[syslog-ng] Some messages are missing
Sandor Geller
Sandor.Geller at morganstanley.com
Mon Mar 14 14:15:14 CET 2011
Hi,
On Mon, Mar 14, 2011 at 3:38 AM, Tinnis G <tinnisg at gmail.com> wrote:
> Hi,
>
> I am not getting all the messages in the message log files . If someone
> helps me , it will be really appreciated.
> We have remote servers , where we are keeping the log files too.
>
> I feel that the problem is in the filter. Please correct me. I want all
> the logs will be reported .
Could you be more specific like what kind of messages are missing? You
config looks like it is sending the same logs multiple times (auth
messages 3 times, authpriv 2 times) to remote hosts so it would be
surprising when something was still missing...
> ## Auth log
> destination loghost1 { tcp("log1.xx.org" port(514)); };
> destination loghost2 { tcp("log2.xx.org" port(514)); };
> destination loghost3 { tcp("log3.xx.org" port(514)); };
> filter f_auth { facility(auth); };
> log { source(src); filter(f_auth); destination(loghost1); };
> log { source(src); filter(f_auth); destination(loghost2); };
> log { source(src); filter(f_auth); destination(loghost3); };
> #
> ## Authpriv log
> destination loghost1 { tcp("log1.xx.org" port(514)); };
> destination loghost2 { tcp("log2.xx.org" port(514)); };
> destination loghost3 { tcp("log3.xx.org" port(514)); };
> filter f_authpriv { facility(auth, authpriv); };
> log { source(src); filter(f_authpriv); destination(loghost1); };
> log { source(src); filter(f_authpriv); destination(loghost2); };
> log { source(src); filter(f_authpriv); destination(loghost3); };
>
> ## Everything log
> destination loghost1 { tcp("log1.xx.org" port(514)); };
> destination loghost2 { tcp("log2.xx.org" port(514)); };
> destination loghost3 { tcp("log3.xx.org" port(514)); };
> filter f_everything { level(debug..emerg); };
> log { source(src); filter(f_everything); destination(loghost1); };
> log { source(src); filter(f_everything); destination(loghost2); };
> log { source(src); filter(f_everything); destination(loghost3); };
The above is suboptimal. If the loghosts are actually the same then
you're defining these 3 times, and also do a lot of filtering which
could get avoided. Please note that you're also redefining the
f_authpriv filter later. These definitions aren't local but global so
you should use unique names otherwise the last definition wins.
For example this below part
> destination loghost1 { tcp("log1.xx.org" port(514)); };
> destination loghost2 { tcp("log2.xx.org" port(514)); };
> destination loghost3 { tcp("log3.xx.org" port(514)); };
> filter f_authpriv { facility(auth, authpriv); };
> log { source(src); filter(f_authpriv); destination(loghost1); };
> log { source(src); filter(f_authpriv); destination(loghost2); };
> log { source(src); filter(f_authpriv); destination(loghost3); };
could get written as
destination loghosts {
tcp("log1.xx.org" port(514));
tcp("log2.xx.org" port(514));
tcp("log3.xx.org" port(514));
};
filter f_auth_authpriv {
facility(auth, authptiv);
};
log {
source(src);
filter(f_auth_authpriv);
destination(loghosts);
};
This way the filter gets evaluated only once per log message instead
of 3 times. You can have the same effect by adding multiple
destinations to a single log{} block:
log {
source(my_src);
filter(my_filter);
destination(my_first_destination);
destination(my_second_destination);
...
};
IMO the f_everything filter is redundant (doesn't exclude anything),
so you could just drop it.
I recommend reading the admin guide, your config could get optimized
further fairly easily. Configs created by tools like syslog2ng are in
need of hand-optimizing...
Regards,
Sandor
More information about the syslog-ng
mailing list