Syslog-ng writes log entries to 2 different logs
I am using syslog-ng 3.1.2 and I am having a problem that I cannot figure out. Our network gear sends messages to syslog-ng, which then filters them based on device type and name. There is one firewall that is matching both the firewalls filter and the switches filter, and is subsequently writing to both locations. In the example below, host 1.2.3.5 is logging to both the switches log dir and the firewalls log dir even though it is only referenced in the firewalls filter. Other than the obvious possibilities (yes, I have confirmed that the IP address is only referenced in one filter), does anyone have any ideas on what I should look at?

Thanks,
Burton

Our filters look like this (each host filter has several addresses in it):

    filter f_firewalls { host(1.2.3.4) or host(1.2.3.5); };
    filter f_switches  { host(9.8.7.6) or host(9.8.7.5); };

    # The posted path read "$YEAR/MONTH/"; "$MONTH" is the intended macro.
    destination d_firewalls {
        file("/path/to/logs/fw/$YEAR/$MONTH/$HOST-$YEAR$MONTH$DAY"
             create_dirs(yes) owner(log_owner) group(log_group)
             dir_perm(0775) perm(0664));
    };
    destination d_switches {
        file("/path/to/logs/sw/$YEAR/$MONTH/$HOST-$YEAR$MONTH$DAY"
             create_dirs(yes) owner(log_owner) group(log_group)
             dir_perm(0775) perm(0664));
    };

    log { source(s_network); filter(f_firewalls); destination(d_firewalls); };
    log { source(s_network); filter(f_switches);  destination(d_switches); };

Version info:

    syslog-ng 3.1.2
    Installer-Version: 3.1.2
    Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca
    Compile-Date: Aug 3 2010 11:16:08
    Enable-Threads: on
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-Sun-STREAMS: off
    Enable-Sun-Door: off
    Enable-IPv6: on
    Enable-Spoof-Source: on
    Enable-TCP-Wrapper: off
    Enable-SSL: on
    Enable-SQL: on
    Enable-Linux-Caps: on
    Enable-Pcre: on
On Mon, Sep 20, 2010 at 12:58:47PM -0400, Burton Simonds wrote:
> In the example below, host 1.2.3.5 is logging to both the switches log dir and the firewalls log dir even though it is only referenced in the firewalls filter.
> Other than the obvious possibilities (yes, I have confirmed that the IP address is only referenced in one filter), does anyone have any ideas on what I should look at?
It might be worth trying the appropriate combinations of -d and -v to get some debug tracing data on the way the logs are being processed. Hopefully somebody who has used the host filter could help in more detail. I have not needed that one yet because there are way too many hosts on my network for it to help me.

Matthew.
On 09/20/2010 07:17:46 PM, Matthew Hall wrote:
> On Mon, Sep 20, 2010 at 12:58:47PM -0400, Burton Simonds wrote:
> > In the example below, host 1.2.3.5 is logging to both the switches log dir and the firewalls log dir even though it is only referenced in the firewalls filter.
> > Other than the obvious possibilities (yes, I have confirmed that the IP address is only referenced in one filter), does anyone have any ideas on what I should look at?
> It might be worth trying the appropriate combinations of -d and -v to get some debug tracing data on the way the logs are being processed.
> Hopefully somebody who has used the host filter could help in more detail. I have not needed that one yet because there are way too many hosts on my network for it to help me.
> Matthew.
Hi Burton,

Until you find the real reason for the duplicate messages, you can try to use the flags(final) option in the first log statement. Maybe it helps.

Regards,
Robert
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
On Mon, 2010-09-20 at 12:58 -0400, Burton Simonds wrote:
> I am using syslog-ng 3.1.2 and I am having a problem that I cannot figure out.
> Our network gear sends messages to syslog-ng, which then filters them based on device type and name.
> There is one firewall that is matching both the firewalls filter and the switches filter, and is subsequently writing to both locations.
> In the example below, host 1.2.3.5 is logging to both the switches log dir and the firewalls log dir even though it is only referenced in the firewalls filter.
> Other than the obvious possibilities (yes, I have confirmed that the IP address is only referenced in one filter), does anyone have any ideas on what I should look at?
host() takes a regular expression. Are you sure '.' (which matches any character) is not biting you here?

-- 
Bazsi
Hi,

I have resolved this issue, and yes, it was a regex issue. I had not read the host() doc closely enough since I inherited the syslog system intact, and at the time working; we just kept adding hosts. It wasn't a . that got me (although it easily could have), it was that the switches filter was matching, say, 10.10.10.1 and the firewall was matching 10.10.10.10 . . . So when a message was coming in from 10.10.10.10, it was being matched by both filters.

I tested 2 possible resolutions for it, both seemed to work. The first was just putting a $ at the end and escaping the . Second, I used host("10.10.10.10",type(string))

Thanks for the feedback!
Burton

On Mon, Sep 27, 2010 at 8:57 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Mon, 2010-09-20 at 12:58 -0400, Burton Simonds wrote:
> > I am using syslog-ng 3.1.2 and I am having a problem that I cannot figure out.
> > Our network gear sends messages to syslog-ng, which then filters them based on device type and name.
> > There is one firewall that is matching both the firewalls filter and the switches filter, and is subsequently writing to both locations.
> > In the example below, host 1.2.3.5 is logging to both the switches log dir and the firewalls log dir even though it is only referenced in the firewalls filter.
> > Other than the obvious possibilities (yes, I have confirmed that the IP address is only referenced in one filter), does anyone have any ideas on what I should look at?
> host() takes a regular expression. Are you sure '.' (which matches any character) is not biting you here?
> -- 
> Bazsi
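The overlap Bazsi and Burton describe, and both fixes, as an added illustration that is not part of the thread and not syslog-ng code: the function below emulates syslog-ng's host() filter, where an unquoted or pcre pattern is an unanchored regular expression (so "10.10.10.1" is found inside "10.10.10.10" and "." matches any character) and type(string) is an exact comparison. The anchored variant adds a leading ^ as well as the trailing $ Burton mentions; the hostnames and filter sets are constructed.

```python
import re
from typing import Dict, List

# Added example: models how syslog-ng's host() decides whether a message's
# sender passes a filter. Default regex types search anywhere in the host
# name; type(string) compares the whole value.

def host_matches(pattern: str, host: str, kind: str = "pcre") -> bool:
    """True if a message from `host` would pass host(pattern, type(kind))."""
    if kind == "string":
        return host == pattern              # exact match, no metacharacters
    return re.search(pattern, host) is not None   # unanchored regex search

def route(filters: Dict[str, List[str]], host: str, kind: str = "pcre") -> List[str]:
    """Names of every filter that accepts `host`. Since each filter feeds its
    own log {} statement, two names here means the message lands in two logs."""
    return [name for name, patterns in filters.items()
            if any(host_matches(p, host, kind) for p in patterns)]

# Constructed filter sets mirroring the thread: the original patterns and
# the escaped, anchored form Burton switched to.
NAIVE = {
    "f_switches":  ["10.10.10.1"],       # also found inside 10.10.10.10
    "f_firewalls": ["10.10.10.10"],
}
ANCHORED = {
    "f_switches":  [r"^10\.10\.10\.1$"],
    "f_firewalls": [r"^10\.10\.10\.10$"],
}

if __name__ == "__main__":
    for h in ("10.10.10.10", "10.10.10.1", "10x10x10x1"):
        print(h, "naive:", route(NAIVE, h),
              "anchored:", route(ANCHORED, h),
              "type(string):", route(NAIVE, h, "string"))
```

The firewall 10.10.10.10 is routed to both logs under the naive patterns and to one log under either fix; the third host shows that an unescaped "." also lets a non-address value through the naive switches filter.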