[syslog-ng] logs written twice

Nick Baronian kvetch at gmail.com
Tue Oct 31 16:29:39 CET 2006 

I setup a syslog-ng server to get logs from various boxes and devices.
 I think I am a little confused about the correct way to set this up.
I am seeing a lot of logs getting written twice.  For instance I have
some old Unix boxes logging to it and some Linux boxes.  The old Unix
boxes log to a syslog file for most stuff and the Linux boxes log most
stuff to the messages file.  I have some cisco devices that I wanted
to log to particular filename but it is getting written to the custom
filename and being duplicated to a syslog file, plus it is writing a
messages file which is not an exact duplicate for some reason.  I am
guessing my reason is because I have stuff like
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_messages { level(info .. warn) and not facility(auth,
authpriv, cron, daemon, mail); };
destination syslog { file("/u01/log/$HOST/syslog"); };
destination messages { file("/u01/log/$HOST/messages"); };

Is there a way I can duplicate the name schema the remote box is using
or do I need to say all syslog type events goto blah file and such?

My conf looks like
options
  {    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0750);
    dns_cache(no);
    keep_hostname(no);
    log_fifo_size(2048);
    log_msg_size(8192);
    perm(0640);
    stats(3600);
    sync(0);
    time_reopen (10);
    use_dns(no);
    use_fqdn(yes);  };
source src {         unix-dgram("/dev/log");
        internal();
        udp();
        tcp();    };
destination authlog { file("/u01/log/$HOST/auth.log"); };
destination syslog { file("/u01/log/$HOST/syslog"); };
destination cron { file("/u01/log/$HOST/cron.log"); };
destination daemon { file("/u01/log/$HOST/daemon.log"); };
destination kern { file("/u01/log/$HOST/kern.log"); };
destination lpr { file("/u01/log/$HOST/lpr.log"); };
destination user { file("/u01/log/$HOST/user.log"); };
destination uucp { file("/u01/log/$HOST/uucp.log"); };
destination debug { file("/u01/log/$HOST/debug"); };
destination messages { file("/u01/log/$HOST/messages"); };
destination bootlog { file("/u01/log/$HOST/boot.log"); };
destination mail { file("/u01/log/$HOST/mail.log"); };
destination maillog { file("/u01/log/$HOST/maillog"); };
destination mailinfo { file("/u01/log/$HOST/mail.info"); };
destination mailwarn { file("/u01/log/$HOST/mail.warn"); };
destination mailerr { file("/u01/log/$HOST/mail.err"); };
destination cisco_asa { file("/u01/log/$HOST/cisco_asa.log"); };
destination console { usertty("root"); };

filter cr_asa { facility(local5); };
filter pump_renewal {
   not program("pumpd") or not level(info,debug) ;  };
filter imap_debug {
   not program("imapd") or not level(info,debug) ; };
filter ipop3_debug {
   not program("ipop3d") or not level(info,debug); };
filter sshd_debug {
   not program("sshd") or not level(debug);  };
filter f_attack_alert {
        match("attackalert");  };
filter f_ssh_login_attempt {
        program("sshd.*")
        and match("(Failed|Accepted)")
        and not match("Accepted (hostbased|publickey) for
(root|zoneaxfr) from (10.4.3.1)"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(cron); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info .. warn)
        and not facility(auth, authpriv, cron, daemon, mail); };
filter f_emergency { level(emerg); };
filter f_bootlog { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(src); filter(f_daemon); destination(messages); };
log { source(src); filter(f_kern); destination(kern); };
log { source(src); filter(f_kern); destination(messages); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(messages); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); destination(maillog); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(cr_asa); destination(cisco_asa); };

Thanks,
Nick

More information about the syslog-ng mailing list