[syslog-ng]syslog duplicate entries
Dylan Bouterse
syslog-ng@lists.balabit.hu
Tue, 24 Feb 2004 14:02:48 -0500
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C3FB08.CB0246A0
Content-Type: text/plain;
charset="iso-8859-1"
Should I be able to remove all of the destination lines following std and
still get the localhost's log information to it's host directory based on
the "destination std" line?
Dylan
-----Original Message-----
From: Hamilton Andrew [mailto:Andrew.Hamilton@afccc.af.mil]
Sent: Tuesday, February 24, 2004 12:33 PM
To: syslog-ng@lists.balabit.hu
Subject: RE: [syslog-ng]syslog duplicate entries
Look at your filter, f_syslog, destination d_syslog, and your log line that
includes d_syslog. Your filter f_syslog includes everything except
facilities auth, and authpriv. If you are confident that you don't need
your syslog line you can comment that out as well to keep you from getting
duplicates in you /var/log/syslog file.
Regards,
Drew
-----Original Message-----
From: Dylan (FHMS) [ mailto:dhbouterse@fhmsi.com
<mailto:dhbouterse@fhmsi.com> ]
Sent: Tuesday, February 24, 2004 12:25 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]syslog duplicate entries
I have my syslog-ng setup so that external syslog hosts are creating their
own dir and log file (see conf file below). One problem I'm having is that
all of the hosts' logs are being written to /var/log/syslog as
well...creating a 6Gig file or larger per week. Can someone please point out
what I can change with my conf file to eliminate the duplicate entries?
Thank you!
Dylan
#############################################
### syslog-ng.conf file
#############################################
options
{
check_hostname(yes);
chain_hostnames(no);
create_dirs (yes);
dir_perm(0755);
dns_cache(yes);
keep_hostname(yes);
log_fifo_size(2048);
log_msg_size(8192);
long_hostnames(on);
perm(0644);
stats(3600);
sync(0);
time_reopen (10);
use_dns(yes);
use_fqdn(no);
};
#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
#source src { unix-dgram("/dev/log"); internal(); };
#
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
source src { unix-dgram("/dev/log"); internal(); udp(); tcp(port(514)
keep-alive(yes) max-connections(25));};
destination std {
#
file("/var/log/HOSTS/$YEAR/$HOST/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
file("/var/log/HOSTS/$HOST/$HOST.syslog"
owner(nagios) group(nagios) perm(0600) dir_perm(0700)
create_dirs(yes)
);
};
# After that set destinations.
# First some standard logfile
#
destination authlog { file("/var/log/auth.log" owner("root") group("adm")
perm(0640)); };
destination syslog { file("/var/log/syslog" owner("root") group("adm")
perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm")
perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm")
perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm")
perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm")
perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm")
perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm")
perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm")
perm(0640)); };
# This files are the log come from the mail subsystem.
#
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm")
perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm")
perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm")
perm(0640)); };
# Logging for INN news system
#
destination newscrit { file("/var/log/news/news.crit" owner("root")
group("adm")
perm(0640)); };
destination newserr { file("/var/log/news/news.err" owner("root")
group("adm")
perm(0640)); };
destination newsnotice { file("/var/log/news/news.notice" owner("root")
group("adm") perm(0640)); };
# Some `catch-all' logfiles.
#
#destination debug { file("/var/log/debug" owner("root") group("adm")
#perm(0640)); };
#destination messages { file("/var/log/messages" owner("root") group("adm")
#perm(0640)); };
# The root's console.
#
destination console { usertty("root"); };
# Virtual console.
#
destination console_all { file("/dev/tty8"); };
# The named pipe /dev/xconsole is for the nsole' utility. To use it,
# you must invoke nsole' with the -file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
#destination xconsole { pipe("/dev/xconsole"); };
destination ppp { file("/var/log/ppp.log" owner("root") group("adm")
perm(0640)); };
