[syslog-ng]problem with multiply-defined source/filter/destin ation combinations?

Balazs Scheidler bazsi@balabit.hu
Mon, 13 Jan 2003 15:04:57 +0100


On Mon, Jan 13, 2003 at 08:44:12AM -0500, Hamilton, Andrew wrote:
> Well.  That was a hefty message.  Anyway, syslog-ng will typically log
> messages only once unless you tell it otherwise.  This is the default
> behavior.  You may think that by adding another log line that sends the same
> message to a different destination you are telling it to do just that.  That
> is incorrect.  Once a message is logged it is then forgotten in a sense.
> The way to do this is to use multiple destinations on the same line.  (i.e.,
> log { source(src); filter(filter1); destination(d1); destination(d2); }; ).
> This works well for me, I have been doing it for nearly 4 years.  Syslog-ng
> will do exactly what you want to do you just have to tweak it a little.  I
> have never done this before but in theory, and I guess someone else from the
> list can correct me if I'm wrong, you could write a log line from multiple
> sources as well. (i.e., log { source(s1); source(s2); filter(f1);
> destination(d1); destination(d2); }; ) etc...  I think you can probably get
> the picture.  That might help you clean up your config file a little. I hope
> this helps.

You are incorrect at your first point. syslog-ng sends messages to using all
matching log statements, thus:

log { source(src); destination(dst); };
log { source(src); destination(dst); };

results in each message delivered twice.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1