[syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
wiskbroom at hotmail.com
Fri Jan 18 17:37:50 CET 2008
Ah! So, if I want to log to my database, as well as just *one* other flat file location, then I should place my destination for DB first, followed by the others for flat files, each with its own 'final' statement?
destination D_db_mysql {pipe("/var/log/mysql.pipe" template("INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes)); };
destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); final };
destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); final };
Is this the correct location for final?
Thanks again,
.vp
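An added example (not code from this thread or from syslog-ng itself): a small Python model of the log-path behaviour Joe describes in the reply quoted below, run against the original ordering and the ordering proposed above. It assumes syslog-ng's real placement of final, which is the flags(final) option of a log statement rather than an option inside a destination, and simplifies the thread's host() patterns to ^sw and ^linksys.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class LogPath:
    destination: str            # e.g. "D_accesspoints"
    host_regex: Optional[str]   # pattern of the host() filter; None = no filter (catch-all)
    final: bool = False         # models flags(final) on this log statement


def route(paths: list, host: str) -> list:
    """Return, in order, the destinations a message from `host` reaches."""
    hit = []
    for path in paths:
        # syslog-ng host() filters are regular expressions matched anywhere in the name
        if path.host_regex is not None and not re.search(path.host_regex, host):
            continue
        hit.append(path.destination)
        if path.final:
            break  # flags(final): later log statements never see this message
    return hit


def to_config(paths: list, source: str = "S_udp") -> str:
    """Render the paths as syslog-ng log statements (filter names are assumed)."""
    out = []
    for p in paths:
        parts = [f"source({source});"]
        if p.host_regex is not None:
            parts.append(f"filter(F_{p.destination[2:]});")
        parts.append(f"destination({p.destination});")
        if p.final:
            parts.append("flags(final);")
        out.append("log { " + " ".join(parts) + " };")
    return "\n".join(out)


# Order used in the original post: specific paths, then both catch-alls, no final.
ORIGINAL = [LogPath("D_switch", r"^sw"), LogPath("D_accesspoints", r"^linksys"),
            LogPath("D_udp", None), LogPath("D_db_mysql", None)]

# Order proposed above: database first (no final, so every message is recorded),
# each specific file path with final, and the generic file path as the fallback.
PROPOSED = [LogPath("D_db_mysql", None),
            LogPath("D_switch", r"^sw", final=True),
            LogPath("D_accesspoints", r"^linksys", final=True),
            LogPath("D_udp", None)]
```

With ORIGINAL a message from linksys-1000 reaches D_accesspoints, D_udp and D_db_mysql; with PROPOSED it reaches D_db_mysql and D_accesspoints only, while a host no filter matches falls through to D_udp.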
> From: joe_fegan at hotmail.com
> To: syslog-ng at lists.balabit.hu
> Date: Fri, 18 Jan 2008 14:20:49 +0000
> Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
>
>
> > log { source(S_udp); filter(F_switch); destination(D_switch); };
> > log { source(S_udp); filter(F_router); destination(D_router); };
> > log { source(S_udp); filter(F_edge); destination(D_edge); };
> > log { source(S_udp); filter(F_firewall); destination(D_firewall); };
> > log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
> >
> > log { source(S_udp); destination(D_udp);};
> > log { source(S_udp); destination(D_db_mysql); };
> ...
> > does anyone know why I am logging my data to two locations instead of just one?
>
>
> Incoming messages are sent along *all* log paths that match. Every message that arrives from S_udp will be sent to D_udp and also to D_db_mysql. Some of those messages will also be sent along some of the more specific paths. If you don't want this to happen you can use the "final" keyword on the more specific paths.
>
> > I have a host named linksys-1000, logs for this host get sent into:
> >
> > /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
> >
> > as well as
> >
> > /var/log/ABCcorp/linksys-1000/linksys-1000.log
>
> Here's the reason:
>
> > destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
> > destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };
>
> > log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
> > log { source(S_udp); destination(D_udp);};
>
> udp messages from linksys-1000 will be sent along both of these paths because they match both.
>
> Joe.
>
> ________________________________
>
> From: wiskbroom at hotmail.com
> To: syslog-ng at lists.balabit.hu
> Date: Fri, 18 Jan 2008 08:48:39 -0500
> Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
>
> Thank you Evan, does hostname chaining also force multiple logging? If now, does anyone know why I am logging my data to two locations instead of just one?
>
> By the way, any good references to writing a good .conf file for this would be greatly appreciated.
>
> Thanks again.
>
> .vp
>
> > Date: Thu, 17 Jan 2008 14:26:43 -0800
> > From: erempel at uvic.ca
> > To: syslog-ng at lists.balabit.hu
> > Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
> >
> > You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most
> > directly logging hosts (no other relay syslogs).
> >
> > Try using a $FULLHOST_FROM or $HOST
> >
> > Evan Rempel
> >
> > wiskbroom at hotmail.com wrote:
> >> Hello;
> >>
> >> I thought that I had all of my hosts setup to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.
> >>
> >> For instance, I have a host named linksys-1000, logs for this host get sent into:
> >>
> >> /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
> >>
> >> as well as
> >>
> >> /var/log/ABCcorp/linksys-1000/linksys-1000.log
> >>
> >> Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place, there is no filter setup like this.
> >>
> >>
> >> Thanks all,
> >>
> >> .vp
> >>
> >>
> >> Here is a sample of my config file:
> >>
> >> ###########
> >> # Destinations #
> >> ##########
> >>
> >> destination D_switch { file("/var/log/ABCcorp/switches/$FULLHOST.log"
> >> perm(0644)); };
> >> destination D_edge { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
> >> destination D_firewall { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
> >> destination D_router { file("/var/log/ABCcorp/routers/$FULLHOST.log"
> >> perm(0644)); };
> >> destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log"
> >> perm(0644)); };
> >> destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log"
> >> perm(0644)); };
> >>
> >> # Braces keep each macro name from swallowing the "_" separator (otherwise $FACILITY_ is read as one macro name)
> >> destination D_hosts { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}"
> >> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
> >>
> >> #######
> >> # Filters #
> >> #######
> >>
> >> destination D_db_discard { file("/var/log/discard.log"); };
> >>
> >>
> >> destination D_db_mysql {
> >> pipe("/var/log/mysql.pipe"
> >> template("INSERT INTO logs
> >> (host, facility, priority, level, tag, datetime, program, msg)
> >> VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
> >> '$PROGRAM', '$MSG' );\n") template-escape(yes)); };
> >>
> >>
> >> filter F_edge { host("edge*") or host("192.116.*"); };
> >> filter F_router { host("gw*") or host("rtr") or host("router"); };
> >> filter F_switch { host("sw*") or host("sw1") or host("sw2"); };
> >> filter F_firewall { host("^fw*"); };
> >> filter F_accesspoints { host("^linksys*"); };
> >> filter F_InternetIP { host("192.116.19.*"); };
> >>
> >> #######
> >> # Logs #
> >> #######
> >>
> >> log { source(S_udp); filter(F_switch); destination(D_switch); };
> >> log { source(S_udp); filter(F_router); destination(D_router); };
> >> log { source(S_udp); filter(F_edge); destination(D_edge); };
> >> log { source(S_udp); filter(F_firewall); destination(D_firewall); };
> >> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
> >>
> >>
> >> log { source(S_udp); destination(D_udp);};
> >> log { source(S_udp); destination(D_db_mysql); };
> >>
> >> _______________________________________________
> >> syslog-ng maillist - syslog-ng at lists.balabit.hu
> >> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> >>
> >
> >
>
>