[syslog-ng] Re: logs written twice

Valdis.Kletnieks at vt.edu
Fri Nov 3 08:49:59 CET 2006


On Wed, 01 Nov 2006 15:07:01 EST, Nick Baronian said:
> filter f_syslog { not facility(authpriv, mail) and not match("ppp.*LCP"); };
> filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

> Is this what most people do?  Why not just remove the filter for the
> messages since the syslog kind of catches it all and the messages
> drops so little?

This would probably make more sense if you had more than 2 filter statements,
and had ones for facility 'mail' and 'auth*'...

Here's what you probably wanted (or something similar):

# mail and auth/authpriv get their own filters so they can go to separate
# files; match() takes a quoted regular expression.
filter f_mail     { facility(mail); };
filter f_auth     { facility(auth) or facility(authpriv); };
filter f_syslog   { not facility(authpriv, mail) and not match("ppp.*LCP"); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

The reasoning is that maillog and newslog can each be hundreds of meg or even
gigabytes per day on a busy system, so you want those split out so if you're
looking for a mail-related syslog msg, you can grep that one gigabyte file, but
if you wanted anything else, you can save a lot of resources.

seclog is separate because it probably wants mode 0600, while most logfiles can
be 0644.

I admit not understanding why you had a syslog and messages that were almost
identical, unless the plan was to have them with different permissions, so
different people could read them (in production, the biggest likely difference
is that f_messages will catch all your LCP messages and f_syslog won't.)
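A complete syslog-ng configuration built around the four filters above, added here as an example and not taken from the original post: it wires the filters to separate files, gives the security log the 0600 mode the post mentions, and uses flags(final) on the mail, news and auth log paths so a message written to maillog, newslog or secure is not also written to syslog or messages (the double-writing in the thread's subject). The @version line, the source definition, the file paths and the destination names are assumptions; match() without value() matches the whole message in syslog-ng 1.x/2.x and still works in 3.x, where match("..." value("MESSAGE")) is the preferred form.

```conf
# Added example: a full syslog-ng configuration around the post's filters.
# Version line, source, paths and destination names are assumptions.
@version: 3.0

options { use_dns(no); create_dirs(yes); };

# Local log input (system() is the shorthand on syslog-ng 3.2 and later).
source s_local {
    unix-stream("/dev/log");
    internal();
};

filter f_mail     { facility(mail); };
filter f_auth     { facility(auth) or facility(authpriv); };
filter f_news     { facility(news); };
filter f_syslog   { not facility(authpriv, mail) and not match("ppp.*LCP"); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

# Bulky mail and news traffic go to their own world-readable files.
destination d_mail { file("/var/log/maillog" perm(0644)); };
destination d_news { file("/var/log/newslog" perm(0644)); };
# The security log is root-only, as the post suggests.
destination d_auth { file("/var/log/secure" owner("root") group("root") perm(0600)); };
destination d_syslog   { file("/var/log/syslog"   perm(0644)); };
destination d_messages { file("/var/log/messages" perm(0644)); };

# Each log statement is evaluated independently, so a message that passes
# several filters is written once per matching statement. flags(final)
# stops processing after the first match, so mail, news and auth messages
# never reach the statements below them.
log { source(s_local); filter(f_mail); destination(d_mail); flags(final); };
log { source(s_local); filter(f_news); destination(d_news); flags(final); };
log { source(s_local); filter(f_auth); destination(d_auth); flags(final); };
# f_syslog and f_messages still overlap almost completely; the main
# difference is the LCP noise that only f_messages keeps. Keeping both
# means nearly every remaining message is written twice.
log { source(s_local); filter(f_syslog);   destination(d_syslog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
```

Because flags(final) acts on the first matching statement, the order of the log statements matters: the mail, news and auth paths must come before the catch-all ones, or the catch-alls will already have written the message by the time the final flag is reached.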