[syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

Joe Fegan joe_fegan at hotmail.com
Fri Jan 18 15:33:26 CET 2008


> /var/log/ABCcorp/linksys-1000/linksys-1000.log

Evan Rempell said:

> You have hostname chaining enabled. In this case, the $FULLHOST macro
> expands to $HOST/$HOST for most directly logging hosts (no other relay syslogs).
>
> Try using a $FULLHOST_FROM or $HOST


Agreed - vp, please try $HOST instead of $FULLHOST in your destinations.


________________________________

From: wiskbroom at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Fri, 18 Jan 2008 08:50:48 -0500
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???




Yikes, spoke too soon, apparently I do not have hostname chaining enabled.

options
  {
    chain_hostnames(no);
    create_dirs (yes);
    dir_perm(0755);
    use_dns (yes);
    dns_cache(yes);
    dns_cache_size(1000);
    dns_cache_expire(604800);
    keep_hostname(yes);
    log_fifo_size(10000);
    log_msg_size(8192);
    long_hostnames(on);
    perm(0644);
    stats(3600);
    sync(0);
#
# Change to 1?
#   time_reopen (1);
    time_reopen (10);
    use_dns(yes);
    use_fqdn(yes);
  };

.vp





________________________________

From: wiskbroom at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Fri, 18 Jan 2008 08:48:39 -0500
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???



Thank you Evan, does hostname chaining also force multiple logging? If not, does anyone know why I am logging my data to two locations instead of just one?

By the way, any good references to writing a good .conf file for this would be greatly appreciated.

Thanks again.

.vp

> Date: Thu, 17 Jan 2008 14:26:43 -0800
> From: erempel at uvic.ca
> To: syslog-ng at lists.balabit.hu
> Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
>
> You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most
> directly logging hosts (no other relay syslogs).
>
> Try using a $FULLHOST_FROM or $HOST
>
> Evan Rempel
>
> wiskbroom at hotmail.com wrote:
>> Hello;
>>
>> I thought that I had all of my hosts set up to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.
>>
>> For instance, I have a host named linksys-1000, logs for this host get sent into:
>>
>> /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
>>
>> as well as
>>
>> /var/log/ABCcorp/linksys-1000/linksys-1000.log
>>
>> Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place, there is no filter set up like this.
>>
>>
>> Thanks all,
>>
>> .vp
>>
>>
>> Here is a sample of my config file:
>>
>> ###########
>> # Destinations #
>> ##########
>>
>> destination D_switch { file("/var/log/ABCcorp/switches/$FULLHOST.log"
>> perm(0644)); };
>> destination D_edge { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
>> destination D_firewall { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
>> destination D_router { file("/var/log/ABCcorp/routers/$FULLHOST.log"
>> perm(0644)); };
>> destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log"
>> perm(0644)); };
>> destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log"
>> perm(0644)); };
>>
>> # braces keep the macro names from swallowing the underscores that follow them
>> destination D_hosts { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
>> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
>>
>> destination D_db_discard { file("/var/log/discard.log"); };
>>
>> destination D_db_mysql {
>> pipe("/var/log/mysql.pipe"
>> template("INSERT INTO logs
>> (host, facility, priority, level, tag, datetime, program, msg)
>> VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
>> '$PROGRAM', '$MSG' );\n") template-escape(yes));
>> };
>>
>> #######
>> # Filters #
>> #######
>>
>> filter F_edge { host("edge*") or host("192.116.*"); };
>> filter F_router { host("gw*") or host("rtr") or host("router"); };
>> filter F_switch { host("sw*") or host("sw1") or host("sw2"); };
>> filter F_firewall { host("^fw*"); };
>> filter F_accesspoints { host("^linksys*"); };
>> filter F_InternetIP { host("192.116.19.*"); };
>>
>> #######
>> # Logs #
>> #######
>>
>> log { source(S_udp); filter(F_switch); destination(D_switch); };
>> log { source(S_udp); filter(F_router); destination(D_router); };
>> log { source(S_udp); filter(F_edge); destination(D_edge); };
>> log { source(S_udp); filter(F_firewall); destination(D_firewall); };
>> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
>>
>>
>> log { source(S_udp); destination(D_udp);};
>> log { source(S_udp); destination(D_db_mysql); };
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> syslog-ng maillist - syslog-ng at lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>>
>

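Added example (an editor's note, not part of the thread and not syslog-ng code): a small Python model of how syslog-ng evaluates the log {} statements in vp's config. It reproduces the two behaviours behind the symptoms above. First, host() takes a regular expression and searches the hostname with it, so the posted "sw*" matches any name containing an "s" (by this reading linksys-1000 should be landing in the switches/ file as well, which is worth checking on the box), "gw*" any name containing a "g", and "^fw*" any name starting with "f". Second, each log statement is evaluated on its own, so the unfiltered log { source(S_udp); destination(D_udp); } receives every message in addition to whatever the filtered statements already took; that is the second copy vp sees. The model also expands $FULLHOST the way Evan describes, which is where the linksys-1000/linksys-1000.log directory comes from. The hostnames other than linksys-1000 and the corrected rule set are my constructions for the demonstration.

```python
"""Routing model for the log {} statements posted in this thread.

Added example, not syslog-ng code. It reproduces two documented syslog-ng
behaviours using only the rules visible in the posted config:
  1. host() takes a regular expression and *searches* the hostname with it, so
     an unanchored "sw*" matches any name containing an "s".
  2. Every log {} statement is evaluated independently; a statement without a
     filter (the D_udp one) sees every message unless it carries
     flags(fallback) or an earlier matching statement carries flags(final).
Hostnames other than linksys-1000 are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class LogPath:
    dest: str                                           # destination name, e.g. "D_switch"
    patterns: List[str] = field(default_factory=list)   # host() regexes OR-ed together; empty = no filter
    final: bool = False                                 # flags(final): stop evaluating later statements
    fallback: bool = False                              # flags(fallback): only if nothing matched so far


def host_matches(patterns: List[str], host: str) -> bool:
    """syslog-ng's host() filter: a regex search, unanchored unless ^ or $ is written."""
    return not patterns or any(re.search(p, host) for p in patterns)


def route(paths: List[LogPath], host: str) -> List[str]:
    """Destinations a message with $HOST == host reaches, in statement order."""
    reached, matched = [], False
    for path in paths:
        if path.fallback and matched:
            continue                      # fallback paths only see unmatched messages
        if not host_matches(path.patterns, host):
            continue
        reached.append(path.dest)
        matched = True
        if path.final:
            break                         # flags(final): no later statement is consulted
    return reached


def expand(template: str, host: str, host_from: str, chain_hostnames: bool) -> str:
    """Expand $FULLHOST and $HOST in a file() template.

    With chain_hostnames(yes) $FULLHOST is "<sending host>/<host in message>".
    For a host that logs directly both parts are the same name, which is the
    "$HOST/$HOST" Evan describes, and "$FULLHOST.log" becomes dir/file.
    """
    fullhost = f"{host_from}/{host}" if chain_hostnames else host
    return template.replace("$FULLHOST", fullhost).replace("$HOST", host)


# The filters exactly as posted (regex syntax, unanchored), in posted order.
POSTED = [
    LogPath("D_switch", ["sw*", "sw1", "sw2"]),
    LogPath("D_router", ["gw*", "rtr", "router"]),
    LogPath("D_edge", ["edge*", "192.116.*"]),
    LogPath("D_firewall", ["^fw*"]),
    LogPath("D_accesspoints", ["^linksys*"]),
    LogPath("D_udp"),        # no filter: every message lands here as well
    LogPath("D_db_mysql"),   # no filter, intentionally: everything goes to the DB
]

# Constructed correction: anchored prefixes and a fallback catch-all file.
CORRECTED = [
    LogPath("D_switch", [r"^sw"]),
    LogPath("D_router", [r"^(gw|rtr|router)"]),
    LogPath("D_edge", [r"^edge", r"^192\.116\."]),
    LogPath("D_firewall", [r"^fw"]),
    LogPath("D_accesspoints", [r"^linksys"]),
    LogPath("D_udp", fallback=True),   # only hosts no specific filter claimed
    LogPath("D_db_mysql"),
]

# linksys-1000 is from the thread; the rest are constructed.
HOSTS = ["linksys-1000", "sw1", "gw-main", "logger", "webserver", "192.116.19.7"]


def report(paths: List[LogPath]) -> dict:
    """Map each sample host to the destinations it reaches under `paths`."""
    return {h: route(paths, h) for h in HOSTS}


if __name__ == "__main__":
    for name, paths in (("posted", POSTED), ("corrected", CORRECTED)):
        print(f"--- {name} ---")
        for host, dests in report(paths).items():
            print(f"{host:14} -> {', '.join(dests)}")
    tmpl = "/var/log/ABCcorp/$FULLHOST.log"   # the D_udp destination as posted
    print(expand(tmpl, "linksys-1000", "linksys-1000", chain_hostnames=True))
    print(expand(tmpl, "linksys-1000", "linksys-1000", chain_hostnames=False))
```

The corrected set is what the same statements look like with anchored patterns and with the catch-all marked flags(fallback) (or, equivalently, flags(final) on each specific statement and the catch-all placed last); in syslog-ng syntax that is filter F_switch { host("^sw"); }; and log { source(S_udp); destination(D_udp); flags(fallback); };. Both flags are in the 2.0 log-path syntax, but check the reference for the version in use. One more thing to verify against that version: in the options block posted above, chain_hostnames(no) is followed by long_hostnames(on), and as far as I know long_hostnames() is the older spelling of chain_hostnames() in syslog-ng 1.6/2.x, so the later line would turn chaining back on, which is consistent with the host/host path still appearing.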

