[syslog-ng] syslog-ng.conf help - syslog-ng writing everything to 'messages' in addition to $HOST.log

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Mon Aug 6 17:40:29 CEST 2007


Hello,

> All,
> 
> I'm fairly new to syslog-ng (been using syslogd for many 
> years) and I have a question with the config file syntax.
> 
> What I'm trying to do is log all remote hosts to 
> /var/log/$HOST.log while keeping the logging host's logs 
> separate.  What I'm seeing is all messages are being written 
> to /var/log/$HOST.log, including the logging system, as well 
> as to /var/log/messages.  In a single day, /var/log/messages 
> grows to over 11GB (I'm logging less than 100 devices - 
> Windows servers, routers, and switches.)
> 
> I haven't quite figured out which part of the config file is 
> causing this to happen, since I'm still going through my 
> growing pains with it.  Can someone point me in the right 
> direction with this?

[ cutting the details ]

You're referring to the same source (src) everywhere in your
config, so I would suggest removing udp() from this source
and moving it to a separate one. Then you can use this
source for the remote hosts. Something like this:

source s_remote {
	udp();
};

Later in your config file, by referring to this source, you can
differentiate between the local and the remote logs.

regards,

Sandor
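
The split suggested above, written out as a complete configuration. This is an added example, not part of the original message or the poster's actual config; the names s_local, d_messages and d_hosts and the Linux-style local source drivers are assumptions.

```conf
# Constructed example. Only s_remote/udp() and the two file paths come
# from the thread; every other name here is an assumption.

options {
    # Take $HOST from the sending address, not from the hostname field
    # inside the UDP message, which the sender fully controls.
    keep_hostname(no);
    # Check that hostnames contain only valid characters, since $HOST
    # ends up in a file name below.
    check_hostname(yes);
};

# Local messages only: no network driver in this source.
source s_local {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg");
};

# Remote messages only.
source s_remote {
    udp();
};

destination d_messages { file("/var/log/messages"); };
destination d_hosts    { file("/var/log/$HOST.log"); };

# The logging host's own messages go to /var/log/messages.
log { source(s_local); destination(d_messages); };

# Remote hosts go to their per-host file and nowhere else.
log { source(s_remote); destination(d_hosts); };
```

With one shared source, every log statement that names it receives both local and remote traffic, which is why /var/log/messages was filling with the remote hosts' messages as well.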