# Here's come the filter options. With this rules, we can set which
# message go where.
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon,
mail);
};
filter ppp { facility(local2); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice);
destination(newsnotice);
};
#log { source(src); filter(f_debug); destination(debug); };
#log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_cnews); destination(console_all); };
#log { source(src); filter(f_cother); destination(console_all); };
####log { source(src); filter(f_cnews); destination(xconsole); };
###log { source(src); filter(f_cother); destination(xconsole); };
log { source(src); filter(ppp); destination(ppp); };
log {
source(src);
destination(std);
};
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
<https://lists.balabit.hu/mailman/listinfo/syslog-ng>
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
<http://www.campin.net/syslog-ng/faq.html>
------_=_NextPart_001_01C3FB08.CB0246A0
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>RE: [syslog-ng]syslog duplicate entries</TITLE>
<META content="MSHTML 6.00.2800.1276" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=167560119-24022004><FONT face=Arial color=#0000ff size=2>Should
I be able to remove all of the destination lines following std and still get the
localhost's log information to it's host directory based on the "destination
std" line?</FONT></SPAN></DIV>
<DIV><SPAN class=167560119-24022004><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=167560119-24022004><FONT face=Arial color=#0000ff
size=2>Dylan</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> Hamilton Andrew
[mailto:Andrew.Hamilton@afccc.af.mil]<BR><B>Sent:</B> Tuesday, February 24,
2004 12:33 PM<BR><B>To:</B> syslog-ng@lists.balabit.hu<BR><B>Subject:</B> RE:
[syslog-ng]syslog duplicate entries<BR><BR></FONT></DIV>
<P><FONT size=2>Look at your filter, f_syslog, destination d_syslog, and your
log line that includes d_syslog. Your filter f_syslog includes
everything except facilities auth, and authpriv. If you are confident
that you don't need your syslog line you can comment that out as well to keep
you from getting duplicates in you /var/log/syslog file.</FONT></P>
<P><FONT size=2>Regards,</FONT> </P>
<P><FONT size=2>Drew</FONT> </P>
<P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Dylan
(FHMS) [<A
href="mailto:dhbouterse@fhmsi.com">mailto:dhbouterse@fhmsi.com</A>]</FONT>
<BR><FONT size=2>Sent: Tuesday, February 24, 2004 12:25 PM</FONT> <BR><FONT
size=2>To: 'syslog-ng@lists.balabit.hu'</FONT> <BR><FONT size=2>Subject:
[syslog-ng]syslog duplicate entries</FONT> </P><BR>
<P><FONT size=2>I have my syslog-ng setup so that external syslog hosts are
creating their</FONT> <BR><FONT size=2>own dir and log file (see conf file
below). One problem I'm having is that</FONT> <BR><FONT size=2>all of the
hosts' logs are being written to /var/log/syslog as</FONT> <BR><FONT
size=2>well...creating a 6Gig file or larger per week. Can someone please
point out</FONT> <BR><FONT size=2>what I can change with my conf file to
eliminate the duplicate entries?</FONT> <BR><FONT size=2>Thank you!</FONT>
</P>
<P><FONT size=2>Dylan</FONT> </P>
<P><FONT size=2>#############################################</FONT> <BR><FONT
size=2>### syslog-ng.conf file</FONT> <BR><FONT
size=2>#############################################</FONT> </P>
<P><FONT size=2>options</FONT> <BR><FONT size=2> {</FONT> <BR><FONT
size=2> check_hostname(yes);</FONT> <BR><FONT
size=2> chain_hostnames(no);</FONT> <BR><FONT
size=2> create_dirs (yes);</FONT> <BR><FONT
size=2> dir_perm(0755);</FONT> <BR><FONT
size=2> dns_cache(yes);</FONT> <BR><FONT
size=2> keep_hostname(yes);</FONT> <BR><FONT
size=2> log_fifo_size(2048);</FONT> <BR><FONT
size=2> log_msg_size(8192);</FONT> <BR><FONT
size=2> long_hostnames(on);</FONT> <BR><FONT
size=2> perm(0644);</FONT> <BR><FONT
size=2> stats(3600);</FONT> <BR><FONT
size=2> sync(0);</FONT> <BR><FONT size=2>
time_reopen (10);</FONT> <BR><FONT size=2>
use_dns(yes);</FONT> <BR><FONT size=2> use_fqdn(no);</FONT>
<BR><FONT size=2> };</FONT> <BR><FONT size=2>#</FONT> <BR><FONT size=2>#
This is the default behavior of sysklogd package</FONT> <BR><FONT size=2>#
Logs may come from unix stream, but not from another machine.</FONT> <BR><FONT
