[syslog-ng] Syslog-ng writes log entries to 2 different logs

Burton Simonds burton at simondsfamily.com
Mon Sep 20 18:58:47 CEST 2010


I am using syslog-ng 3.1.2 and I am having a problem that I cannot figure out.

Our network gear sends messages to syslog-ng, and then it filters them
based on device type, and name.

There is one firewall that is matching both the firewalls filter and
the switches filter, and is subsequently writing to both locations.

In the example below, host 1.2.3.5 is logging to both the switches
log dir and the firewalls log dir even though it is only referenced in
the firewalls filter.

Other than the obvious possibilities (yes, I have confirmed that the
IP address is only referenced in one filter), does anyone have any
ideas on what I should look at?

Thanks,
Burton

Our filters look like this (each host filter has several addresses in it):
filter f_firewalls {
    host(1.2.3.4)
    or host(1.2.3.5);
};

filter f_switches {
    host(9.8.7.6)
    or host(9.8.7.5);
};

destination d_firewalls {
    file("/path/to/logs/fw/$YEAR/MONTH/$HOST-$YEAR$MONTH$DAY"
         create_dirs(yes)
         owner(log_owner)
         group(log_group)
         dir_perm(0775)
         perm(0664)
    );
};

destination d_switches {
    file("/path/to/logs/sw/$YEAR/MONTH/$HOST-$YEAR$MONTH$DAY"
         create_dirs(yes)
         owner(log_owner)
         group(log_group)
         dir_perm(0775)
         perm(0664)
    );
};

log { source(s_network); filter(f_firewalls); destination(d_firewalls); };
log { source(s_network); filter(f_switches); destination(d_switches); };

Version info:
syslog-ng 3.1.2
Installer-Version: 3.1.2
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.1#master#8bf13c304b6ab5fc1a372b49d55c78370efe14ca
Compile-Date: Aug  3 2010 11:16:08
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: on

