Here's my complete syslog-ng.conf file. It only has a single reference to each destination.

---syslog-ng.conf---
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 10 Aug 2002
#       - for Red Hat 7.3
#       - totally do away with klogd
#       - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
#       - use the log_prefix option as per Balazs Scheidler's email
#

options {
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    dir_perm (0755);
    perm(0644);
    chain_hostnames(yes);
    keep_hostname (no);
    use_time_recvd(yes);
    time_reap(1);
};

source remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

source local {
    pipe ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

# SDW Inbox destinations start here
destination d_alcatel { file("/var/nsm/inbox/switch/alcatel/7450/syslog/alcatel-$MONTH$DAY$HOUR$MIN"); };
destination d_arbor { file("/var/nsm/inbox/nids/arbor_networks/peakflow_dos/2.5/syslog/arbor-$MONTH$DAY$HOUR$MIN"); };
destination d_nortel { file("/var/nsm/inbox/switch/nortel/passport_8600/syslog/nortel-$MONTH$DAY$HOUR$MIN"); };
destination d_juniper { file("/var/nsm/inbox/oslog/juniper/junos/6.4/syslog/juniper-$MONTH$DAY$HOUR$MIN"); };
destination d_pix { file("/var/nsm/inbox/fw/cisco/pix/6.0/syslog/pix-$MONTH$DAY$HOUR$MIN"); };
destination d_ios { file("/var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-$MONTH$DAY$HOUR$MIN"); };
destination d_snort { file("/var/nsm/inbox/nids/snort.org/snort/1.9/syslog/snort-$MONTH$DAY$HOUR$MIN"); };
destination d_netscreen { file("/var/nsm/inbox/fw/netscreen/netscreen/syslog/netscreen-$MONTH$DAY$HOUR$MIN"); };
destination d_neoteris { file("/var/nsm/inbox/fw/netscreen/neoteris/3.2/syslog/neoteris-$MONTH$DAY$HOUR$MIN"); };
destination d_solaris { file("/var/nsm/inbox/oslog/sun/solaris/7/syslog/solaris-$MONTH$DAY$HOUR$MIN"); };
destination d_gnu { file("/var/nsm/inbox/oslog/gnu/tools/syslog/gnu-$MONTH$DAY$HOUR$MIN"); };
destination d_tripwire { file("/var/nsm/inbox/hids/tripwire/tripwire_for_servers/3/syslog/tripwire-$MONTH$DAY$HOUR$MIN"); };
destination d_sidewinder { file("/var/nsm/inbox/fw/secure_computing/sidewinder/g2/syslog/sidewinder-$MONTH$DAY$HOUR$MIN"); };
destination d_dragon { file("/var/nsm/inbox/nids/enterasys/dragon/6.0/syslog/dragon-$MONTH$DAY$HOUR$MIN"); };
destination d_catchall { tcp("154.11.193.8" port(514)); };
destination d_dump { file("/var/tmp/dump-$MONTH$DAY$HOUR"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

# Filters for NSM supported products start here
filter f_pix { match(PIX); };
filter f_tripwire { match(tripwire); };
filter f_snort { program(snort); };
filter f_netscreen { match(NetScreen); };
filter f_neoteris { match(Neoteris); };
filter f_arbor { match(Neoteris); };
filter f_alcatel { match(TMNX) and (match(login) or match(logout)); };
filter f_juniper { match("LOGIN_") or match("ASP_") or match("UI_") ; };
filter f_nortel { match("\\[[[:digit:]]{2}/[[:digit:]]{2}/[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}\\]"); };
#filter f_nortel_test { match("\\[[[:digit:]]{2}/[[:digit:]]{2}/[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}\\]"); };
# IOS filter is IP address/hostname based, customize for your network
filter f_ios { match(%) and not match(PIX); };
# Solaris filter is IP address/hostname based, customize for your network
#filter f_solaris { host("192\.168\.101\.2"); };
# GNU filter is IP address/hostname based, customize for your network
#filter f_gnu { host("192\.168\.101\.3"); };
# Sidewinder filter is IP address/hostname based, customize for your network
#filter f_sidewinder { host("192\.168\.101\.4"); };
# Dragon filter is IP address/hostname based, customize for your network
#filter f_dragon { host("192\.168\.101\.5"); };
#filter f_only_printable_chars { match("^[[\s!-~]]*$"); };
filter f_only_printable_chars { match(^[[:print:]]*$); };
filter f_troubleshoot { host("207\.229\.63\.39"); };
filter f_test { match(TEST); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(local); filter(f_filter2); destination(d_mesg); };
log { source(local); filter(f_filter3); destination(d_auth); };
log { source(local); filter(f_filter4); destination(d_mail); };
log { source(local); filter(f_filter5); destination(d_mlal); };
log { source(local); filter(f_filter6); destination(d_spol); };
log { source(local); filter(f_filter7); destination(d_boot); };
log { source(local); filter(f_filter8); destination(d_cron); };

# Log NSM supported devices to the correct inbox
log { source(remote); filter(f_only_printable_chars); filter(f_pix); destination(d_pix); };
log { source(remote); filter(f_only_printable_chars); filter(f_ios); destination(d_ios); };
log { source(remote); filter(f_only_printable_chars); filter(f_snort); destination(d_snort); };
log { source(remote); filter(f_only_printable_chars); filter(f_netscreen); destination(d_netscreen); };
log { source(remote); filter(f_only_printable_chars); filter(f_neoteris); destination(d_neoteris); };
log { source(remote); filter(f_only_printable_chars); filter(f_tripwire); destination(d_tripwire); };
log { source(remote); filter(f_only_printable_chars); filter(f_arbor); destination(d_arbor); };
#log { source(remote); filter(f_arbor); destination(d_arbor); };
log { source(remote); filter(f_only_printable_chars); filter(f_juniper); destination(d_juniper); };
#log { source(remote); filter(f_juniper); destination(d_juniper); };
log { source(remote); filter(f_only_printable_chars); filter(f_alcatel); destination(d_alcatel); };
log { source(remote); filter(f_only_printable_chars); filter(f_nortel); destination(d_nortel); };
log { source(remote); filter(f_only_printable_chars); destination(d_catchall); };
#log { source(remote); destination(d_dump); };
#log { source(remote); filter(f_sidewinder); destination(d_sidewinder); };
#log { source(remote); filter(f_only_printable_chars); filter(f_dragon); destination(d_dragon); };
#log { source(remote); destination(d_catchall); };
#log { source(remote); filter(f_solaris); destination(d_solaris); };
#log { source(remote); filter(f_gnu); destination(d_gnu); };

# Use the following line for testing only and clean up /var/tmp/dump when done
#log { source(remote); destination(d_dump); };
#log { source(remote); filter(f_troubleshoot); destination(d_dump); };
#log { source(remote); filter(f_only_printable_chars); destination(d_dump); };
#log { source (local); filter(f_only_printable_chars); filter(f_nortel_test); destination(d_dump); };
#log { source(local); filter(f_test); destination(d_dump); };
---end syslog-ng.conf---

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, June 30, 2005 3:16 AM
To: Syslog-ng users' and developers' mailing list
Subject: RE: [syslog-ng] Error parsing conf file?

On Thu, 2005-06-30 at 11:07 +0200, Balazs Scheidler wrote:
On Tue, 2005-06-28 at 09:46 -0600, Zb Indelak wrote:
*** Problems start here ***
syslog-ng 1651 root 82w REG 8,8 489 5216302 /var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-06280843
syslog-ng 1651 root 83w REG 8,8 489 5216302 /var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-06280843
[root@simda02 NSM]# ps -ef|grep syslog
root 1651 1 0 15:36 ? 00:00:01 ./syslog-ng -f /etc/syslog-ng/syslog-ng.conf
root 1682 1508 0 15:39 pts/2 00:00:00 grep syslog
[root@simda02 NSM]# kill -9 1651
[root@simda02 NSM]# echo;date;lsof +d /var/nsm/inbox/router/cisco/ios/12.0/syslog
This seems to be an unrelated issue that it opens the same file multiple times. This is no good. I'll look into this as well.
I don't really see how syslog-ng could open the same file twice, unless you had multiple file() destinations which refer to the same file. Is it the case? (judging your posted configuration, it is not, but maybe you did not copy-paste your complete config.)

--
Bazsi
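
The two conditions raised in this thread (several file() destinations resolving to the same path template, and one destination referenced from more than one log path) can be checked mechanically. The script below is an added example, not part of the original messages or of syslog-ng; the sample config is constructed in the style of the posted file, and `d_ios_copy`, `d_fwd` and the second log path into `d_ios` are hypothetical entries added so both checks report something.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of the posted config. d_ios_copy, d_fwd and
# the second log path into d_ios are hypothetical, added so both checks fire.
SAMPLE_CONF = r'''
destination d_pix { file("/var/nsm/inbox/fw/cisco/pix/6.0/syslog/pix-$MONTH$DAY$HOUR$MIN"); };
destination d_ios { file("/var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-$MONTH$DAY$HOUR$MIN"); };
destination d_ios_copy { file("/var/nsm/inbox/router/cisco/ios/12.0/syslog/ios-$MONTH$DAY$HOUR$MIN"); };
destination d_fwd { tcp("192.0.2.10" port(514)); };
#log { source(remote); destination(d_dump); };
log { source(remote); filter(f_pix); destination(d_pix); };
log { source(remote); filter(f_ios); destination(d_ios); };
log { source(remote); filter(f_test); destination(d_ios); };
'''

DEST_RE = re.compile(r'\bdestination\s+(\w+)\s*\{(.*?)\}\s*;', re.S)  # definitions
FILE_RE = re.compile(r'\bfile\s*\(\s*"([^"]+)"')                       # file("...") drivers
LOG_RE = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.S)                    # log paths
REF_RE = re.compile(r'\bdestination\s*\(\s*(\w+)\s*\)')                # references

def strip_comments(conf):
    # Assumes '#' never appears inside a quoted string (true of the posted file).
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def audit(conf):
    """Return (paths shared by several destinations, destinations used by several log paths)."""
    conf = strip_comments(conf)
    by_path = defaultdict(list)
    for name, body in DEST_RE.findall(conf):
        for path in FILE_RE.findall(body):
            by_path[path].append(name)
    refs = Counter()
    for body in LOG_RE.findall(conf):
        refs.update(REF_RE.findall(body))
    dup_paths = {p: names for p, names in by_path.items() if len(names) > 1}
    multi_ref = {d: n for d, n in refs.items() if n > 1}
    return dup_paths, multi_ref

if __name__ == "__main__":
    dup_paths, multi_ref = audit(SAMPLE_CONF)
    for path, names in dup_paths.items():
        print("same file() path in:", ", ".join(names), "->", path)
    for dest, count in multi_ref.items():
        print(dest, "is referenced by", count, "log paths")
```

To audit a real file, pass its contents to `audit()` instead of `SAMPLE_CONF`; commented-out statements are ignored, so only active definitions and log paths are counted.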