[syslog-ng]syslog duplicate entries
Hamilton Andrew
syslog-ng@lists.balabit.hu
Tue, 24 Feb 2004 12:32:39 -0500
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C3FAFC.3354DCCF
Content-Type: text/plain;
charset="iso-8859-1"
Look at your filter, f_syslog, destination d_syslog, and your log line that
includes d_syslog. Your filter f_syslog includes everything except
facilities auth, and authpriv. If you are confident that you don't need
your syslog line you can comment that out as well to keep you from getting
duplicates in you /var/log/syslog file.
Regards,
Drew
-----Original Message-----
From: Dylan (FHMS) [mailto:dhbouterse@fhmsi.com]
Sent: Tuesday, February 24, 2004 12:25 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]syslog duplicate entries
I have my syslog-ng setup so that external syslog hosts are creating their
own dir and log file (see conf file below). One problem I'm having is that
all of the hosts' logs are being written to /var/log/syslog as
well...creating a 6Gig file or larger per week. Can someone please point out
what I can change with my conf file to eliminate the duplicate entries?
Thank you!
Dylan
#############################################
### syslog-ng.conf file
#############################################
options
{
check_hostname(yes);
chain_hostnames(no);
create_dirs (yes);
dir_perm(0755);
dns_cache(yes);
keep_hostname(yes);
log_fifo_size(2048);
log_msg_size(8192);
long_hostnames(on);
perm(0644);
stats(3600);
sync(0);
time_reopen (10);
use_dns(yes);
use_fqdn(no);
};
#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
#source src { unix-dgram("/dev/log"); internal(); };
#
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
source src { unix-dgram("/dev/log"); internal(); udp(); tcp(port(514)
keep-alive(yes) max-connections(25));};
destination std {
#
file("/var/log/HOSTS/$YEAR/$HOST/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
file("/var/log/HOSTS/$HOST/$HOST.syslog"
owner(nagios) group(nagios) perm(0600) dir_perm(0700)
create_dirs(yes)
);
};
# After that set destinations.
# First some standard logfile
#
destination authlog { file("/var/log/auth.log" owner("root") group("adm")
perm(0640)); };
destination syslog { file("/var/log/syslog" owner("root") group("adm")
perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm")
perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm")
perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm")
perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm")
perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm")
perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm")
perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm")
perm(0640)); };
# This files are the log come from the mail subsystem.
#
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm")
perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm")
perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm")
perm(0640)); };
# Logging for INN news system
#
destination newscrit { file("/var/log/news/news.crit" owner("root")
group("adm")
perm(0640)); };
destination newserr { file("/var/log/news/news.err" owner("root")
group("adm")
perm(0640)); };
destination newsnotice { file("/var/log/news/news.notice" owner("root")
group("adm") perm(0640)); };
# Some `catch-all' logfiles.
#
#destination debug { file("/var/log/debug" owner("root") group("adm")
#perm(0640)); };
#destination messages { file("/var/log/messages" owner("root") group("adm")
#perm(0640)); };
# The root's console.
#
destination console { usertty("root"); };
# Virtual console.
#
destination console_all { file("/dev/tty8"); };
# The named pipe /dev/xconsole is for the nsole' utility. To use it,
# you must invoke nsole' with the -file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
#destination xconsole { pipe("/dev/xconsole"); };
destination ppp { file("/var/log/ppp.log" owner("root") group("adm")
perm(0640)); };
