Logs sent to wrong destination
Hi,
I've been using syslog-ng for a long time, but recently I noticed that, in some cases, the log is sent to a wrong destination.
I have many devices sending logs to my host. The problem appears when the server receives webserver logs: they are delivered to a different destination and I don't know how.
Here is the configuration:
destination apache { file("/var/log/webserver/$R_YEAR-$R_MONTH-$R_DAY-$R_HOUR" owner(ll) group(ll) perm(0644) dir_perm(0755) create_dirs(yes)); };
filter f_apache { ( host("xxx.xxx.xxx.82") or host("xxx.xxx.xxx.137") ); };
log { source(aaa); filter(f_apache); destination(apache); };
The IP address xxx.xxx.xxx.137 sends a duplicate log event to another directory, without any other configuration.
Have you seen this?
On 17.07.2014 21:09, Renato Bezerra wrote:
Well, is that your *entire* configuration? I very much doubt so. You should post the entire config, not just this snippet. How are we supposed to know what this "another directory" is, and what filtering you apply in the log {} block that sends logs to it?
J.
--
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
Hi Jakub,
Thanks for the fast reply. I have other conf files, each one for a different device type, that I include in the main configuration (just for organization); all confs are based on the "host" filter.
The source is a TCP class in my main configuration. If you judge it necessary I can send the other confs, but in none of them did I put this IP address in the filters.
---
Renato Bezerra
2014-07-17 16:16 GMT-03:00 Jakub Jankowski <shasta@toxcorp.com>:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Please note that by default host() uses regexps where the '.' matches any character.
On Thu, Jul 17, 2014 at 9:31 PM, Renato Bezerra <renatobamorim@gmail.com> wrote:
-- Bazsi
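To make Balazs's point concrete, here is an added example of my own (not code from the thread and not syslog-ng's own code) that models the three ways a host() filter value can be interpreted: syslog-ng's default, an unanchored regexp search in which '.' is a wildcard; an escaped and anchored regexp; and a whole-value literal comparison, which is what syslog-ng's type(string) option gives you. The addresses are constructed stand-ins for the thread's masked xxx.xxx.xxx.137, and the function names are mine.

```python
import re

# Constructed sample address standing in for the thread's xxx.xxx.xxx.137.
WANTED = "10.0.0.137"


def host_filter_regex(pattern, host):
    """Model syslog-ng's default host() behaviour: an unanchored regexp
    search over $HOST, so '.' matches any character and a hit anywhere
    inside the value counts as a match."""
    return re.search(pattern, host) is not None


def host_filter_literal(value, host):
    """Model host("..." type(string)): the whole $HOST value must equal
    the configured string, no regexp semantics at all."""
    return host == value


def hardened_pattern(ip):
    """Escape the dots and anchor both ends so the regexp matches only
    this exact address (the fix if you want to stay with regexps)."""
    return "^" + re.escape(ip) + "$"


def classify(hosts):
    """For each candidate $HOST value, report which of the three filter
    styles would accept it. Any True under 'weak_regex' that is False
    under the other two is a log line that would be mis-routed."""
    strict = hardened_pattern(WANTED)
    return {
        h: {
            "weak_regex": host_filter_regex(WANTED, h),
            "anchored_regex": host_filter_regex(strict, h),
            "literal": host_filter_literal(WANTED, h),
        }
        for h in hosts
    }


# Constructed candidates: the intended host plus look-alikes that the
# unescaped, unanchored pattern also accepts.
CANDIDATES = [
    "10.0.0.137",   # the host we actually want
    "10.0.0.1370",  # extra trailing digit: unanchored search still hits
    "110.0.0.137",  # extra leading digit: same problem
    "10x0y0z137",   # every '.' treated as a wildcard
    "10.0.0.13",    # must never match
]


if __name__ == "__main__":
    for host, verdicts in classify(CANDIDATES).items():
        print(f"{host:12s} {verdicts}")
```

In syslog-ng terms the weak filter in the thread is host("xxx.xxx.xxx.137"); the two fixes are an escaped and anchored pattern, for example host("^10\\.0\\.0\\.137$") (the doubled backslash is the config-file escape for a literal backslash), or host("10.0.0.137" type(string)). Where the intent is to select by the sender's address rather than by the $HOST field, syslog-ng's netmask() filter compares the source IP directly. The symptom to watch for is exactly what Renato saw: a too-broad host() silently accepts other hosts' messages, and the same message ends up in more than one destination.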
Balazs, thanks for your help. I really thought that host() used literal IP addresses. I'll try to adapt my filters to regexp patterns.
---
Renato Bezerra
2014-07-18 7:05 GMT-03:00 Balazs Scheidler <bazsi77@gmail.com>:
participants (3): Balazs Scheidler, Jakub Jankowski, Renato Bezerra