[syslog-ng]syslog duplicate entries
Dylan (FHMS)
syslog-ng@lists.balabit.hu
Tue, 24 Feb 2004 12:25:08 -0500
I have my syslog-ng setup so that external syslog hosts are creating their
own dir and log file (see conf file below). One problem I'm having is that
all of the hosts' logs are being written to /var/log/syslog as
well...creating a 6Gig file or larger per week. Can someone please point out
what I can change with my conf file to eliminate the duplicate entries?
Thank you!
Dylan
#############################################
### syslog-ng.conf file
#############################################
options
{
check_hostname(yes);
chain_hostnames(no);
create_dirs (yes);
dir_perm(0755);
dns_cache(yes);
keep_hostname(yes);
log_fifo_size(2048);
log_msg_size(8192);
long_hostnames(on);
perm(0644);
stats(3600);
sync(0);
time_reopen (10);
use_dns(yes);
use_fqdn(no);
};
#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
#source src { unix-dgram("/dev/log"); internal(); };
#
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
source src { unix-dgram("/dev/log"); internal(); udp(); tcp(port(514)
keep-alive(yes) max-connections(25));};
destination std {
#
file("/var/log/HOSTS/$YEAR/$HOST/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
file("/var/log/HOSTS/$HOST/$HOST.syslog"
owner(nagios) group(nagios) perm(0600) dir_perm(0700)
create_dirs(yes)
);
};
# After that set destinations.
# First some standard logfile
#
destination authlog { file("/var/log/auth.log" owner("root") group("adm")
perm(0640)); };
destination syslog { file("/var/log/syslog" owner("root") group("adm")
perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm")
perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm")
perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm")
perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm")
perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm")
perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm")
perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm")
perm(0640)); };
# This files are the log come from the mail subsystem.
#
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm")
perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm")
perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm")
perm(0640)); };
# Logging for INN news system
#
destination newscrit { file("/var/log/news/news.crit" owner("root")
group("adm")
perm(0640)); };
destination newserr { file("/var/log/news/news.err" owner("root")
group("adm")
perm(0640)); };
destination newsnotice { file("/var/log/news/news.notice" owner("root")
group("adm") perm(0640)); };
# Some `catch-all' logfiles.
#
#destination debug { file("/var/log/debug" owner("root") group("adm")
#perm(0640)); };
#destination messages { file("/var/log/messages" owner("root") group("adm")
#perm(0640)); };
# The root's console.
#
destination console { usertty("root"); };
# Virtual console.
#
destination console_all { file("/dev/tty8"); };
# The named pipe /dev/xconsole is for the nsole' utility. To use it,
# you must invoke nsole' with the -file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
#destination xconsole { pipe("/dev/xconsole"); };
destination ppp { file("/var/log/ppp.log" owner("root") group("adm")
perm(0640)); };
# Here's come the filter options. With this rules, we can set which
# message go where.
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon,
mail);
};
filter ppp { facility(local2); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice);
destination(newsnotice);
};
#log { source(src); filter(f_debug); destination(debug); };
#log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };
####log { source(src); filter(f_cnews); destination(xconsole); };
###log { source(src); filter(f_cother); destination(xconsole); };
log { source(src); filter(ppp); destination(ppp); };
log {
source(src);
destination(std);
};