Ok, thanks. That did the trick.

Jerry

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 13, 2010 4:20 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format

It's the log {} statement that matters for order, and you need a flags(final) in the statement.

On Wednesday, October 13, 2010, Jerry Riedel <riedel@codylabs.com> wrote:
Ok, the $SOURCEIP macro solved that problem, but even though I moved that section to the top of the list, the remote host messages are still being duplicated in the /var/log/messages file.
I've attached the revised conf - what am I missing or doing wrong?
Jerry
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Martin Holste
Sent: Wednesday, October 13, 2010 11:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Windows event logs vs syslog format
It looks to me like logs from other hosts should be logged both to /var/log/messages as well as the individual $HOST folder. If you only want them to go to the $HOSTS folders, then you should put that entry first and put flags(final) on the log {} statement. Check the docs for details on doing that.
I agree with Matthew--I always use $SOURCEIP as my log host macro because it can be trusted to be well-formed. I spoof forwarded packets to preserve that macro if I'm chaining log hosts.
On Wed, Oct 13, 2010 at 11:31 AM, Jerry Riedel <riedel@codylabs.com> wrote:
Here is my config:
#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
#       configuration template aren't used any more.
#
# Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
#   SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); keep_hostname(yes); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();

    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");

    #
    # uncomment to process log messages from network:
    #
    # udp(ip("0.0.0.0") port(514));
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit) and facility(news); };
filter f_newserr    { level(err) and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info) and facility(mail); };
fil

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
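Martin's advice in this thread (per-host destination keyed on $SOURCEIP, that log path listed first, flags(final) on it) written out as a complete configuration fragment. This is an added example, not Jerry's posted config or anything from the list; the source, destination and path names (s_local, s_remote, d_remote, d_messages, /var/log/remote) are assumed.

```conf
# Added example, not from the thread. Source, destination and path names
# (s_local, s_remote, d_remote, d_messages, /var/log/remote) are assumed.

options { keep_hostname(yes); create_dirs(yes); };

# Local and network messages are kept in separate source groups, so a log
# path can select "came in over the network" without needing a filter.
source s_local {
    internal();
    unix-dgram("/dev/log");
};

source s_remote {
    tcp(ip("192.168.0.228") port(5140) keep-alive(yes));
};

# One directory per sender, keyed on $SOURCEIP: the address the connection
# came from, which is taken from the transport rather than from the message
# header, so it is always well-formed even when $HOST is not.
destination d_remote {
    file("/var/log/remote/$SOURCEIP/$YEAR-$MONTH-$DAY.log");
};

destination d_messages { file("/var/log/messages"); };

# This path is listed first. flags(final) marks every message it handles as
# finished, so later paths never see remote traffic and nothing is duplicated.
log {
    source(s_remote);
    destination(d_remote);
    flags(final);
};

# Catch-all. It names both sources, but remote messages were consumed by the
# path above; without that flags(final) they would also land in /var/log/messages.
log {
    source(s_local);
    source(s_remote);
    destination(d_messages);
};
```

Run `syslog-ng --syntax-only` against the edited file before reloading; a mis-ordered or unterminated log {} block is reported there rather than at runtime.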