log { source(S_udp); filter(F_switch); destination(D_switch); };
log { source(S_udp); filter(F_router); destination(D_router); };
log { source(S_udp); filter(F_edge); destination(D_edge); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };
log { source(S_udp); destination(D_db_mysql); };
... does anyone know why I am logging my data to two locations instead of just one?
Incoming messages are sent along *all* log paths that match. Every message that arrives from S_udp will be sent to D_udp and also to D_db_mysql. Some of those messages will also be sent along some of the more specific paths. If you don't want this to happen you can use the "final" keyword on the more specific paths.
I have a host named linksys-1000, logs for this host get sent into:
/var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
as well as
/var/log/ABCcorp/linksys-1000/linksys-1000.log
Here's the reason:
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };
udp messages from linksys-1000 will be sent along both of these paths because they match both.
Joe.
________________________________
From: wiskbroom@hotmail.com
To: syslog-ng@lists.balabit.hu
Date: Fri, 18 Jan 2008 08:48:39 -0500
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
Thank you Evan, does hostname chaining also force multiple logging? If not, does anyone know why I am logging my data to two locations instead of just one? By the way, any good references to writing a good .conf file for this would be greatly appreciated. Thanks again.
.vp
Date: Thu, 17 Jan 2008 14:26:43 -0800
From: erempel@uvic.ca
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most directly logging hosts (no other relay syslogs).
Try using a $FULLHOST_FROM or $HOST
Evan Rempel
wiskbroom@hotmail.com wrote:
Hello;
I thought that I had all of my hosts setup to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.
For instance, I have a host named linksys-1000, logs for this host get sent into:
/var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
as well as
/var/log/ABCcorp/linksys-1000/linksys-1000.log
Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place, there is no filter setup like this.
Thanks all,
.vp
Here is a sample of my config file:
###########
# Destinations #
###########
destination D_switch { file("/var/log/ABCcorp/switches/$FULLHOST.log" perm(0644)); };
destination D_edge { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
destination D_firewall { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
destination D_router { file("/var/log/ABCcorp/routers/$FULLHOST.log" perm(0644)); };
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };
# Macro names may contain "_", so $FACILITY_$HOST_... would be read as one
# unknown macro "FACILITY_"; braces delimit each macro explicitly.
destination D_hosts { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
#######
# Filters #
#######
destination D_db_discard { file("/var/log/discard.log"); };
destination D_db_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)); };
# host() takes a regular expression, not a shell glob: "edge*" means "edg"
# followed by any number of "e" and matches anywhere in the name. Patterns
# are anchored with ^ and IP dots are escaped so they only match a dot.
filter F_edge { host("^edge") or host("^192\\.116\\."); };
filter F_router { host("^gw") or host("^rtr") or host("^router"); };
filter F_switch { host("^sw"); };   # also covers sw1 and sw2
filter F_firewall { host("^fw"); };
filter F_accesspoints { host("^linksys"); };
filter F_InternetIP { host("^192\\.116\\.19\\."); };
#######
# Logs #
#######
log { source(S_udp); filter(F_switch); destination(D_switch); };
log { source(S_udp); filter(F_router); destination(D_router); };
log { source(S_udp); filter(F_edge); destination(D_edge); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
log { source(S_udp); destination(D_udp); };
log { source(S_udp); destination(D_db_mysql); };
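The log section above, rewritten as an added example (not from the thread or from any poster) to apply Joe's advice about the "final" flag and Evan's point about hostname chaining. Source, filter and destination names are the ones from .vp's config; the options block and the ordering are assumptions about the intended behaviour (every message into the database, one file per host).

```conf
# Added example: one file per host plus a database copy of everything.

options {
    chain_hostnames(no);   # $FULLHOST then equals $HOST rather than "relay/host"
    keep_hostname(yes);    # keep the hostname carried in the message
};

# 1. Unconditional database copy comes FIRST: flags(final) on the paths
#    below stops later matching, so a path placed after them would never
#    see the messages of switches, routers, etc.
log { source(S_udp); destination(D_db_mysql); };

# 2. Device-class paths. flags(final) ends processing for a matched
#    message, so a linksys host is no longer also caught by the
#    catch-all at the end.
log { source(S_udp); filter(F_switch);       destination(D_switch);       flags(final); };
log { source(S_udp); filter(F_router);       destination(D_router);       flags(final); };
log { source(S_udp); filter(F_edge);         destination(D_edge);         flags(final); };
log { source(S_udp); filter(F_firewall);     destination(D_firewall);     flags(final); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); flags(final); };

# 3. Catch-all: only messages that matched none of the class filters.
log { source(S_udp); destination(D_udp); };
```

With this order a message from linksys-1000 is written to D_db_mysql and D_accesspoints only; a message from a host matching no filter goes to D_db_mysql and D_udp.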
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html