[syslog-ng]Getting Logs in Triplicate
Rhugga
syslog-ng@lists.balabit.hu
Tue, 18 Jan 2005 06:46:33 -0800 (PST)
I am getting 5 copies of each log message (previously I was getting only 3).
Here is my entire config file:
# Global options for the whole configuration.
options { long_hostnames(off); sync(0); };
# The only source in this file; every log statement below reads from it.
# It combines syslog-ng's own messages, local log sockets and remote UDP syslog.
source src {
internal();
unix-dgram("/dev/log");
# Extra log sockets under /var/lib/<service>/dev/log, presumably for daemons
# running in a chroot (dhcp, named, ntp, stunnel) - confirm against the host setup.
unix-dgram("/var/lib/dhcp/dev/log");
unix-dgram("/var/lib/named/dev/log");
unix-dgram("/var/lib/ntp/dev/log");
unix-dgram("/var/lib/stunnel/dev/log");
# NOTE(review): accepts UDP syslog on every interface. UDP syslog has no sender
# authentication, so any system that can reach port 514 can submit messages with
# an arbitrary host name, facility and level. Bind to the internal address or
# restrict the port with a packet filter to the known log clients.
udp(ip("0.0.0.0") port(514));
};
# General-purpose filters selecting by facility, level or message content.
# NOTE(review): f_console mixes "and" and "or" without parentheses. The intended
# grouping is presumably (warn and kern) or (err and not authpriv); adding the
# parentheses makes that explicit instead of relying on operator precedence.
filter f_console { level(warn) and facility(kern) or
level(err) and not facility(authpriv);
};
# News subsystem, split by level.
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit { level(crit) and facility(news); };
filter f_newserr { level(err) and facility(news); };
filter f_news { facility(news); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_warn { level(warn, err, crit); };
filter f_alert { level(alert); };
# Everything that is not news or mail; no host restriction, so messages from
# remote senders match as well.
filter f_messages { not facility(news, mail); };
filter f_local { facility(local0, local1, local2, local3,
local4, local5, local6, local7); };
# Kernel messages containing both "IN=" and "OUT=" (packet-filter log lines).
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
# Per-host filters. Each host has two filters: one for everything except the
# mail facility and one for the mail facility only.
# NOTE(review): host() is matched as a regular expression in syslog-ng, so an
# unanchored pattern such as "db-0201" presumably also matches any host name that
# merely contains that string. Because the host name of a UDP message is chosen
# by the sender, anchor the patterns (for example "^db-0201$") - verify the
# matching rules against the syslog-ng version in use.
# Everything except mail subsystem logs
filter f_db-0201 { host("db-0201") and not facility(mail); };
filter f_db-0202 { host("db-0202") and not facility(mail); };
filter f_db-0203 { host("db-0203") and not facility(mail); };
filter f_db-0204 { host("db-0204") and not facility(mail); };
filter f_db-0205 { host("db-0205") and not facility(mail); };
filter f_web-0201 { host("web-0201") and not facility(mail); };
filter f_web-0202 { host("web-0202") and not facility(mail); };
filter f_web-0205 { host("web-0205") and not facility(mail); };
filter f_web-2206 { host("web-2206") and not facility(mail); };
filter f_back-0202 { host("back-0202") and not facility(mail); };
filter f_file-0201 { host("file-0201") and not facility(mail); };
filter f_file-0202 { host("file-0202") and not facility(mail); };
