[syslog-ng]Getting Logs in Triplicate
Aakin N. Patel
syslog-ng@lists.balabit.hu
Tue, 18 Jan 2005 13:32:36 -0500
: Solaris doesn't accept *.* notation, the only wildcard can be for the facility.
: *.err <--- ok
:
: cron.* <--- bad
However, if you use a wildcard for a facility, it will also log
everything above that facility. So,
*.info
Will send all log messages to that stream.
- Aakin
:
: Also, when I test with logger, I only get 1 local copy, not 5.
:
: I also forgot to mention that the syslog.conf is the last version I tested with, other versions
: did not use the same notation.
:
: So let me understand what you wrote:
:
: If I use 'logger -p user.err my test message' your saying this is getting logged at multiple
: priorities and/or facilies?
:
: Or do you mean:
:
: user.err /some/file
: user.crit /some/file
:
: Do you mean this syslog config will cause the previous logger statement to log twice? If so, that
: would make sense, but I don't think the problem I am seeing is caused by this.
:
: Ugh, I'm at a loss and the documentation is severely limiting.
:
: Any ideas?
:
: --- Wolfgang Braun <wolfgang.braun@gmx.de> wrote:
:
: > On Tue, Jan 18, 2005 at 06:46:33AM -0800, Rhugga wrote:
: >
: > Hi
: >
: > > Getting 5 copies of each message. (was getting only 3 before, but now
: > > getting 5 copies of each log message)
: >
: > I think the main culprit is your syslogd.conf on the Solaris machine:
: >
: > > # To syslog host
: > > *.debug @syslog
: > > *.info @syslog
: > > *.notice @syslog
: > > *.warning @syslog
: > > *.err @syslog
: > > *.crit @syslog
: > > *.alert @syslog
: > > *.emerg @syslog
: >
: > syslog.conf(5) on Linux says if you put priority P in a rule everything
: > with priority >= P will be logged. Check your syslog manual.
: >
: > <man page>
: >
: > The behavior of the original BSD syslogd is that all messages of the
: > specified priority and higher are logged according to the given
: > action.
: >
: > </man page>
: >
: > Confirmed this with OpenBSD syslog. If I have
: >
: > *.* @loghost
: > *.debug @loghost
: >
: > messages with priority >= debug are sent over the wire twice.
: >
: > If this is the case you can collapse your above statements to
: >
: > *.* @loghost
: >
: > to get only one copy of each msg.
: >
: >
: >
: > > Here is my entire config file:
: > > [...]
: >
: > Just nitpicking but I think you could collapse most of your
: > syslog-ng.conf if you took out the 'host("xyz")' out of the filters.
: > Since they all go from the same source() to the same destination() with
: > $HOST expansion they don't really accomplish anything.
: >
: >
: >
: > --
: > Wolfgang Braun, Dipl.-Inform. (FH)
: > <wolfgang.braun@gmx.de>
: > gpg-key: 1024D/4B32CE55
: > gpg-fingerprint: 7F0F DE82 94A5 B476 0E08 4972 AC95 31A3 4B32 CE55
: > _______________________________________________
: > syslog-ng maillist - syslog-ng@lists.balabit.hu
: > https://lists.balabit.hu/mailman/listinfo/syslog-ng
: > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
: >
: >
:
:
: =====
: Chuck Carson - Sr. Systems Engineer
: Syrrx, Inc. - www.syrrx.com
: 10410 Science Center Drive
: San Diego, CA 92121
: Work: 858.622.8528
: Fax: 858.550.0526
: _______________________________________________
: syslog-ng maillist - syslog-ng@lists.balabit.hu
: https://lists.balabit.hu/mailman/listinfo/syslog-ng
: Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
: