[syslog-ng] syslog-ng.conf help - syslog-ng writing everything to 'messages' in addition to $HOST.log
Kevin Reiter
KReiter at insidefsi.net
Mon Aug 6 19:17:35 CEST 2007
syslog-ng-bounces at lists.balabit.hu wrote:
: Hello,
:
:: All,
::
:: I'm fairly new to syslog-ng (been using syslogd for many
:: years) and I have a question with the config file syntax.
::
:: What I'm trying to do is log all remote hosts to
:: /var/log/$HOST.log while keeping the logging host's logs
:: separate. What I'm seeing is all messages are being written
:: to /var/log/$HOST.log, including the logging system, as well
:: as to /var/log/messages. In a single day, /var/log/messages
:: grows to over 11GB (I'm logging less than 100 devices -
:: Windows servers, routers, and switches.)
::
:: I haven't quite figured out which part of the config file is
:: causing this to happen, since I'm still going through my
:: growing pains with it. Can someone point me in the right
:: direction with this?
:
: [ cutting the details ]
:
: You're referring to the same source (src) everywhere in your
: config, so I would like to suggest to remove udp() from this
: source and move it to a separate one. Then you can use this
: source for the remote hosts. Something like this:
:
: source s_remote {
: udp();
: };
:
: Later in your conffile referring to this source you can
: differentiate between the local and the remote logs.
:
: regards,
:
: Sandor
Thanks! That seemed to do the trick. It appears now that each log entry is being duplicated, but I can live with that for the time being. Would that be the result of an extra line I have in there somewhere, or do I need to look further at the src/destination directives?
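
The source split suggested in the quoted reply, written out as a complete set of statements. This is an added example, not the poster's actual configuration (the thread cuts it); the names s_local, s_remote, d_messages and d_hosts and the local source drivers are assumptions.

```conf
# Added example: illustrative names, syslog-ng syntax of the era of this thread.

# Local messages only: the logging host's own syslog socket
# plus syslog-ng's internal messages. No network driver here.
source s_local {
    unix-stream("/dev/log");
    internal();
};

# Remote messages only: the UDP listener, moved out of the shared source.
source s_remote {
    udp();
};

# One file for the logging host, one file per remote host.
destination d_messages { file("/var/log/messages"); };
destination d_hosts    { file("/var/log/$HOST.log"); };

# Each source is referenced by exactly one log statement, so a message
# follows one path. A source that appears in two log statements is
# delivered to the destinations of both.
log { source(s_local);  destination(d_messages); };
log { source(s_remote); destination(d_hosts); };
```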