size=2>#</FONT> <BR><FONT size=2>#source src { unix-dgram("/dev/log");
internal(); };</FONT> </P>
<P><FONT size=2>#</FONT> <BR><FONT size=2># If you wish to get logs from
remote machine you should uncomment</FONT> <BR><FONT size=2># this and comment
the above source line.</FONT> <BR><FONT size=2>#</FONT> <BR><FONT
size=2>source src { unix-dgram("/dev/log"); internal(); udp();
tcp(port(514)</FONT> <BR><FONT size=2>keep-alive(yes)
max-connections(25));};</FONT> </P>
<P><FONT size=2>destination std {</FONT> <BR><FONT size=2>#</FONT> <BR><FONT
size=2>file("/var/log/HOSTS/$YEAR/$HOST/$MONTH/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"</FONT>
<BR><FONT size=2>
file("/var/log/HOSTS/$HOST/$HOST.syslog"</FONT> </P>
<P><FONT size=2> owner(nagios)
group(nagios) perm(0600) dir_perm(0700)</FONT> <BR><FONT
size=2>create_dirs(yes)</FONT> <BR><FONT
size=2> );</FONT> <BR><FONT
size=2>};</FONT> </P>
<P><FONT size=2># After that set destinations.</FONT> </P>
<P><FONT size=2># First some standard logfile</FONT> <BR><FONT size=2>#</FONT>
<BR><FONT size=2>destination authlog { file("/var/log/auth.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination syslog { file("/var/log/syslog" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination cron { file("/var/log/cron.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination daemon { file("/var/log/daemon.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination kern { file("/var/log/kern.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination lpr { file("/var/log/lpr.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination mail { file("/var/log/mail.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination user { file("/var/log/user.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination uucp { file("/var/log/uucp.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> </P><BR>
<P><FONT size=2># This files are the log come from the mail subsystem.</FONT>
<BR><FONT size=2>#</FONT> <BR><FONT size=2>destination mailinfo {
file("/var/log/mail.info" owner("root") group("adm")</FONT> <BR><FONT
size=2>perm(0640)); };</FONT> <BR><FONT size=2>destination mailwarn {
file("/var/log/mail.warn" owner("root") group("adm")</FONT> <BR><FONT
size=2>perm(0640)); };</FONT> <BR><FONT size=2>destination mailerr {
file("/var/log/mail.err" owner("root") group("adm")</FONT> <BR><FONT
size=2>perm(0640)); };</FONT> </P>
<P><FONT size=2># Logging for INN news system</FONT> <BR><FONT size=2>#</FONT>
<BR><FONT size=2>destination newscrit { file("/var/log/news/news.crit"
owner("root")</FONT> <BR><FONT size=2>group("adm")</FONT> <BR><FONT
size=2>perm(0640)); };</FONT> <BR><FONT size=2>destination newserr {
file("/var/log/news/news.err" owner("root")</FONT> <BR><FONT
size=2>group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> <BR><FONT
size=2>destination newsnotice { file("/var/log/news/news.notice"
owner("root")</FONT> <BR><FONT size=2>group("adm") perm(0640)); };</FONT> </P>
<P><FONT size=2># Some `catch-all' logfiles.</FONT> <BR><FONT size=2>#</FONT>
<BR><FONT size=2>#destination debug { file("/var/log/debug" owner("root")
group("adm")</FONT> <BR><FONT size=2>#perm(0640)); };</FONT> <BR><FONT
size=2>#destination messages { file("/var/log/messages" owner("root")
group("adm")</FONT> <BR><FONT size=2>#perm(0640)); };</FONT> </P>
<P><FONT size=2># The root's console.</FONT> <BR><FONT size=2>#</FONT>
<BR><FONT size=2>destination console { usertty("root"); };</FONT> </P>
<P><FONT size=2># Virtual console.</FONT> <BR><FONT size=2>#</FONT> <BR><FONT
size=2>destination console_all { file("/dev/tty8"); };</FONT> </P>
<P><FONT size=2># The named pipe /dev/xconsole is for the nsole'
utility. To use it,</FONT> <BR><FONT size=2># you must invoke nsole'
with the -file' option:</FONT> <BR><FONT size=2>#</FONT> <BR><FONT
size=2># $ xconsole -file /dev/xconsole [...]</FONT>
<BR><FONT size=2>#</FONT> <BR><FONT size=2>#destination xconsole {
pipe("/dev/xconsole"); };</FONT> </P>
<P><FONT size=2>destination ppp { file("/var/log/ppp.log" owner("root")
group("adm")</FONT> <BR><FONT size=2>perm(0640)); };</FONT> </P>
<P><FONT size=2># Here's come the filter options. With this rules, we can set
which</FONT> <BR><FONT size=2># message go where.</FONT> </P>
