0644)); };<br>&gt; &gt; destination D_router       { file("/var/log/ABCcorp/routers/$FULLHOST.log"<br>&gt; &gt;                              perm(0644)); };<br>&gt; &gt; destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log"<br>&gt; &gt;                              perm(0644)); };<br>&gt; &gt; destination D_udp          { file("/var/log/ABCcorp/$FULLHOST.log"<br>&gt; &gt;                              perm(0644)); };<br>&gt; &gt; <br>&gt; &gt; destination D_hosts          { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"<br>&gt; &gt;                              owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };<br>&gt; &gt; <br>&gt; &gt; #######<br>&gt; &gt; # Filters #<br>&gt; &gt; #######<br>&gt; &gt; <br>&gt; &gt; destination D_db_discard     { file("/var/log/discard.log"); };<br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; destination D_db_mysql {<br>&gt; &gt;         pipe("/var/log/mysql.pipe"<br>&gt; &gt;                 template("INSERT INTO logs<br>&gt; &gt;                 (host, facility, priority, level, tag, datetime, program, msg)<br>&gt; &gt;                 VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',<br>&gt; &gt;                 '$PROGRAM', '$MSG' );\n") template-escape(yes));<br>&gt; &gt; };<br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; filter F_edge        { host("edge*") or host("192.116.*"); };<br>&gt; &gt; filter F_router      { host("gw*") or host("rtr") or host("router"); };<br>&gt; &gt; filter F_switch      { host("sw*") or host("sw1") or host("sw2"); };<br>&gt; &gt; filter F_firewall    { host("^fw*"); };<br>&gt; &gt; filter F_accesspoints { host("^linksys*"); };<br>&gt; &gt; filter F_InternetIP  { 
host("192.116.19.*"); };<br>&gt; &gt; <br>&gt; &gt; #######<br>&gt; &gt; #  Logs   #<br>&gt; &gt; #######<br>&gt; &gt; <br>&gt; &gt; log { source(S_udp); filter(F_switch); destination(D_switch); };<br>&gt; &gt; log { source(S_udp); filter(F_router); destination(D_router); };<br>&gt; &gt; log { source(S_udp); filter(F_edge); destination(D_edge); };<br>&gt; &gt; log { source(S_udp); filter(F_firewall); destination(D_firewall); };<br>&gt; &gt; log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };<br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; log { source(S_udp); destination(D_udp);};<br>&gt; &gt; log { source(S_udp); destination(D_db_mysql); };<br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; <br>&gt; &gt; ------------------------------------------------------------------------<br>&gt; &gt; <br>&gt; &gt; _______________________________________________<br>&gt; &gt; syslog-ng maillist  -  syslog-ng@lists.balabit.hu<br>&gt; &gt; https://lists.balabit.hu/mailman/listinfo/syslog-ng<br>&gt; &gt; Frequently asked questions at http://www.campin.net/syslog-ng/faq.html<br>&gt; &gt; <br>&gt; <br></body>
</html>