[syslog-ng] "Error checking uniqueness"

Scheidler, Balázs balazs.scheidler at balabit.com
Fri Feb 24 06:30:06 UTC 2017 

Sure, just set a value in various log paths using rewrite { set("$foo $bar"
value("output")); };

And then in the template:

template("$output\n");

Or if the syslog header in the file is ok, just rewrite the MSG part and
then you won't need a template on the destination side at all.

Bazsi

On Feb 23, 2017 18:31, "Evan Rempel" <erempel at uvic.ca> wrote:

> Can you show a simplified example of how to use a single destination but
> define different templates that write to it? I have never been able to
> figure that out and it should make some of my configs a lot easier.
>
> Evan.
>
> On 02/23/2017 08:56 AM, Scheidler, Balázs wrote:
>
> This bugs may not have surfaced in your simple examples though. The reason
> we have a unique id requirement is that we store stuff like disk buffer
> file name associated to destinations. Probably, you would not use the disk
> buffer associated with a file destination, but internally you could.
>
> An alternative solution is to define a single /var/log/audit.log
> destination and then send messages from multiple log paths. For that to
> work you'd have to construct the template associated with the destination
> files a bit earlier in the processing chain.
>
> hope this helps,
> Bazsi
>
>
>
> --
> Bazsi
>
> On Thu, Feb 23, 2017 at 5:50 PM, Noémi Ványi <sitbackandwait at gmail.com>
> wrote:
>
>> Syslog-ng stores persistent options and data in syslog-ng.persist file.
>> It contains data about drivers specified in the configuration. The drivers
>> are identified by their "settings". In your case you have three file
>> drivers which contain the same log file: "/var/log/abc/audit_log". Thus,
>> the id of that driver is not unique. To provide a unique identifier for
>> these drivers you must specify a different string in persist-name.
>>
>> For example, you could add persist-name("abcaudit") to driver d_abcaudit,
>> persist-name("abcaudit_Prio") to driver d_abcaudit_Prio and
>> persist-name("abcaudit_IPtab") to d_abcaudit_IPtab. The key is that the
>> string in persist-name is unique.
>>
>> Previously, handling multiple drivers on the same thing was broken in the
>> usage of the persist file, if I recall correctly. This persist-name option
>> was introduced to fix the problem. So, in previous versions it was buggy.
>>
>> BR,
>> kvch
>>
>>
>> On 23 February 2017 at 16:43, David Hauck <davidh at netacquire.com> wrote:
>>
>>> Hi András,
>>>
>>> On Thu, 23 Feb 2017 at 00:22:00, syslog-ng wrote:
>>> > Hi David,
>>> >
>>> > The issue with persist_name() option was mentioned (and solved)
>>> > previously in: https://github.com/balabit/syslog-
>>> > ng/issues/1275
>>>
>>> Thx, I'd seen that entry prior to my email, however, it wasn't clear to
>>> me what exactly this doing. And I wasn't able to find anything in the
>>> documentation regarding the persist-name() option. Moreover, I wasn't sure
>>> if this would work with my 'destination' specification (as seen below).
>>>
>>> What exactly does "persit-name()" do? How exactly do I specifcy this for
>>> my destination specifications below? And what has changed between these two
>>> versions to now require this option?
>>>
>>> Thanks,
>>> -David
>>>
>>> > Br,
>>> > Andras
>>> >
>>> >
>>> > On Thu, Feb 23, 2017 at 1:28 AM, David Hauck <davidh at netacquire.com>
>>> > wrote:
>>> >
>>> >
>>> >       Hi,
>>> >
>>> >       I'm in the processing or updating a distribution's v3.6.3
>>> syslog-ng
>>> > configuration to v3.9.1 and am running into some issues getting
>>> > syslog-ng started. The first one was:
>>> >
>>> >       Starting syslog-ng: Error parsing config, Error compiling
>>> template
>>> > (Unknown template function "format-json") in
>>> > /usr/share/syslog-ng/include/scl/cim/template.conf at line 23, column
>>> > 32
>>> >
>>> >       I found a reference online to fixing this by removing
>>> > /usr/share/syslog-ng/include/scl/cim and this indeed got me past this
>>> > error (hopefully this is an otherwise benign modification).
>>> >
>>> >       I'm now stuck at the following error:
>>> >
>>> >       Starting syslog-ng: [2017-02-22T08:07:50.101422] Error checking
>>> the
>>> > uniqueness of the persist names, please override it with persist-name
>>> > option. Shutting down.;
>>> > persist_name='affile_dd_writers(/var/log/abc/audit_log)',
>>> > location='/etc/syslog-ng.conf:128:33'
>>> >
>>> >       Here's snippet from my configuration file that this error message
>>> > references:
>>> >
>>> >       ...
>>> >       destination d_abcaudit         { file("/var/log/abc/audit_log"
>>> > template(t_NAFormat));        };
>>> >       destination d_abcaudit_Prio    { file("/var/log/abc/audit_log"
>>> > template(t_NAFormat_Prio));   };
>>> >       --> destination d_abcaudit_IPtab   {
>>> > file("/var/log/abc/audit_log" template(t_abcFormat_IPtab));   };
>>> >       destination d_abcmessage_Prio  { file("/dev/null"); };
>>> >       ...
>>> >
>>> >       I wasn't able to find any documentation or guidance on the
>>> > "persist-name" option. Any ideas on how I should go about fixing this
>>> > error?
>>> >
>>> >       Thanks,
>>> >       -David
>>> >
>>> > ______________________________________________________________________
>>>
>>
>
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170224/1ce0ebe3/attachment.html>

More information about the syslog-ng mailing list