<P><FONT size=2>filter f_authpriv { facility(auth, authpriv); };</FONT>
<BR><FONT size=2>filter f_syslog { not facility(auth, authpriv); };</FONT>
<BR><FONT size=2>filter f_cron { facility(cron); };</FONT> <BR><FONT
size=2>filter f_daemon { facility(daemon); };</FONT> <BR><FONT size=2>filter
f_kern { facility(kern); };</FONT> <BR><FONT size=2>filter f_lpr {
facility(lpr); };</FONT> <BR><FONT size=2>filter f_mail { facility(mail);
};</FONT> <BR><FONT size=2>filter f_user { facility(user); };</FONT> <BR><FONT
size=2>filter f_uucp { facility(uucp); };</FONT> </P>
<P><FONT size=2>filter f_news { facility(news); };</FONT> </P>
<P><FONT size=2>filter f_debug { not facility(auth, authpriv, news, mail);
};</FONT> <BR><FONT size=2>filter f_messages { level(info .. warn)</FONT>
<BR><FONT size=2> and not
facility(auth, authpriv, cron, daemon, mail, news); };</FONT> <BR><FONT
size=2>filter f_emergency { level(emerg); };</FONT> </P>
<P><FONT size=2>filter f_info { level(info); };</FONT> <BR><FONT size=2>filter
f_notice { level(notice); };</FONT> <BR><FONT size=2>filter f_warn {
level(warn); };</FONT> <BR><FONT size=2>filter f_crit { level(crit); };</FONT>
<BR><FONT size=2>filter f_err { level(err); };</FONT> </P>
<P><FONT size=2>filter f_cnews { level(notice, err, crit) and facility(news);
};</FONT> <BR><FONT size=2>filter f_cother { level(debug, info, notice, warn)
or facility(daemon,</FONT> <BR><FONT size=2>mail);</FONT> <BR><FONT
size=2>};</FONT> </P>
<P><FONT size=2>filter ppp { facility(local2); };</FONT> </P>
<P><FONT size=2>log { source(src); filter(f_authpriv); destination(authlog);
};</FONT> <BR><FONT size=2>log { source(src); filter(f_syslog);
destination(syslog); };</FONT> <BR><FONT size=2>#log { source(src);
filter(f_cron); destination(cron); };</FONT> <BR><FONT size=2>log {
source(src); filter(f_daemon); destination(daemon); };</FONT> <BR><FONT
size=2>log { source(src); filter(f_kern); destination(kern); };</FONT>
<BR><FONT size=2>log { source(src); filter(f_lpr); destination(lpr); };</FONT>
<BR><FONT size=2>log { source(src); filter(f_mail); destination(mail);
};</FONT> <BR><FONT size=2>log { source(src); filter(f_user);
destination(user); };</FONT> <BR><FONT size=2>log { source(src);
filter(f_uucp); destination(uucp); };</FONT> <BR><FONT size=2>log {
source(src); filter(f_mail); filter(f_info); destination(mailinfo); };</FONT>
<BR><FONT size=2>log { source(src); filter(f_mail); filter(f_warn);
destination(mailwarn); };</FONT> <BR><FONT size=2>log { source(src);
filter(f_mail); filter(f_err); destination(mailerr); };</FONT> <BR><FONT
size=2>log { source(src); filter(f_news); filter(f_crit);
destination(newscrit); };</FONT> <BR><FONT size=2>log { source(src);
filter(f_news); filter(f_err); destination(newserr); };</FONT> <BR><FONT
size=2>log { source(src); filter(f_news); filter(f_notice);</FONT> <BR><FONT
size=2>destination(newsnotice);</FONT> <BR><FONT size=2>};</FONT> <BR><FONT
size=2>#log { source(src); filter(f_debug); destination(debug); };</FONT>
<BR><FONT size=2>#log { source(src); filter(f_messages);
destination(messages); };</FONT> <BR><FONT size=2>log { source(src);
filter(f_emergency); destination(console); };</FONT> </P>
<P><FONT size=2>#log { source(src); filter(f_cnews); destination(console_all);
};</FONT> <BR><FONT size=2>#log { source(src); filter(f_cother);
destination(console_all); };</FONT> </P><BR>
<P><FONT size=2>####log { source(src); filter(f_cnews); destination(xconsole);
};</FONT> <BR><FONT size=2>###log { source(src); filter(f_cother);
destination(xconsole); };</FONT> </P>
<P><FONT size=2>log { source(src); filter(ppp); destination(ppp); };</FONT>
</P>
<P><FONT size=2>log {</FONT> <BR><FONT
size=2> source(src);</FONT>
<BR><FONT size=2>
destination(std);</FONT> <BR><FONT size=2>};</FONT> </P>
<P><FONT size=2>_______________________________________________</FONT>
<BR><FONT size=2>syslog-ng maillist -
syslog-ng@lists.balabit.hu</FONT> <BR><FONT size=2><A
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target=_blank>https://lists.balabit.hu/mailman/listinfo/syslog-ng</A></FONT>
<BR><FONT size=2>Frequently asked questions at <A
href="http://www.campin.net/syslog-ng/faq.html"
target=_blank>http://www.campin.net/syslog-ng/faq.html</A></FONT>
</P></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C3FB08.CB0246A0--