Balazs Scheidler wrote:
On Fri, 2010-10-22 at 12:35 +0200, Elgin Lorenz wrote:
Balazs Scheidler wrote:
On Thu, 2010-10-21 at 13:51 +0200, Elgin Lorenz wrote:
Matthew Hall wrote:
On Wed, Oct 20, 2010 at 01:40:44PM +0200, Elgin Lorenz wrote:
Thank you for your reply.
I'm sorry I forgot to mention its syslog-ng-3.0.4.
I tried the option you suggested. It changed the "last message repeated" log entry, this one is correct now. The "kernel: kernel: " entry is still wrong.
The source driver looks like this:
source s_udp { udp (ip(xxx.xxx.xxx.xxx) port(xxx) flags(store-legacy-msghdr)); };
Any other ideas?
Could it be you need the same flag set on your other source for the kernel?
Thank you for your reply.
I'm afraid I don't know exactly what you mean.
There is only one source driver for remote sources, it is the above mentioned.
The only other source driver is the sun-streams driver for Solaris messages:
source s_sys { sun-streams ("/dev/log" door("/etc/.syslog_door")); internal(); };
It seems to work correctly for all messages. Anyway I tried the flag option with this driver, but it doesn't seem to accept it, I always get a syntax error.
The question is where those "kernel" messages are coming from? Are those locally generated or are they coming on the udp source?
They are coming from remote machines on the udp source. Locally generated messages appear correctly.
But then, those machines probably generate these messages this way in the first place. Are they using the same configuration?
The remote machines are configured to store the logs both on their own system and on the syslog-ng server. The log entries locally stored on the remote machines are correct. The same log entries delivered to the syslog-ng server contain the additional entries.
Kind regards,
Elgin Lorenz
--
Elgin Lorenz
BTU Cottbus
Universitaetsrechenzentrum
Tel. 0355 693573
E-Mail lorenz@tu-cottbus.de