Hello All,
I'm fairly new to syslog-ng (been using syslogd for many years) and I have a question about the config file syntax.
What I'm trying to do is log all remote hosts to /var/log/$HOST.log while keeping the logging host's logs separate. What I'm seeing is that all messages are being written to /var/log/$HOST.log, including the logging system's, as well as to /var/log/messages. In a single day, /var/log/messages grows to over 11GB (I'm logging fewer than 100 devices - Windows servers, routers, and switches.)
I haven't quite figured out which part of the config file is causing this to happen, since I'm still going through my growing pains with it. Can someone point me in the right direction with this?
[ cutting the details ]

You're referring to the same source (src) everywhere in your config, so I would suggest removing udp() from this source and moving it to a separate one. Then you can use this source for the remote hosts. Something like this:

source s_remote { udp(); };

Later in your conffile, by referring to this source you can differentiate between the local and the remote logs.

regards,
Sandor
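To make the suggestion concrete, here is a complete syslog-ng configuration that splits the local and remote sources the way Sandor describes. It is an added example, not Sandor's or the original poster's config. It assumes a syslog-ng 3.x build (the system() source driver; on older releases the local source is spelled out with unix-stream("/dev/log") and a file("/proc/kmsg") driver instead), that remote devices send to UDP port 514, and that the local host's messages should keep going to /var/log/messages. The options block is a hardening addition of my own: with keep_hostname(no) and use_dns(no), $HOST is derived from the sender's IP address rather than from the hostname field inside the packet, so an untrusted device cannot choose which /var/log/$HOST.log file its messages land in.

```conf
# Added example config (not from the thread). Assumes syslog-ng 3.x.

options {
    # $HOST comes from the peer address, not from the (spoofable)
    # hostname field in the UDP message. With use_dns(no) the file
    # name will be the sender's IP address, e.g. /var/log/10.0.0.5.log.
    keep_hostname(no);
    use_dns(no);
    create_dirs(yes);
};

# Local messages only: the host's own syslog socket, kernel ring
# buffer and syslog-ng's internal messages. No udp() here.
source s_local {
    system();
    internal();
};

# Remote devices only. Assumed: plain syslog over UDP/514 on all
# interfaces; restrict ip() to the management interface if you can.
source s_remote {
    udp(ip(0.0.0.0) port(514));
};

destination d_local {
    file("/var/log/messages");
};

# One file per remote sender.
destination d_remote_hosts {
    file("/var/log/$HOST.log");
};

# Because the two sources do not overlap, nothing is written twice.
log { source(s_local);  destination(d_local); };
log { source(s_remote); destination(d_remote_hosts); };
```

Check the result with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` (syntax check only) before restarting, then confirm that a logger(1) message on the collector appears in /var/log/messages and not in a per-host file, while a test packet from a remote box does the opposite. If you later add a log path that references s_remote again, give the earlier path flags(final) so a message is consumed by the first matching path instead of being written to both.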