# NOTE(review): f_syslog is declared here, but no log statement in this
# configuration references it; only f_syslog_mail is used.
filter f_syslog { host("syslog") and not facility(mail); };
filter f_hurley { host("hurley") and not facility(mail); };
# Only mail subsystem logs
filter f_db-0201_mail { host("db-0201") and facility(mail); };
filter f_db-0202_mail { host("db-0202") and facility(mail); };
filter f_db-0203_mail { host("db-0203") and facility(mail); };
filter f_db-0204_mail { host("db-0204") and facility(mail); };
filter f_db-0205_mail { host("db-0205") and facility(mail); };
filter f_web-0201_mail { host("web-0201") and facility(mail); };
filter f_web-0202_mail { host("web-0202") and facility(mail); };
filter f_web-0205_mail { host("web-0205") and facility(mail); };
filter f_web-2206_mail { host("web-2206") and facility(mail); };
filter f_file-0201_mail { host("file-0201") and facility(mail); };
filter f_file-0202_mail { host("file-0202") and facility(mail); };
filter f_back-0202_mail { host("back-0202") and facility(mail); };
filter f_hurley_mail { host("hurley") and facility(mail); };
filter f_syslog_mail { host("syslog") and facility(mail); };
# Catch All Filter For Mail and Everything Else
# These three filters have no host() condition, so they match messages from
# every sender: mail, cron, and everything that is neither.
filter f_master_syslogs { not facility(mail) and not facility(cron); };
filter f_master_maillogs { facility(mail); };
filter f_master_cronlogs { facility(cron); };
# Interactive destinations: a virtual console, the xconsole pipe and root's
# terminals.
# NOTE(review): f_console and f_alert have no host() condition, so messages
# received on the UDP source are written to these terminals too. Terminal output
# of text supplied by an unauthenticated sender is worth restricting to local
# messages.
destination console { file("/dev/tty10"); };
log { source(src); filter(f_console); destination(console); };
destination xconsole { pipe("/dev/xconsole"); };
log { source(src); filter(f_console); destination(xconsole); };
destination root { usertty("root"); };
log { source(src); filter(f_alert); destination(root); };
# Chuck - 14-JAN-2005
# Central log files under /var/log/syrrx. All are created as root:root with
# mode 0640 inside directories of mode 0750, and missing directories are created
# on demand.
destination master_syslogs { file("/var/log/syrrx/master_syslog", owner(root), group(root),
perm(0640), dir_perm(0750), create_dirs(yes), ); };
destination master_maillogs { file("/var/log/syrrx/master_maillog", owner(root), group(root),
perm(0640), dir_perm(0750), create_dirs(yes), ); };
destination master_cronlogs { file("/var/log/syrrx/master_cronlog", owner(root), group(root),
perm(0640), dir_perm(0750), create_dirs(yes), ); };
# NOTE(review): the two destinations below put $HOST into the file path and use
# create_dirs(yes), so the directory name is taken from the host value of each
# message. For UDP input that value is not authenticated; keep these destinations
# behind strict host() filters, and check how this syslog-ng version derives
# $HOST (options such as use_dns() and keep_hostname() influence it).
destination host_logs { file("/var/log/syrrx/$HOST/syslog", owner(root), group(root), perm(0640),
dir_perm(0750), create_dirs(yes), ); };
destination host_mail { file("/var/log/syrrx/$HOST/maillog", owner(root), group(root),
perm(0640), dir_perm(0750), create_dirs(yes), ); };
# Catch All
# Each message matches at most one of the three statements below (mail, cron, or
# neither), so each is written to one master file once per time it is received.
# NOTE(review): repeated identical lines in a master file therefore suggest the
# message arrived more than once; check the forwarding rules on the sending host.
log { source(src); filter(f_master_syslogs); destination(master_syslogs); };
log { source(src); filter(f_master_maillogs); destination(master_maillogs); };
log { source(src); filter(f_master_cronlogs); destination(master_cronlogs); };
# Host Based Log Files
# One log statement per host filter. None of them uses flags(final), so a
# message that matches here is still processed by every other log statement in
# the file and ends up in several destinations.
# Non-mail messages go to /var/log/syrrx/$HOST/syslog.
log { source(src); filter(f_file-0202); destination(host_logs); };
log { source(src); filter(f_file-0201); destination(host_logs); };
log { source(src); filter(f_db-0201); destination(host_logs); };
log { source(src); filter(f_db-0202); destination(host_logs); };
log { source(src); filter(f_db-0203); destination(host_logs); };
log { source(src); filter(f_db-0204); destination(host_logs); };
log { source(src); filter(f_db-0205); destination(host_logs); };
log { source(src); filter(f_web-0201); destination(host_logs); };
log { source(src); filter(f_web-0202); destination(host_logs); };
log { source(src); filter(f_web-0205); destination(host_logs); };
log { source(src); filter(f_web-2206); destination(host_logs); };
log { source(src); filter(f_back-0202); destination(host_logs); };
