Paolo Supino wrote:
Hi
I've installed syslog-ng 1.6.8 on a Linux FC4 system to act as a centralized logging server. For a while everything was fine, until I tried to add another statement to one of the filters. After the addition syslog-ng started writing the destination files in the wrong places, writing the same file in 2 locations and ignoring messages sent from certain origins.
Which filter is causing your problems?
# destinations
destination d_switch { file("/var/log/company/switches/$HOST.log" perm(0644)); };
destination d_edge { file("/var/log/company/edge_devices/$HOST.log" perm(0644)); };
destination d_fw { file("/var/log/company/firewalls/$HOST.log" perm(0644)); };
destination d_router { file("/var/log/company/routers/$HOST.log" perm(0644)); };
Use the $FULLHOST macro, not just $HOST
# filters
filter f_edge { host("edge*") or host("10.10.*"); };
filter f_router { host("3600-primary") or host("backbone-3550") or host("secondary-3550"); };
filter f_switch { host("sw*") or host("backbone-5510") or host(pp8600*); };
filter f_fw { host("fw*"); };
You should check your hostnames, whether they contain your filter patterns. I suggest using "^edge.*"-style regexp, this is more precise than "edge*". I suspect your fully qualified hostnames contain somewhere the "fw" or the "sw" strings.
# wrap everything up
log { source(s_net); filter(f_switch); destination(d_switch); };
log { source(s_net); filter(f_router); destination(d_router); };
log { source(s_net); filter(f_edge); destination(d_edge); };
log { source(s_net); filter(f_fw); destination(d_fw); };
Consider using the "final" flag in your log sections. This can improve the performance of syslog-ng, but be aware that if you use final, then the order of your log sections does matter!
--
Sandor Geller wildy@balabit.hu
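
The overlap between the posted filters, shown as an added example that is not part of either message: it runs the thread's host() patterns and an anchored rewrite over sample hostnames, and shows which log statement wins when "final" is set. The anchored forms, the sample hostnames other than secondary-3550, and the use of Python's re module in place of syslog-ng's regex matching are assumptions of this example.

```python
import re

# Patterns as posted (pp8600* is treated as if it were quoted). host() takes a
# regular expression searched anywhere in the hostname; Python's re module
# stands in for the POSIX regex matching here (assumption of this example).
POSTED = {
    "f_switch": ["sw*", "backbone-5510", "pp8600*"],
    "f_router": ["3600-primary", "backbone-3550", "secondary-3550"],
    "f_edge":   ["edge*", "10.10.*"],
    "f_fw":     ["fw*"],
}

# Anchored rewrite in the "^edge.*" style from the reply (forms assumed here).
ANCHORED = {
    "f_switch": [r"^sw.*", r"^backbone-5510", r"^pp8600.*"],
    "f_router": [r"^3600-primary", r"^backbone-3550", r"^secondary-3550"],
    "f_edge":   [r"^edge.*", r"^10\.10\..*"],
    "f_fw":     [r"^fw.*"],
}

# Hostnames: secondary-3550 is from the posted config, the rest are constructed.
SAMPLE_HOSTS = ["sw-floor2", "fw-dmz", "edge-paris", "secondary-3550", "10.10.4.7"]


def matching_filters(host, filters):
    """All filters that accept `host`, in log-statement order (no final flag)."""
    return [name for name, pats in filters.items()
            if any(re.search(p, host) for p in pats)]


def routed_with_final(host, filters):
    """With the final flag on every log statement, only the first match is used."""
    hits = matching_filters(host, filters)
    return hits[0] if hits else None


if __name__ == "__main__":
    for label, filters in (("posted", POSTED), ("anchored", ANCHORED)):
        print(label)
        for host in SAMPLE_HOSTS:
            hits = matching_filters(host, filters)
            print(f"  {host:15} all={hits} final={routed_with_final(host, filters)}")
```

As a regular expression, "sw*" means "s followed by zero or more w", so it accepts any hostname containing an "s"; that is why secondary-3550 lands in both the switches and routers directories with the posted patterns.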