[syslog-ng] Getting Logs in Triplicate
Wolfgang Braun
syslog-ng@lists.balabit.hu
Tue, 18 Jan 2005 17:57:02 +0100
On Tue, Jan 18, 2005 at 06:46:33AM -0800, Rhugga wrote:
Hi
> Getting 5 copies of each message. (was getting only 3 before, but now
> getting 5 copies of each log message)
I think the main culprit is your syslogd.conf on the Solaris machine:
> # To syslog host
> *.debug @syslog
> *.info @syslog
> *.notice @syslog
> *.warning @syslog
> *.err @syslog
> *.crit @syslog
> *.alert @syslog
> *.emerg @syslog
syslog.conf(5) on Linux says if you put priority P in a rule everything
with priority >= P will be logged. Check your syslog manual.
<man page>
The behavior of the original BSD syslogd is that all messages of the
specified priority and higher are logged according to the given
action.
</man page>
Confirmed this with OpenBSD syslog. If I have
*.* @loghost
*.debug @loghost
messages with priority >= debug are sent over the wire twice.
If this is the case you can collapse your above statements to
*.* @loghost
to get only one copy of each msg.
> Here is my entire config file:
> [...]
Just nitpicking, but I think you could collapse most of your
syslog-ng.conf if you took the 'host("xyz")' out of the filters.
Since they all go from the same source() to the same destination() with
$HOST expansion they don't really accomplish anything.
--
Wolfgang Braun, Dipl.-Inform. (FH)
<wolfgang.braun@gmx.de>
gpg-key: 1024D/4B32CE55
gpg-fingerprint: 7F0F DE82 94A5 B476 0E08 4972 AC95 31A3 4B32 CE55
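
Added example (not part of the original message): a small Python model of the "priority P and higher" selector rule quoted from the man page above, counting how many rule lines forward one message to the same destination. It assumes one send per matching rule line, as reported above for OpenBSD syslogd, and handles only single facility.priority selectors; the function names are hypothetical.

```python
from collections import Counter

# Severity order, least to most severe (standard syslog level names).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample: the forwarding rules quoted in the mail.
SAMPLE_CONF = """\
# To syslog host
*.debug @syslog
*.info @syslog
*.notice @syslog
*.warning @syslog
*.err @syslog
*.crit @syslog
*.alert @syslog
*.emerg @syslog
"""

def parse_rules(conf):
    """Return (facility, minimum level index, action) for each rule line."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        facility, _, prio = selector.partition(".")
        # "*" as a priority selects every level, i.e. debug and up.
        floor = 0 if prio == "*" else LEVELS.index(prio)
        rules.append((facility, floor, action.strip()))
    return rules

def copies(conf, facility, level):
    """Count how many rule lines fire per action for one message."""
    sev = LEVELS.index(level)
    hits = Counter()
    for fac, floor, action in parse_rules(conf):
        if fac in ("*", facility) and sev >= floor:
            hits[action] += 1  # assumption: one send per matching line
    return dict(hits)

def duplicated(conf, facility="user"):
    """Levels at which some action fires more than once, with the count."""
    worst = {lv: max(copies(conf, facility, lv).values(), default=0) for lv in LEVELS}
    return {lv: n for lv, n in worst.items() if n > 1}

if __name__ == "__main__":
    print(duplicated(SAMPLE_CONF))
```

Under this model the eight quoted rules give 3 copies of a notice message and 5 copies of an err message, while a single *.* rule gives one copy at every level.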