[syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
Evan Rempel
erempel at uvic.ca
Thu Jan 17 23:26:43 CET 2008
You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most directly logging hosts (no other relay syslogs).
Try using $FULLHOST_FROM or $HOST.
Evan Rempel
wiskbroom at hotmail.com wrote:
> Hello;
>
> I thought that I had all of my hosts set up to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.
>
> For instance, I have a host named linksys-1000; logs for this host get sent into:
>
> /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
>
> as well as
>
> /var/log/ABCcorp/linksys-1000/linksys-1000.log
>
> Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place; there is no filter set up like this.
>
>
> Thanks all,
>
> .vp
>
>
> Here is a sample of my config file:
>
> ###########
> # Destinations #
> ##########
>
> destination D_switch { file("/var/log/ABCcorp/switches/$FULLHOST.log" perm(0644)); };
> destination D_edge { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
> destination D_firewall { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
> destination D_router { file("/var/log/ABCcorp/routers/$FULLHOST.log" perm(0644)); };
> destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
> destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };
>
> destination D_hosts { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
>
> #######
> # Filters #
> #######
>
> destination D_db_discard { file("/var/log/discard.log"); };
>
>
> destination D_db_mysql {
> pipe("/var/log/mysql.pipe"
> template("INSERT INTO logs
> (host, facility, priority, level, tag, datetime, program, msg)
> VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
> '$PROGRAM', '$MSG' );\n") template-escape(yes)); };
>
>
> filter F_edge { host("edge*") or host("192.116.*"); };
> filter F_router { host("gw*") or host("rtr") or host("router"); };
> filter F_switch { host("sw*") or host("sw1") or host("sw2"); };
> filter F_firewall { host("^fw*"); };
> filter F_accesspoints { host("^linksys*"); };
> filter F_InternetIP { host("192.116.19.*"); };
>
> #######
> # Logs #
> #######
>
> log { source(S_udp); filter(F_switch); destination(D_switch); };
> log { source(S_udp); filter(F_router); destination(D_router); };
> log { source(S_udp); filter(F_edge); destination(D_edge); };
> log { source(S_udp); filter(F_firewall); destination(D_firewall); };
> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
>
>
> log { source(S_udp); destination(D_udp);};
> log { source(S_udp); destination(D_db_mysql); };
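
The reply above covers the host/host directory. The second copy under /var/log/ABCcorp/ comes from the unfiltered log statement that sends everything from S_udp to D_udp. The fragment below is an added example, not part of either post, showing one way to order the log statements so each host lands in a single file. It reuses S_udp, D_db_mysql and the paths from the quoted config, and assumes the filters are rewritten as anchored regular expressions.

```conf
# Added example. S_udp, D_db_mysql and the ABCcorp paths come from the quoted
# config; the S_udp source definition is not shown on the page.

# host() takes a regular expression, not a shell glob, so anchor the prefix.
filter F_switch       { host("^sw"); };
filter F_accesspoints { host("^linksys"); };

# $HOST instead of $FULLHOST, as the reply suggests, so that no
# host/host directory level is created under each class directory.
destination D_switch       { file("/var/log/ABCcorp/switches/$HOST.log" perm(0644)); };
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$HOST.log" perm(0644)); };
destination D_udp          { file("/var/log/ABCcorp/$HOST.log" perm(0644)); };

# 1. Paths that must see every message come first, because flags(final)
#    below only affects log statements that appear later in the file.
log { source(S_udp); destination(D_db_mysql); };

# 2. Per-class paths. A message that matches the filter is written here
#    and is not passed on to any later log statement.
log { source(S_udp); filter(F_switch);       destination(D_switch);       flags(final); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); flags(final); };

# 3. Catch-all last: only hosts that matched no class above arrive here.
log { source(S_udp); destination(D_udp); };
```

flags(fallback) on the catch-all would not work in this layout, because the unfiltered D_db_mysql statement already matches every message and the fallback path would never fire.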