[syslog-ng] file written in the wrong place

Paolo Supino vrkid at yahoo.com
Sun Dec 25 15:22:55 CET 2005



--- Sandor Geller <wildy at balabit.hu> wrote:

> Paolo Supino wrote:
> > Hi 
> > 
> >  I've installed syslog-ng 1.6.8 on a Linux FC4 system to act as a
> > centralized logging server. For a while everything was fine, until I
> > tried to add another statement to one of the filters. After the
> > addition syslog-ng started writing the destination files in the wrong
> > places, writing the same file in 2 locations and ignoring messages sent
> > from certain origins.
> 
> Which filter is causing your problems?
> 
> > # destinations
> > destination d_switch { file("/var/log/company/switches/$HOST.log"
> > perm(0644)); };
> > destination d_edge { file("/var/log/company/edge_devices/$HOST.log"
> > perm(0644)); };
> > destination d_fw { file("/var/log/company/firewalls/$HOST.log"
> > perm(0644)); };
> > destination d_router { file("/var/log/company/routers/$HOST.log"
> > perm(0644)); };
> 
> Use the $FULLHOST macro, not just $HOST
> 
> > # filters
> > filter f_edge        { host("edge*") or host("10.10.*"); };
> > filter f_router      { host("3600-primary") or host("backbone-3550") or
> > host("secondary-3550"); };
> > filter f_switch      { host("sw*") or host("backbone-5510") or
> > host(pp8600*); };
> > filter f_fw          { host("fw*"); };
> 
> You should check your hostnames, whether they contain your filter
> patterns. I suggest using "^edge.*"-style regexp, this is more precise
> than "edge*". I suspect your fully qualified hostnames contain somewhere
> the "fw" or the "sw" strings.

The names of the hostnames only appear in the DNS server. The systems
themselves don't know the name.



> 
> > # wrap everything up
> > log { source(s_net); filter(f_switch); destination(d_switch); };
> > log { source(s_net); filter(f_router); destination(d_router); };
> > log { source(s_net); filter(f_edge); destination(d_edge); };
> > log { source(s_net); filter(f_fw); destination(d_fw); };
> 
> Consider using the "final" flag in your log sections, this can improve
> the performance of syslog-ng, but be aware that if you use final, then
> the order of your log sections does matter!
> 
   I will try this and see what happens. 




> -- 
> Sandor Geller
> wildy at balabit.hu


More information about the syslog-ng mailing list
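
Added example, not part of the original thread: a Python model of the four filters and log statements quoted above, assuming host() performs an unanchored regular-expression search as the reply implies. The hostnames, the anchored rewrite and the `route` helper are constructed for illustration.

```python
import re

# Filters as posted, in log-statement order (pp8600* was unquoted in the post).
POSTED = {
    "d_switch": ["sw*", "backbone-5510", "pp8600*"],
    "d_router": ["3600-primary", "backbone-3550", "secondary-3550"],
    "d_edge":   ["edge*", "10.10.*"],
    "d_fw":     ["fw*"],
}

# Anchored rewrite in the "^edge.*" style from the reply (assumed intent).
ANCHORED = {
    "d_switch": ["^sw", "^backbone-5510$", "^pp8600"],
    "d_router": ["^3600-primary$", "^backbone-3550$", "^secondary-3550$"],
    "d_edge":   ["^edge", r"^10\.10\."],
    "d_fw":     ["^fw"],
}

def route(host, rules, final=False):
    """Return the destinations a message from `host` is written to.

    Every log statement whose filter matches gets a copy; with final=True
    processing stops at the first match, so statement order decides.
    """
    hits = []
    for dest, patterns in rules.items():
        if any(re.search(p, host) for p in patterns):
            hits.append(dest)
            if final:
                break
    return hits

# Constructed sample hostnames / source addresses.
SAMPLES = ["fw-dmz", "sw-floor2", "secondary-3550", "edge-fra1", "192.168.110.105"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:16} posted={route(host, POSTED)} "
              f"posted+final={route(host, POSTED, final=True)} "
              f"anchored={route(host, ANCHORED)}")
```

As a regexp, "sw*" means "s followed by zero or more w", so it matches any hostname containing an "s", and "fw*" matches any hostname containing an "f"; that is enough to produce duplicate files and, once "final" is set, files under the wrong directory.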