[syslog-ng] Getting Logs in Triplicate

Rhugga syslog-ng@lists.balabit.hu
Tue, 18 Jan 2005 09:14:49 -0800 (PST)


Solaris doesn't accept *.* notation; the only wildcard can be for the facility.
*.err  <--- ok

cron.* <--- bad

Also, when I test with logger, I only get 1 local copy, not 5. 

I also forgot to mention that the syslog.conf is the last version I tested with, other versions
did not use the same notation.

So let me understand what you wrote:

If I use 'logger -p user.err my test message' you're saying this is getting logged at multiple
priorities and/or facilities?

Or do you mean:

user.err     /some/file
user.crit    /some/file

Do you mean this syslog config will cause the previous logger statement to log twice? If so, that
would make sense, but I don't think the problem I am seeing is caused by this.

Ugh, I'm at a loss and the documentation is severely limiting.

Any ideas?

--- Wolfgang Braun <wolfgang.braun@gmx.de> wrote:

> On Tue, Jan 18, 2005 at 06:46:33AM -0800, Rhugga wrote:
> 
> Hi
> 
> > Getting 5 copies of each message. (was getting only 3 before, but now
> > getting 5 copies of each log message)
> 
> I think the main culprit is your syslogd.conf on the Solaris machine:
> 
> > # To syslog host
> > *.debug                                         @syslog
> > *.info                                          @syslog
> > *.notice                                        @syslog
> > *.warning                                       @syslog
> > *.err                                           @syslog
> > *.crit                                          @syslog
> > *.alert                                         @syslog
> > *.emerg                                         @syslog
> 
> syslog.conf(5) on Linux says if you put priority P in a rule everything
> with priority >= P will be logged. Check your syslog manual.
> 
> <man page>
> 
>    The behavior of the original BSD syslogd is that all messages  of  the
> specified  priority  and  higher  are  logged  according  to the given
> action. 
> 
> </man page>
> 
> Confirmed this with OpenBSD syslog. If I have
> 
> *.*		@loghost
> *.debug		@loghost
> 
> messages with priority >= debug are sent over the wire twice. 
> 
> If this is the case you can collapse your above statements to
> 
> *.* 		@loghost
> 
> to get only one copy of each msg.
> 
> 
> 
> > Here is my entire config file:
> > [...]
> 
> Just nitpicking but I think you could collapse most of your
> syslog-ng.conf if you took out the 'host("xyz")' out of the filters.
> Since they all go from the same source() to the same destination() with
> $HOST expansion they don't really accomplish anything.
> 
>  
> 
> -- 
> Wolfgang Braun, Dipl.-Inform. (FH)
> <wolfgang.braun@gmx.de>
> gpg-key:  1024D/4B32CE55 
> gpg-fingerprint: 7F0F DE82 94A5 B476 0E08  4972 AC95 31A3 4B32 CE55


=====
Chuck Carson - Sr. Systems Engineer
Syrrx, Inc. - www.syrrx.com
10410 Science Center Drive
San Diego, CA 92121
Work: 858.622.8528
Fax:  858.550.0526
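
The priority matching discussed in this message, as an added example that is not part of the original thread or of any syslogd: it counts how many rules select a given message under the BSD semantics quoted from the man page (a rule for priority P matches P and everything more severe). The parser is a simplification that handles one `facility.priority action` selector per line, and the function names are made up for this illustration.

```python
# Added example: count how many rules of a syslog.conf match one message.
# Assumes the BSD rule quoted above: a rule for priority P matches P and higher.

# Severity names, most severe first (index = numeric syslog severity).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_rules(conf_text):
    """Return (facility, priority, action) for each 'facility.priority action' line."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Simplification: one selector per line; ';' lists and 'none' are not handled.
        selector, action = line.split(None, 1)
        facility, priority = selector.split(".", 1)
        rules.append((facility, priority, action.strip()))
    return rules


def rule_matches(rule, facility, priority):
    """True if a message sent as facility.priority is selected by the rule."""
    rule_facility, rule_priority, _action = rule
    if rule_facility not in ("*", facility):
        return False
    if rule_priority == "*":
        return True
    # "Higher" priority means a lower severity number.
    return PRIORITIES.index(priority) <= PRIORITIES.index(rule_priority)


def copies_per_action(conf_text, facility, priority):
    """Map each action to the number of rules that select the message."""
    counts = {}
    for rule in parse_rules(conf_text):
        if rule_matches(rule, facility, priority):
            counts[rule[2]] = counts.get(rule[2], 0) + 1
    return counts


# The eight forwarding rules quoted in the thread, rebuilt here as sample input.
QUOTED_CONF = "# To syslog host\n" + "".join(f"*.{p}\t@syslog\n" for p in reversed(PRIORITIES))
# The two-rule OpenBSD test from the reply.
OPENBSD_TEST = "*.*\t\t@loghost\n*.debug\t\t@loghost\n"

if __name__ == "__main__":
    for pri in ("debug", "err", "emerg"):
        print(f"user.{pri}:", copies_per_action(QUOTED_CONF, "user", pri))
    print("user.err:", copies_per_action(OPENBSD_TEST, "user", "err"))
```

Under these assumptions the number of forwarded copies depends on the severity of the test message, so a duplicate count taken at one priority does not carry over to another.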