# Here's come the filter options. With this rules, we can set which
# message go where.
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon,
mail);
};
filter ppp { facility(local2); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice);
destination(newsnotice);
};
#log { source(src); filter(f_debug); destination(debug); };
#log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };
####log { source(src); filter(f_cnews); destination(xconsole); };
###log { source(src); filter(f_cother); destination(xconsole); };
log { source(src); filter(ppp); destination(ppp); };
log {
source(src);
destination(std);
};
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
------_=_NextPart_001_01C3FAFC.3354DCCF
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2655.72">
<TITLE>RE: [syslog-ng]syslog duplicate entries</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2>Look at your filter, f_syslog, destination d_syslog, =
and your log line that includes d_syslog. Your filter f_syslog =
includes everything except facilities auth, and authpriv. If you =
are confident that you don't need your syslog line you can comment that =
out as well to keep you from getting duplicates in you /var/log/syslog =
file.</FONT></P>
<P><FONT SIZE=3D2>Regards,</FONT>
</P>
<P><FONT SIZE=3D2>Drew</FONT>
</P>
<P><FONT SIZE=3D2>-----Original Message-----</FONT>
<BR><FONT SIZE=3D2>From: Dylan (FHMS) [<A =
HREF=3D"mailto:dhbouterse@fhmsi.com">mailto:dhbouterse@fhmsi.com</A>]</F=
ONT>
<BR><FONT SIZE=3D2>Sent: Tuesday, February 24, 2004 12:25 PM</FONT>
<BR><FONT SIZE=3D2>To: 'syslog-ng@lists.balabit.hu'</FONT>
<BR><FONT SIZE=3D2>Subject: [syslog-ng]syslog duplicate entries</FONT>
</P>
<BR>
<P><FONT SIZE=3D2>I have my syslog-ng setup so that external syslog =
hosts are creating their</FONT>
<BR><FONT SIZE=3D2>own dir and log file (see conf file below). One =
problem I'm having is that</FONT>
<BR><FONT SIZE=3D2>all of the hosts' logs are being written to =
/var/log/syslog as</FONT>
<BR><FONT SIZE=3D2>well...creating a 6Gig file or larger per week. Can =
someone please point out</FONT>
<BR><FONT SIZE=3D2>what I can change with my conf file to eliminate the =
duplicate entries?</FONT>
<BR><FONT SIZE=3D2>Thank you!</FONT>
</P>
<P><FONT SIZE=3D2>Dylan</FONT>
</P>
<P><FONT SIZE=3D2>#############################################</FONT>
<BR><FONT SIZE=3D2>### syslog-ng.conf file</FONT>
<BR><FONT SIZE=3D2>#############################################</FONT>
</P>
<P><FONT SIZE=3D2>options</FONT>
<BR><FONT SIZE=3D2> {</FONT>
<BR><FONT SIZE=3D2> check_hostname(yes);</FONT>
<BR><FONT SIZE=3D2> chain_hostnames(no);</FONT>
<BR><FONT SIZE=3D2> create_dirs (yes);</FONT>
<BR><FONT SIZE=3D2> dir_perm(0755);</FONT>
<BR><FONT SIZE=3D2> dns_cache(yes);</FONT>
<BR><FONT SIZE=3D2> keep_hostname(yes);</FONT>
<BR><FONT SIZE=3D2> log_fifo_size(2048);</FONT>
<BR><FONT SIZE=3D2> log_msg_size(8192);</FONT>
<BR><FONT SIZE=3D2> long_hostnames(on);</FONT>
<BR><FONT SIZE=3D2> perm(0644);</FONT>
<BR><FONT SIZE=3D2> stats(3600);</FONT>
<BR><FONT SIZE=3D2> sync(0);</FONT>
<BR><FONT SIZE=3D2> time_reopen (10);</FONT>
<BR><FONT SIZE=3D2> use_dns(yes);</FONT>
<BR><FONT SIZE=3D2> use_fqdn(no);</FONT>
<BR><FONT SIZE=3D2> };</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2># This is the default behavior of sysklogd =
package</FONT>
<BR><FONT SIZE=3D2># Logs may come from unix stream, but not from =
another machine.</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>#source src { unix-dgram("/dev/log"); =
internal(); };</FONT>
</P>
<P><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2># If you wish to get logs from remote machine you =
should uncomment</FONT>
<BR><FONT SIZE=3D2># this and comment the above source line.</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>source src { unix-dgram("/dev/log"); =
internal(); udp(); tcp(port(514)</FONT>
<BR><FONT SIZE=3D2>keep-alive(yes) max-connections(25));};</FONT>
</P>
<P><FONT SIZE=3D2>destination std {</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT =
SIZE=3D2>file("/var/log/HOSTS/$YEAR/$HOST/$MONTH/$FACILITY_$HOST_$Y=
