[syslog-ng] How to deal with duplicate log entries

Wed Jul 21 21:16:39 CEST 2010

Hi,

I don't know what solaris does, but have you tried a simple config like this?

log { source (s_streams);       filter (f_mail); filter (f_debug); destination (l_syslog);   };
log { source (s_streams);       filter (f_auth); filter (f_info); destination (l_authlog);  };    
log { source (s_streams); destination (l_messages); };

If there are specific things you don't want in l_messages you can filter them out (as opposed to filtering stuff in). The right approach depends on how many messages you want (or don't want) in l_messages.

Another trick I've seen to squash messages is using a destination that equates to '/dev/null' and the flags(final); setting to ditch messages that you don't want.

>>> Chuck <chuck.carson at gmail.com> 07/21/10 12:01 PM >>>
I have the following log statgements.. (Im basically trying to mirror what
solaris 10's default syslogl.conf does):

log { source (s_streams);       filter (f_emerg);
destination (l_messages); };
log { source (s_streams);       filter (f_err);
destination (l_messages); };
log { source (s_streams);       filter (f_kern); filter (f_debug);
destination (l_messages); };
log { source (s_streams);       filter (f_daemon); filter (f_notice);
destination (l_messages); };
log { source (s_streams);       filter (f_mail); filter (f_crit);
destination (l_messages); };
log { source (s_streams);       filter (f_mail); filter (f_debug);
destination (l_syslog);   };
log { source (s_streams);       filter (f_auth); filter (f_info);
destination (l_authlog);  };    # sshd logging

However when sending to daemon.err I get duplicate messages...

Should I change line 2 to this:
log { source (s_streams);       filter (f_err);   filter (not f_daemon)
                     destination (l_messages); };

Or should I hard-code every facility like so:
log { source (s_streams);       filter (f_err);   filter (f_daemon)
                     destination (l_messages); };
log { source (s_streams);       filter (f_err);   filter (f_mail)
                     destination (l_messages); };
log { source (s_streams);       filter (f_err);   filter (f_auth)
                     destination (l_messages); };
...
and so on?

Thx,.CC