[syslog-ng] log route problem

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Thu Jun 5 11:20:02 CEST 2008


Hi,

> I setup client with mostly default settings. To log to remote server
> I added (remote server listens on 514 as by default):
>
> log { destination(d_remote); flags(catchall); };

Are you sure that catchall is what you really need? Not fallback?

> this used to work pretty ok. So now I wanted to log xferlog too. Set
> the source:
>
> source s_ftp_xfer  { file("/var/log/proftpd/xferlog" follow_freq(2)
> flags(no-parse)); };
> destination d_remote_515 { tcp('x.x.x.x' port(515)); };
> log { source(s_ftp_xfer); destination(d_remote_515); };

A flags(final) might be useful here, otherwise the catchall above will
cause log duplication.

> Port 515 is intentional here for other reasons. On the server:
>
> source s_xferlog {tcp( ip(0.0.0.0) port(515)); };
> template t_ftp { template("$MSG\n"); template_escape(no); };
> destination df_ftp_xfer { ("/<PATH>/xferlog" template(t_ftp)); };
> filter f_proftpd { program('^proftpd$'); };
> log {
>          source(s_xferlog);
>          filter( f_proftpd );
>          destination(df_ftp_xfer);
>          flags(final);
> };

I think the filter here is redundant while you're using port 515 only
for getting proftpd logs.

> My problem is that everytime xferlog entry arrives to the server
> it's being added to xferlog as expected, but it also goes into syslog
> and console. I am stuck to find out why. There's no other rule that
> touches s_xferlog on the server. Any hints appreciated.

syslog duplication is OK as I mentioned above. But the console isn't OK.
This shouldn't happen. Nothing should go to the console by default, only
kernel messages printed by the kernel itself. Are you sure you don't have
any usertty() destinations in your config which could cause logging to
the console?

Regards,

Sandor
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.


More information about the syslog-ng mailing list