# NOTE(review): there is no statement routing f_syslog to host_logs, although
# the filter is declared and f_syslog_mail is routed below - possibly an omission.
log { source(src); filter(f_hurley); destination(host_logs); };
# Mail-facility messages go to /var/log/syrrx/$HOST/maillog.
log { source(src); filter(f_db-0201_mail); destination(host_mail); };
log { source(src); filter(f_db-0202_mail); destination(host_mail); };
log { source(src); filter(f_db-0203_mail); destination(host_mail); };
log { source(src); filter(f_db-0204_mail); destination(host_mail); };
log { source(src); filter(f_db-0205_mail); destination(host_mail); };
log { source(src); filter(f_web-0201_mail); destination(host_mail); };
log { source(src); filter(f_web-0202_mail); destination(host_mail); };
log { source(src); filter(f_web-0205_mail); destination(host_mail); };
log { source(src); filter(f_web-2206_mail); destination(host_mail); };
log { source(src); filter(f_file-0201_mail); destination(host_mail); };
log { source(src); filter(f_file-0202_mail); destination(host_mail); };
log { source(src); filter(f_syslog_mail); destination(host_mail); };
log { source(src); filter(f_hurley_mail); destination(host_mail); };
# Local files by facility and level. These destinations set no owner() or
# perm() of their own, and their filters have no host() condition, so messages
# received from remote senders are written here as well.
destination newscrit { file("/var/log/news/news.crit"); };
log { source(src); filter(f_newscrit); destination(newscrit); };
destination newserr { file("/var/log/news/news.err"); };
log { source(src); filter(f_newserr); destination(newserr); };
destination newsnotice { file("/var/log/news/news.notice"); };
# NOTE(review): this statement sends notice-level news to newserr, so the
# newsnotice destination declared on the previous line is never used;
# destination(newsnotice) was presumably intended.
log { source(src); filter(f_newsnotice); destination(newserr); };
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };
destination warn { file("/var/log/warn"); };
log { source(src); filter(f_warn); destination(warn); };
I am using "logger -p user.err test message" from a Solaris 9 system. This message is getting
logged 5 times to /var/log/syrrx/master_syslogs and also /var/log/syrrx/$HOST/syslog. The syslog
system is SLES 9 with all updates.
On the Solaris client, here is the syslog config:
# BEGIN syslog.conf
# Each line is a selector list followed by an action; a selector of the form
# facility.level matches that level and every more severe level.
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.alert;kern.err;daemon.err operator
*.alert root
*.emerg *
mail.debug ifdef(`LOGHOST', /var/log/syslog, @loghost)
ifdef(`LOGHOST', ,
user.err /dev/sysmsg
user.err /var/adm/messages
user.alert `root, operator'
user.emerg *
)
# BEGIN RAID Manager additions
# DO NOT EDIT from BEGIN above to END below...
user.err /dev/console
# END RAID Manager additions
# To syslog host
# NOTE(review): every line below is a separate forwarding action, and each
# selector also matches all more severe levels. A user.err message matches
# *.debug, *.info, *.notice, *.warning and *.err, so it is sent to @syslog five
# times, which would account for five copies on the log server. A single
# *.debug line forwards every level exactly once.
# Forwarding with @host uses UDP syslog, which provides neither encryption nor
# delivery confirmation - presumably acceptable only on a trusted network.
*.debug @syslog
*.info @syslog
*.notice @syslog
*.warning @syslog
*.err @syslog
*.crit @syslog
*.alert @syslog
*.emerg @syslog
# END syslog.conf
loghost is an alias to localhost and NOT the syslog box.
Any ideas?
Thx,
CC
=====
Chuck Carson - Sr. Systems Engineer
Syrrx, Inc. - www.syrrx.com
10410 Science Center Drive
San Diego, CA 92121
Work: 858.622.8528
Fax: 858.550.0526