[syslog-ng] Lines sorted into the wrong log files
David Miller
syslog at d.sparks.net
Tue Jun 14 17:17:57 CEST 2005
I upgraded a pair of debian (sarge) boxen to syslog-ng 1.6.5.
One is to be the central logging server, the other is a sample client.
I changed the destinations
of all the logs to just include tcp("ip_address");
On the server side I added tcp() to the source s_all {} statement.
My problem is that I'm getting more logging done on the remote side than
on the client side.
For example, the client has:
wiabweb2:/etc/syslog-ng# tail /var/log/cron.log
13 Jun 05:45:01 ntpdate[22494]: ntpdate 4.2.0a at 1:4.2.0a+stable-2-r Sun Jan 9 16:13:28 CET 2005 (1)
13 Jun 05:45:03 ntpdate[22494]: step time server 192.168.120.13 offset 1.988834 sec
but the remote server has:
Jun 13 16:51:01 192.168.120.27 CRON[1779]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 13 16:51:01 192.168.120.27 /USR/SBIN/CRON[12192]: (root) CMD (/bin/date >> /tmp/date)
Jun 13 16:52:01 192.168.120.27 CRON[18762]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
Jun 13 16:52:01 192.168.120.27 /USR/SBIN/CRON[172]: (root) CMD (/bin/date >> /tmp/date)
These "extra" entries show up in syslog on both systems.
Why would the remote system have the entries logged to more files than
the client?
***************** Long set of config files follows *********************
Rather than add a thousand lines of almost all config, I'll just add what I think is relevant.
On the server side,
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog() function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the above line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
tcp();
};
[snip]
######
# destinations
# some standard log files
destination df_auth { file("/var/log/$HOST/auth.log"); };
destination df_syslog { file("/var/log/$HOST/syslog"); };
destination df_cron { file("/var/log/$HOST/cron.log"); };
[snip]
######
# filters
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };
# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };
# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
[snip]
# *.*;auth,authpriv.none -/var/log/syslog
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
# this is commented out in the default syslog.conf
# cron.* /var/log/cron.log
log {
source(s_all);
filter(f_cron);
destination(df_cron);
};
========= On the client side =============
######
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog() function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the above line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
};
[snip]
######
# destinations
# some standard log files
destination df_auth { file("/var/log/auth.log"); tcp("192.168.120.49"); };
destination df_syslog { file("/var/log/syslog"); tcp("192.168.120.49"); };
destination df_cron { file("/var/log/cron.log"); tcp("192.168.120.49"); };
destination df_daemon { file("/var/log/daemon.log"); tcp("192.168.120.49"); };
destination df_kern { file("/var/log/kern.log"); tcp("192.168.120.49"); };
# destination df_lpr { file("/var/log/lpr.log"); tcp("192.168.120.49"); };
destination df_mail { file("/var/log/mail.log"); tcp("192.168.120.49"); };
######
# filters
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };
# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };
# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };
# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news);
};
# messages with priority emerg
filter f_emerg { level(emerg); };
# complex filter for messages usually sent to the xconsole
filter f_xconsole {
facility(daemon,mail)
or level(debug,info,notice,warn)
or (facility(news)
and level(crit,err,notice));
};
# *.*;auth,authpriv.none -/var/log/syslog
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
# this is commented out in the default syslog.conf ***** Why is ntpdate still logging into /var/log/cron ?
# cron.* /var/log/cron.log
# log {
# source(s_all);
# filter(f_cron);
# destination(df_cron);
#};
[snip]
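Added example (not from the post or from syslog-ng itself): a small Python model of how syslog-ng routes one message through the log {} statements quoted above. It decodes the syslog PRI into facility and level, applies the f_syslog and f_cron filters as written, and shows that because each log {} is evaluated independently (unless flags(final) is set), a cron message reaches both syslog and cron.log on the server but only syslog on the client, where the cron path is commented out. The PRI values and sample message names are constructed for the example.

```python
# Toy model of syslog-ng log-path routing, written to illustrate the configs
# quoted in the post above. This is not syslog-ng code: it only models
# facility/level filters and the rule that every log {} statement is tested
# on its own (syslog-ng only stops at the first match when flags(final) is set).

# RFC 3164 facility and severity codes: facility = PRI >> 3, severity = PRI & 7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) names."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

# Filters copied from the posted config, expressed as predicates on (facility, level).
FILTERS = {
    "f_auth":   lambda fac, lvl: fac in ("auth", "authpriv"),
    "f_syslog": lambda fac, lvl: fac not in ("auth", "authpriv"),
    "f_cron":   lambda fac, lvl: fac == "cron",
}

# log {} statements as (filter, destination file). The server has the cron
# path enabled; on the client it is commented out, exactly as in the post.
SERVER_PATHS = [("f_syslog", "syslog"), ("f_cron", "cron.log")]
CLIENT_PATHS = [("f_syslog", "syslog")]

def route(pri, paths):
    """Return every destination a message with this PRI is written to.

    Each log {} is evaluated independently, so a message matching both
    f_syslog and f_cron lands in both files."""
    fac, lvl = decode_pri(pri)
    return [dest for flt, dest in paths if FILTERS[flt](fac, lvl)]

# Constructed sample PRIs: cron.info = 9*8 + 6 = 78, authpriv.notice = 10*8 + 5 = 85.
CRON_INFO = 9 * 8 + 6
AUTHPRIV_NOTICE = 10 * 8 + 5

if __name__ == "__main__":
    for name, pri in (("cron.info", CRON_INFO), ("authpriv.notice", AUTHPRIV_NOTICE)):
        print(f"{name}: server -> {route(pri, SERVER_PATHS)}, "
              f"client -> {route(pri, CLIENT_PATHS)}")
```

The authpriv sample reaches neither file in this fragment because only the f_syslog and f_cron paths are modelled; in the full config it is carried by the f_auth path to auth.log.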