EAR_$MONTH_$DAY"</FONT>
<BR><FONT SIZE=3D2> =
file("/var/log/HOSTS/$HOST/$HOST.syslog"</FONT>
</P>
<P><FONT SIZE=3D2> =
owner(nagios) group(nagios) perm(0600) dir_perm(0700)</FONT>
<BR><FONT SIZE=3D2>create_dirs(yes)</FONT>
<BR><FONT SIZE=3D2> );</FONT>
<BR><FONT SIZE=3D2>};</FONT>
</P>
<P><FONT SIZE=3D2># After that set destinations.</FONT>
</P>
<P><FONT SIZE=3D2># First some standard logfile</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>destination authlog { =
file("/var/log/auth.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination syslog { =
file("/var/log/syslog" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination cron { =
file("/var/log/cron.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination daemon { =
file("/var/log/daemon.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination kern { =
file("/var/log/kern.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination lpr { file("/var/log/lpr.log" =
owner("root") group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination mail { =
file("/var/log/mail.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination user { =
file("/var/log/user.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination uucp { =
file("/var/log/uucp.log" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
</P>
<BR>
<P><FONT SIZE=3D2># This files are the log come from the mail =
subsystem.</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>destination mailinfo { =
file("/var/log/mail.info" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination mailwarn { =
file("/var/log/mail.warn" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination mailerr { =
file("/var/log/mail.err" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
</P>
<P><FONT SIZE=3D2># Logging for INN news system</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>destination newscrit { =
file("/var/log/news/news.crit" owner("root")</FONT>
<BR><FONT SIZE=3D2>group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination newserr { =
file("/var/log/news/news.err" owner("root")</FONT>
<BR><FONT SIZE=3D2>group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>destination newsnotice { =
file("/var/log/news/news.notice" =
owner("root")</FONT>
<BR><FONT SIZE=3D2>group("adm") perm(0640)); };</FONT>
</P>
<P><FONT SIZE=3D2># Some `catch-all' logfiles.</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>#destination debug { file("/var/log/debug" =
owner("root") group("adm")</FONT>
<BR><FONT SIZE=3D2>#perm(0640)); };</FONT>
<BR><FONT SIZE=3D2>#destination messages { =
file("/var/log/messages" owner("root") =
group("adm")</FONT>
<BR><FONT SIZE=3D2>#perm(0640)); };</FONT>
</P>
<P><FONT SIZE=3D2># The root's console.</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>destination console { usertty("root"); =
};</FONT>
</P>
<P><FONT SIZE=3D2># Virtual console.</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>destination console_all { =
file("/dev/tty8"); };</FONT>
</P>
<P><FONT SIZE=3D2># The named pipe /dev/xconsole is for the nsole' =
utility. To use it,</FONT>
<BR><FONT SIZE=3D2># you must invoke nsole' with the -file' =
option:</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2># $ xconsole -file /dev/xconsole =
[...]</FONT>
<BR><FONT SIZE=3D2>#</FONT>
<BR><FONT SIZE=3D2>#destination xconsole { =
pipe("/dev/xconsole"); };</FONT>
</P>
<P><FONT SIZE=3D2>destination ppp { file("/var/log/ppp.log" =
owner("root") group("adm")</FONT>
<BR><FONT SIZE=3D2>perm(0640)); };</FONT>
</P>
<P><FONT SIZE=3D2># Here's come the filter options. With this rules, we =
can set which</FONT>
<BR><FONT SIZE=3D2># message go where.</FONT>
</P>
<P><FONT SIZE=3D2>filter f_authpriv { facility(auth, authpriv); =
};</FONT>
<BR><FONT SIZE=3D2>filter f_syslog { not facility(auth, authpriv); =
};</FONT>
<BR><FONT SIZE=3D2>filter f_cron { facility(cron); };</FONT>
<BR><FONT SIZE=3D2>filter f_daemon { facility(daemon); };</FONT>
<BR><FONT SIZE=3D2>filter f_kern { facility(kern); };</FONT>
<BR><FONT SIZE=3D2>filter f_lpr { facility(lpr); };</FONT>
<BR><FONT SIZE=3D2>filter f_mail { facility(mail); };</FONT>
<BR><FONT SIZE=3D2>filter f_user { facility(user); };</FONT>
<BR><FONT SIZE=3D2>filter f_uucp { facility(uucp); };</FONT>
</P>
<P><FONT SIZE=3D2>filter f_news { facility(news); };</FONT>
</P>
<P><FONT SIZE=3D2>filter f_debug { not facility(auth, authpriv, news, =
mail); };</FONT>
<BR><FONT SIZE=3D2>filter f_messages { level(info .. warn)</FONT>
<BR><FONT SIZE=3D2> and not =
facility(auth, authpriv, cron, daemon, mail, news); };</FONT>
<BR><FONT SIZE=3D2>filter f_emergency { level(emerg); };</FONT>
</P>
<P><FONT SIZE=3D2>filter f_info { level(info); };</FONT>
<BR><FONT SIZE=3D2>filter f_notice { level(notice); };</FONT>
<BR><FONT SIZE=3D2>filter f_warn { level(warn); };</FONT>
<BR><FONT SIZE=3D2>filter f_crit { level(crit); };</FONT>
<BR><FONT SIZE=3D2>filter f_err { level(err); };</FONT>
</P>
<P><FONT SIZE=3D2>filter f_cnews { level(notice, err, crit) and =
facility(news); };</FONT>
<BR><FONT SIZE=3D2>filter f_cother { level(debug, info, notice, warn) =
or facility(daemon,</FONT>
<BR><FONT SIZE=3D2>mail);</FONT>
<BR><FONT SIZE=3D2>};</FONT>
</P>
<P><FONT SIZE=3D2>filter ppp { facility(local2); };</FONT>
</P>
<P><FONT SIZE=3D2>log { source(src); filter(f_authpriv); =
destination(authlog); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_syslog); =
destination(syslog); };</FONT>
<BR><FONT SIZE=3D2>#log { source(src); filter(f_cron); =
destination(cron); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_daemon); =
destination(daemon); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_kern); =
destination(kern); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_lpr); destination(lpr); =
};</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_mail); =
destination(mail); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_user); =
destination(user); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_uucp); =
destination(uucp); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_mail); filter(f_info); =
destination(mailinfo); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_mail); filter(f_warn); =
destination(mailwarn); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_mail); filter(f_err); =
destination(mailerr); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_news); filter(f_crit); =
destination(newscrit); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_news); filter(f_err); =
destination(newserr); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_news); =
filter(f_notice);</FONT>
<BR><FONT SIZE=3D2>destination(newsnotice);</FONT>
<BR><FONT SIZE=3D2>};</FONT>
<BR><FONT SIZE=3D2>#log { source(src); filter(f_debug); =
destination(debug); };</FONT>
<BR><FONT SIZE=3D2>#log { source(src); filter(f_messages); =
destination(messages); };</FONT>
<BR><FONT SIZE=3D2>log { source(src); filter(f_emergency); =
destination(console); };</FONT>
</P>
<P><FONT SIZE=3D2>#log { source(src); filter(f_cnews); =
destination(console_all); };</FONT>
<BR><FONT SIZE=3D2>#log { source(src); filter(f_cother); =
destination(console_all); };</FONT>
</P>
<BR>
<P><FONT SIZE=3D2>####log { source(src); filter(f_cnews); =
destination(xconsole); };</FONT>
<BR><FONT SIZE=3D2>###log { source(src); filter(f_cother); =
destination(xconsole); };</FONT>
</P>
<P><FONT SIZE=3D2>log { source(src); filter(ppp); destination(ppp); =
};</FONT>
</P>
<P><FONT SIZE=3D2>log {</FONT>
<BR><FONT SIZE=3D2> =
source(src);</FONT>
<BR><FONT SIZE=3D2> =
destination(std);</FONT>
<BR><FONT SIZE=3D2>};</FONT>
</P>
<P><FONT =
SIZE=3D2>_______________________________________________</FONT>
<BR><FONT SIZE=3D2>syslog-ng maillist - =
syslog-ng@lists.balabit.hu</FONT>
<BR><FONT SIZE=3D2><A =
HREF=3D"https://lists.balabit.hu/mailman/listinfo/syslog-ng" =
TARGET=3D"_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A=
></FONT>
<BR><FONT SIZE=3D2>Frequently asked questions at <A =
HREF=3D"http://www.campin.net/syslog-ng/faq.html" =
TARGET=3D"_blank">http://www.campin.net/syslog-ng/faq.html</A></FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01C3FAFC.3354DCCF--