[syslog-ng] file written in the wrong place
Sandor Geller
wildy at balabit.hu
Fri Dec 23 09:27:59 CET 2005
Paolo Supino wrote:
> Hi
>
> I've installed syslog-ng 1.6.8 on a Linux FC4 system to act as a
> centeralized logging server. For a while everything was fine, until I
> tried to add another statement to one of the filters. After the
> addition syslog-ng started writing the destination files in the wrong
> places, writing the same file in 2 locations and ignoring messages sent
> from certain origins.
Which filter is causing your problems?
> # destinations
> destination d_switch { file("/var/log/company/switches/$HOST.log"
> perm(0644)); };
> destination d_edge { file("/var/log/company/edge_devices/$HOST.log"
> perm(0644)); };
> destination d_fw { file("/var/log/company/firewalls/$HOST.log"
> perm(0644)); };
> destination d_router { file("/var/log/company/routers/$HOST.log"
> perm(0644)); };
Use the $FULLHOST macro, not just $HOST
> # filters
> filter f_edge { host("edge*") or host("10.10.*"); };
> filter f_router { host("3600-primary") or host("backbone-3550") or
> host("secondary-3550"); };
> filter f_switch { host("sw*") or host("backbone-5510") or
> host(pp8600*); };
> filter f_fw { host("fw*"); };
You should check your hostnames, whether they contain your filter
patterns. I suggest using "^edge.*"-style regexp, this is more precise
than "edge*". I suspect your fully qualified hostnames contain somewhere
the "fw" or the "sw" strings.
> # wrap everything up
> log { source(s_net); filter(f_switch); destination(d_switch); };
> log { source(s_net); filter(f_router); destination(d_router); };
> log { source(s_net); filter(f_edge); destination(d_edge); };
> log { source(s_net); filter(f_fw); destination(d_fw); };
Consider using the "final" flag in your log sections, this can improve
the performance of syslog-ng, but be aware that if sou use final, then
the order of your log sections does matter!
--
Sandor Geller
wildy at balabit.hu
More information about the syslog-ng
mailing list