On Tue, 2010-02-23 at 14:57 -0800, Lance Laursen wrote:
You are defining many log statements for the same source and destination pair. This is unnecessary and likely causing problems. Since you have one source (src) that you want to apply many filters to prior to writing out to (message), you should be consolidating all of your source(src) destination(messages) into one log command:
log { source(src); filter(not_ntpd); filter(f_notice); filter(f_not_authpriv); filter(f_kern); filter(f_debug); filter(f_lpr); filter(f_info); filter(f_mail); filter(f_crit); destination(messages); };
If you want to log to files like /var/log/mail and /var/log/kern.log AS WELL as /var/log/messages, you can use that statement as-is. If you just want everything from source(src) to log to /var/log/messages, put a flags(final); at the end of your log statement, or just simplify and consolidate your log statement to:
log { source(src); filter(not_ntpd); filter(f_not_authpriv); destination(messages); };
Remember the placement of your log statement containing flags(final); above or below your other log statements matters. If syslog-ng matches something and then sees a flags(final);, it will no longer write that log entry out to any other file afterwards.
It might also be useful to know that syslog-ng starting with 3.0 supports embedded log statements, e.g. you can do things like:

log {
    source(src);
    filter(f_filter1);
    log { filter(f_filter2); destination(d_dst1); };
    log { filter(f_filter3); destination(d_dst2); };
};

e.g.
d_dst1 would receive filter1 && filter2
d_dst2 would receive filter1 && filter3

This will reduce the number of "final" flags needed for a given configuration, and also reduce the number of operations needed to process a message.

-- 
Bazsi
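The routing behaviour discussed in this thread, as an added example that is not part of the original messages and is not syslog-ng code: a simplified Python model of log-path evaluation showing how the position of flags(final) and the nesting of embedded log statements decide which destinations a message reaches. The filter definitions and sample messages are constructed for illustration; only the filter and destination names come from the thread.

```python
# Simplified model of syslog-ng log-path evaluation (added example, not
# syslog-ng code). Filters in one log path are ANDed; embedded paths inherit
# the parent's filters; a matching top-level path with final=True stops later
# top-level paths from seeing the message.

def route(paths, msg):
    """Return the destinations that receive msg, in delivery order."""
    delivered = []
    for path in paths:
        if _deliver(path, msg, delivered) and path.get("final"):
            break  # flags(final): later log statements never see msg
    return delivered

def _deliver(path, msg, delivered):
    """Apply one log path; return True if all of its filters matched."""
    if not all(f(msg) for f in path.get("filters", [])):
        return False
    delivered.extend(path.get("destinations", []))
    for child in path.get("embedded", []):
        _deliver(child, msg, delivered)
    return True

# Hypothetical filter bodies; the names follow those used in the thread.
f_mail = lambda m: m["facility"] == "mail"
not_ntpd = lambda m: m["program"] != "ntpd"
f_filter1 = lambda m: m["facility"] == "daemon"
f_filter2 = lambda m: m["level"] == "err"
f_filter3 = lambda m: m["program"] == "dhcpd"

mail_path = {"filters": [f_mail], "destinations": ["mail"], "final": True}
catch_all = {"filters": [not_ntpd], "destinations": ["messages"]}
nested = {"filters": [f_filter1], "embedded": [
    {"filters": [f_filter2], "destinations": ["d_dst1"]},
    {"filters": [f_filter3], "destinations": ["d_dst2"]},
]}

# Constructed sample messages.
mail_msg = {"facility": "mail", "level": "info", "program": "postfix"}
dhcpd_err = {"facility": "daemon", "level": "err", "program": "dhcpd"}
cron_err = {"facility": "cron", "level": "err", "program": "cron"}

if __name__ == "__main__":
    print(route([mail_path, catch_all], mail_msg))  # final path listed first
    print(route([catch_all, mail_path], mail_msg))  # final path listed last
    print(route([nested], dhcpd_err))               # passes filter1, 2 and 3
    print(route([nested], cron_err))                # fails the outer filter1
```

With the final path first, the mail message reaches only "mail"; with it last, the catch-all has already written the message to "messages" before the final flag takes effect.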