On 4/28/05, Andrew Culver <aculver@uwo.ca> wrote:
I have syslog-ng running on a central logging host. Messages received are stored first in a per-host log and then in a per-facility log. The messages that go into the per-facility logs depend on filters that I define, but EVERYTHING from a host should appear in its per-host logs.
I'm finding that many messages from some hosts are appearing in the per-service log but not in the per-host logs. Has anyone else experienced anything like this? Any solutions? TIA
Interesting problem. I notice that your per-host filters use pattern matches, but the per-service logs are matches against the log facility. Perhaps there is something about the messages or the pattern that causes some of the events not to match the host patterns?

I have something similar, where I log messages to certain destinations based on the source host, and separately match on priority to send 'critical' messages to an additional destination. To accomplish this, I use a set of exact matches instead of regex patterns, so my filters look like

    filter f_somehost { host("host") or host("ip") };

Do you see any pattern in time or content or format for events that do not get written to the per-host logfile?

Kevin Kadow
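One way to look for the pattern asked about above, as an added example that is not part of the original thread: compare a per-service log against the per-host logs and summarize the events that are missing by the form of the host field and by hour. The sample lines, host names and the classic "Mmm dd hh:mm:ss host message" file format are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Classic BSD-style line as written to a file destination (assumed format):
# "Apr 28 10:15:02 host program[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")

def parse(lines):
    """Yield (timestamp, host, message) for each well-formed line."""
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if m:
            yield m.groups()

def host_form(host):
    """Classify how the sender is named in the host field."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "ip"
    return "fqdn" if "." in host else "short"

def missing_from_host_logs(service_lines, host_logs):
    """Events present in a per-service log but in none of the per-host logs."""
    seen = set()
    for lines in host_logs.values():
        seen.update(parse(lines))
    return [ev for ev in parse(service_lines) if ev not in seen]

def summarize(missing):
    """Count missing events by host-field form and by hour of day."""
    by_form = Counter(host_form(host) for _, host, _ in missing)
    by_hour = Counter(ts.split()[2][:2] for ts, _, _ in missing)
    return by_form, by_hour

# Constructed sample data: one per-service log and two per-host logs.
SERVICE_LOG = [
    "Apr 28 10:15:02 web1 sshd[411]: Accepted publickey for admin",
    "Apr 28 10:15:09 web1.example.org sshd[412]: Failed password for root",
    "Apr 28 11:02:44 192.0.2.10 sshd[97]: Connection closed",
    "Apr 28 11:03:01 db1 sshd[88]: Accepted publickey for backup",
]
HOST_LOGS = {
    "web1": ["Apr 28 10:15:02 web1 sshd[411]: Accepted publickey for admin"],
    "db1": ["Apr 28 11:03:01 db1 sshd[88]: Accepted publickey for backup"],
}

if __name__ == "__main__":
    missing = missing_from_host_logs(SERVICE_LOG, HOST_LOGS)
    for ts, host, msg in missing:
        print(f"missing: {ts} {host} {msg}")
    print(summarize(missing))
```

If the missing events cluster on one form of the host field (for example a fully qualified name or a bare IP address), the per-host filter patterns are the first place to look.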