[syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

Joe Fegan joe_fegan at hotmail.com
Fri Jan 18 18:48:57 CET 2008


No, "final" goes into the "log" statement. It means "if you decide to follow
this path then don't bother evaluating any others".

In principle you have the right idea though; put the "always" paths first
then the optional ones. It will probably perform slightly better if you put
the options most likely to be chosen higher in the list.

> I want to log to my database, as well as just *one* other flat file location

Try this ordering:

log { source(S_udp); destination(D_db_mysql); };
log { source(S_udp); filter(F_switch); destination(D_switch); flags(final); };
log { source(S_udp); filter(F_router); destination(D_router); flags(final); };
log { source(S_udp); filter(F_edge); destination(D_edge); flags(final); };
log { source(S_udp); filter(F_firewall); destination(D_firewall); flags(final); };
log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); flags(final); };
log { source(S_udp); destination(D_udp);};

D_udp will get only messages that didn't match one of the more specific filters.
I think this was your intention. If you want D_udp to get all messages then
move it up to the top with D_db_mysql.
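As an added illustration of the routing rule Joe describes (this is not code from the thread or from syslog-ng itself): a small Python model of ordered log paths with flags(final), using the thread's filter and destination names, with the host() filters simplified to regular expressions on the host name.

```python
import re
from dataclasses import dataclass

@dataclass
class LogPath:
    """One syslog-ng log {} statement, reduced to what matters for routing."""
    destination: str
    host_filter: str = ""   # regex on $HOST; empty means no filter() on the path
    final: bool = False     # flags(final) on this log statement

def route(host, paths):
    """Destinations a message from `host` reaches: every matching path in order,
    stopping after the first matching path that carries final."""
    delivered = []
    for p in paths:
        if p.host_filter and not re.search(p.host_filter, host):
            continue
        delivered.append(p.destination)
        if p.final:
            break
    return delivered

# Filters from the thread, rendered as regexes (assumption: the thread's
# host("^linksys*") is treated here as a plain anchored regex).
F_SWITCH = r"^sw"
F_ROUTER = r"^gw|^rtr$|^router$"
F_FIREWALL = r"^fw"
F_ACCESSPOINTS = r"^linksys"

# The original ordering: no final flags, both catch-alls last.
ORIGINAL = [
    LogPath("D_switch", F_SWITCH),
    LogPath("D_router", F_ROUTER),
    LogPath("D_firewall", F_FIREWALL),
    LogPath("D_accesspoints", F_ACCESSPOINTS),
    LogPath("D_udp"),
    LogPath("D_db_mysql"),
]

# Joe's ordering: always-on DB path first, specific paths with final,
# D_udp last so it only sees what nothing more specific claimed.
FIXED = [
    LogPath("D_db_mysql"),
    LogPath("D_switch", F_SWITCH, final=True),
    LogPath("D_router", F_ROUTER, final=True),
    LogPath("D_firewall", F_FIREWALL, final=True),
    LogPath("D_accesspoints", F_ACCESSPOINTS, final=True),
    LogPath("D_udp"),
]
```

route("linksys-1000", ORIGINAL) returns D_accesspoints, D_udp and D_db_mysql, which is the double logging the thread started with; route("linksys-1000", FIXED) returns only D_db_mysql and D_accesspoints, and an unmatched host falls through to D_db_mysql and D_udp.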

________________________________

From: wiskbroom at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Fri, 18 Jan 2008 11:37:50 -0500
Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???

Ah!  So, if I want to log to my database, as well as just *one* other flat file location, then I should place my destination for DB first, followed by the others for flat files, each with its own 'final' statement?

destination D_db_mysql {pipe("/var/log/mysql.pipe" template("INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes)); };

destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); final };

destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); final };

Is this the correct location for final?

Thanks again,

.vp


> From: joe_fegan at hotmail.com
> To: syslog-ng at lists.balabit.hu
> Date: Fri, 18 Jan 2008 14:20:49 +0000
> Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
>
>
>> log { source(S_udp); filter(F_switch); destination(D_switch); };
>> log { source(S_udp); filter(F_router); destination(D_router); };
>> log { source(S_udp); filter(F_edge); destination(D_edge); };
>> log { source(S_udp); filter(F_firewall); destination(D_firewall); };
>> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
>>
>> log { source(S_udp); destination(D_udp);};
>> log { source(S_udp); destination(D_db_mysql); };
> ...
>> does anyone know why I am logging my data to two locations instead of just one?
>
>
> Incoming messages are sent along *all* log paths that match. Every message that arrives from S_udp will be sent to D_udp and also to D_db_mysql. Some of those messages will also be sent along some of the more specific paths. If you don't want this to happen you can use the "final" keyword on the more specific paths.
>
>> I have a host named linksys-1000, logs for this host get sent into:
>>
>> /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
>>
>> as well as
>>
>> /var/log/ABCcorp/linksys-1000/linksys-1000.log
>
> Here's the reason:
>
>> destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
>> destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };
>
>> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
>> log { source(S_udp); destination(D_udp);};
>
> udp messages from linksys-1000 will be sent along both of these paths because they match both.
>
> Joe.
>
> ________________________________
>
> From: wiskbroom at hotmail.com
> To: syslog-ng at lists.balabit.hu
> Date: Fri, 18 Jan 2008 08:48:39 -0500
> Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
>
> Thank you Evan, does hostname chaining also force multiple logging? If not, does anyone know why I am logging my data to two locations instead of just one?
>
> By the way, any good references to writing a good .conf file for this would be greatly appreciated.
>
> Thanks again.
>
> .vp
>
>> Date: Thu, 17 Jan 2008 14:26:43 -0800
>> From: erempel at uvic.ca
>> To: syslog-ng at lists.balabit.hu
>> Subject: Re: [syslog-ng] Hosts Logging Into Multiple Destinations (files) Bad Filter???
>>
>> You have hostname chaining enabled. In this case, the $FULLHOST macro expands to $HOST/$HOST for most
>> directly logging hosts (no other relay syslogs).
>>
>> Try using a $FULLHOST_FROM or $HOST
>>
>> Evan Rempel
>>
>> wiskbroom at hotmail.com wrote:
>>> Hello;
>>>
>>> I thought that I had all of my hosts set up to log into /var/log/ABCcorp/$FULLHOST/$FULLHOST.log by default if not already defined by another filter, but I am seeing that they log to multiple destinations instead.
>>>
>>> For instance, I have a host named linksys-1000, logs for this host get sent into:
>>>
>>> /var/log/ABCcorp/accesspoints/linksys-1000/linksys-1000.log
>>>
>>> as well as
>>>
>>> /var/log/ABCcorp/linksys-1000/linksys-1000.log
>>>
>>> Also, I do not understand how /var/log/ABCcorp/$FULLHOST/$FULLHOST.log gets created and used in the first place; there is no filter set up like this.
>>>
>>>
>>> Thanks all,
>>>
>>> .vp
>>>
>>>
>>> Here is a sample of my config file:
>>>
>>> ###########
>>> # Destinations #
>>> ##########
>>>
>>> destination D_switch { file("/var/log/ABCcorp/switches/$FULLHOST.log" perm(0644)); };
>>> destination D_edge { file("/var/log/ABCcorp/edge_devices/$FULLHOST.log" perm(0644)); };
>>> destination D_firewall { file("/var/log/ABCcorp/firewalls/$FULLHOST.log" perm(0644)); };
>>> destination D_router { file("/var/log/ABCcorp/routers/$FULLHOST.log" perm(0644)); };
>>> destination D_accesspoints { file("/var/log/ABCcorp/accesspoints/$FULLHOST.log" perm(0644)); };
>>> destination D_udp { file("/var/log/ABCcorp/$FULLHOST.log" perm(0644)); };
>>>
>>> destination D_hosts { file("/var/log/ABCcorp/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
>>> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
>>>
>>> #######
>>> # Filters #
>>> #######
>>>
>>> destination D_db_discard { file("/var/log/discard.log"); };
>>>
>>>
>>> destination D_db_mysql {
>>> pipe("/var/log/mysql.pipe"
>>> template("INSERT INTO logs
>>> (host, facility, priority, level, tag, datetime, program, msg)
>>> VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
>>> '$PROGRAM', '$MSG' );\n") template-escape(yes)); };
>>>
>>>
>>> filter F_edge { host("edge*") or host("192.116.*"); };
>>> filter F_router { host("gw*") or host("rtr") or host("router"); };
>>> filter F_switch { host("sw*") or host("sw1") or host("sw2"); };
>>> filter F_firewall { host("^fw*"); };
>>> filter F_accesspoints { host("^linksys*"); };
>>> filter F_InternetIP { host("192.116.19.*"); };
>>>
>>> #######
>>> # Logs #
>>> #######
>>>
>>> log { source(S_udp); filter(F_switch); destination(D_switch); };
>>> log { source(S_udp); filter(F_router); destination(D_router); };
>>> log { source(S_udp); filter(F_edge); destination(D_edge); };
>>> log { source(S_udp); filter(F_firewall); destination(D_firewall); };
>>> log { source(S_udp); filter(F_accesspoints); destination(D_accesspoints); };
>>>
>>>
>>> log { source(S_udp); destination(D_udp);};
>>> log { source(S_udp); destination(D_db_mysql); };
>>>
>>> _______________________________________________
>>> syslog-ng maillist - syslog-ng at lists.balabit.hu
>>> https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>>>
>>
>
