[syslog-ng] strange message handling in syslog-ng
BURRUSS, RICHARD S (ASI)
rb3575 at att.com
Wed Feb 1 18:15:42 CET 2006
Hello all,
I am trying to set up a new central syslogd server. I want to keep
logging locally as well as on the new server. I have my syslogd.conf
from the local machines and my syslog-ng.conf from the central server
listed below. The problem I am having is that some messages being sent
to the log server are not being sorted by their hostname field. They are
instead being broken down into many different directories as shown in
the example below. So, instead of the message going to the correct
directory for that hostname, it creates numerous new directories named
after fragments of the message, each beginning with a ".". Odd.
I can't figure out why these messages are being handled this way.
Can anyone help please?
Example of the directories being created. The first seven entries should
not be there.
# cd /var/log/HOSTS
# ls -la
total 28
drwx------ 14 root root 512 Jan 26 22:31 .
drwxr-xr-x 6 root sys 512 Jan 11 10:44 ..
drwx------ 3 root root 512 Jan 26 22:31 .Cmd
drwx------ 3 root root 512 Jan 26 22:31 .Disconnected
drwx------ 3 root root 512 Jan 26 22:29 .SCSI
drwx------ 3 root root 512 Jan 26 22:31 .got
drwx------ 3 root root 512 Jan 26 22:31 .pkt_flags=0x4000
drwx------ 3 root root 512 Jan 26 22:31 .pkt_scbp=0x0
drwx------ 3 root root 512 Jan 26 00:02 SRS
drwx------ 3 root root 512 Jan 11 15:18 dbln-jumpstart
drwx------ 3 root root 512 Jan 25 15:33 eight
drwx------ 3 root root 512 Jan 11 11:23 ndpsunray1
drwx------ 3 root root 512 Jan 11 13:27 ndpsunray2
drwx------ 3 root root 512 Jan 25 15:26 nine
#
syslogd.conf
#ident "@(#)syslog.conf 1.4 96/10/11 SMI" /* SunOS 5.0 */
#
# Copyright (c) 1991-1993, by Sun Microsystems, Inc.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words. Also, within ifdef's, arguments
# containing commas must be quoted.
#
# Local copy plus central copy: most selectors below appear twice, once
# with a local action (/dev/console, /var/adm/messages, a user) and once
# with "@loghost", so the same messages reach both the local files and the
# central server. "@host" is classic syslogd relaying (UDP, clear text, no
# authentication); the hostname the log server files the message under is
# whatever the sending syslogd writes into the message header.
#
# *.err;kern.notice;auth.notice /dev/console
kern.notice;user.err /dev/console
kern.notice @loghost
auth.info /var/adm/messages
auth.info @loghost
*.err;daemon.none;kern.info;mail.crit /var/adm/messages
*.err;daemon.none;kern.info;mail.crit @loghost
daemon.crit /var/adm/messages
daemon.crit @loghost
daemon.notice /var/adm/messages
daemon.notice @loghost
*.alert;kern.err;daemon.err operator
*.alert root
# "*" as the action writes to every logged-in user
*.emerg *
mail.info /var/adm/messages
mail.debug @loghost
user.alert @loghost
user.alert /var/adm/messages
syslog-ng.conf
#
# syslog-ng package built by Nate Campi <nate at campin.net>
#
# This should behave pretty much like the original syslog on SunOS. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb at sysfive.com
# NOTE(review): keep_hostname(yes) makes syslog-ng trust the hostname field
# inside each received message. For the udp() source below that field is
# written by the sender, so whatever a remote host puts there becomes $HOST
# and, via the "std" destination, a directory name under /var/log/HOSTS.
# The stray .Cmd / .SCSI / .pkt_flags=0x4000 directories are presumably this
# effect: messages whose hostname field is missing or malformed (they look
# like fragments of a multi-word kernel warning) get a word of the message
# body taken as the host name - confirm against the raw messages. With
# keep_hostname(no) the host name is derived from the sender's address
# (resolved, since use_dns is on) instead of from message content, which a
# sender cannot set through the message body.
options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (yes);
use_fqdn (no);
# global default; the "std" destination overrides it with create_dirs(yes)
create_dirs (no);
keep_hostname (yes);
};
# Local Solaris log stream (door-based /dev/log).
source s_sys {
sun-stream ("/dev/log" door("/etc/.syslog_door"));
};
# Remote messages from the client machines. udp() is given no ip() or port(),
# so it presumably listens on the default syslog port on every address;
# restrict it with ip() if the server is multi-homed - confirm for this build.
source net {
udp();
};
# syslog-ng's own messages.
source s_internal {
internal();
};
# Local destinations mirroring the SunOS syslog.conf actions.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/messages"); };
destination d_mail { file("/var/log/syslog"); };
destination d_auth { file("/var/log/authlog"); };
destination d_mlop { usertty("operator"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
# Per-host tree for remote messages. $HOST in this path comes straight from
# the message (see keep_hostname above) and create_dirs(yes) means any sender
# can cause a new directory to be created under /var/log/HOSTS simply by
# choosing a hostname; perm(0600)/dir_perm(0700) at least keep the tree
# root-only.
destination std {
file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$FACILITY$YEAR$MONTH$DAY"
owner(root) group(root) perm(0600) dir_perm(0700)
create_dirs(yes) );};
# Filters approximating the selectors of the SunOS syslog.conf; each is
# paired with one destination in the log statements below.
filter f_filter1 { level(err) or
(level(notice) and facility (auth, kern)); };
filter f_filter2 { level(err) or
(facility(kern) and level(notice)) or
(facility(daemon) and level(notice)) or
(facility(mail) and level(crit)); };
filter f_filter3 { level(alert) or
(facility(kern) and level(err)) or
(facility(daemon) and level(err)); };
filter f_filter4 { level(alert); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(kern) and level(notice); };
filter f_filter7 { facility(mail) and level(debug); };
filter f_filter8 { facility(user) and level(err); };
filter f_filter9 { facility(user) and level(alert); };
# Remote messages: no filter, everything received on udp() goes to "std".
log { source(net); destination(std); };
# Local messages: one log statement per SunOS selector line.
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_mlop); };
log { source(s_sys); filter(f_filter4); destination(d_mlrt); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_auth); };
log { source(s_sys); filter(f_filter7); destination(d_mail); };
log { source(s_sys); filter(f_filter8); destination(d_cons);
destination(d_mesg); };
log { source(s_sys); filter(f_filter9); destination(d_mlop);
destination(d_mlrt); };
# syslog-ng's own messages go to the local messages file only.
log {
source(s_internal);
destination(d_mesg);
};
Thanks for looking,