SUMMARY: Syslog messages sent to loghost more than once

From: Walter Heukels <walterhe_at_kpn.net>
Date: Fri May 09 2003 - 09:35:44 EDT

Well, opinions were quick and unanimous; the clue is in fact in the
syslog.conf manpage:

     syslogd(1M) will log all mail system messages  except  debug
     messages  and  all  notice  (or higher) messages into a file

I've read this dozens of times, but every time I missed the (or higher)
part, probably because, as john65 at pobox.com pointed out, this is
different from the way it works on Linux and *BSD, with which I have more
extensive syslog experience.

The problem was that my *.alert messages were being matched by every rule,
hence the five copies, and *.info was only matched by the first rule so it
only went out once. It all seems so obvious in retrospect...

Thanks to Johan Hartzenberg, Martin Schmitt, john65, Casper Dik, and Ray
Pasetes. No thanks at all to the 17(!) people who immediately responded to
tell me they are out of the office today.

My original question:

> I'm having an interesting problem with a remote syslog setup. My
> syslog.conf contains the following:
>
> *.info                                          @loghost
> *.err                                           @loghost
> *.notice                                        @loghost
> *.crit                                          @loghost
> *.emerg                                         @loghost
> *.alert                                         @loghost
>
> I haven't removed any of the default entries, so everything is still
> being logged locally, and this works as expected. (I've reproduced the
> full syslog.conf below.)
>
> (Yes, those are tabs, and loghost is properly defined (only once) in
> /etc/hosts.) If you're wondering why I've listed everything on separate
> lines, it's because I ran into even stranger problems when I put them
> all on one line.
>
> The funny thing is that some log priorities are sent multiple times to
> the loghost. For instance, tcpdump shows the following when I run logger
> -p local2.alert "syslog test":
>
> [root@hostname ~]# /opt/sfw/sbin/tcpdump host loghost
> tcpdump: listening on eri0
> 14:19:46.136303 hostname.45851 > loghost.syslog:  udp 67 (DF)
> 14:19:46.136492 hostname.45852 > loghost.syslog:  udp 67 (DF)
> 14:19:46.136634 hostname.45853 > loghost.syslog:  udp 67 (DF)
> 14:19:46.136705 hostname.45854 > loghost.syslog:  udp 67 (DF)
> 14:19:46.137496 hostname.45856 > loghost.syslog:  udp 67 (DF)
>
> And indeed the message shows up five times on the loghost.
>
> Priority mail.info works fine, though.
>
> Does anyone have any clue as to what might be causing this? I mean, I
> can imagine having inadvertently specified something twice, but five
> times?
>
> I'm seeing this problem on systems that run both Solaris 8 and 2.6. (The
> loghost runs syslog-ng on Solaris 8, but since the messages are
> obviously leaving the client multiple times I don't think this is
> relevant.)
>
> Thanks in advance, I'll summarise.
> Walter
>
> The full syslog.conf:
>
> #ident  "@(#)syslog.conf        1.5     99/02/03 SMI"   /* SunOS 5.0 */
> #
> # Copyright (c) 1991-1999 by Sun Microsystems, Inc.
> # All rights reserved.
> #
> # syslog configuration file.
> #
> # This file is processed by m4 so be careful to quote (`') names
> # that match m4 reserved words.  Also, within ifdef's, arguments
> # containing commas must be quoted.
> #
> *.err;kern.notice;auth.notice                   /dev/sysmsg
> *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
> auth.notice;auth.crit;auth.info                 /var/log/authlog
>
> *.alert;kern.err;daemon.err                     operator
> *.alert                                         root
>
> *.emerg                                         *
>
> *.info                                          @loghost
> *.err                                           @loghost
> *.notice                                        @loghost
> *.crit                                          @loghost
> *.emerg                                         @loghost
> *.alert                                         @loghost
>
> # if a non-loghost machine chooses to have authentication messages
> # sent to the loghost machine, un-comment out the following line:
> #auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)
>
> #mail.debug                     ifdef(`LOGHOST', /var/log/syslog, @loghost)
>
> #
> # non-loghost machines will use the following lines to cause "user"
> # log messages to be logged locally.
> #
> ifdef(`LOGHOST', ,
> user.err                                        /dev/sysmsg
> user.err                                        /var/adm/messages
> user.alert                                      `root, operator'
> user.emerg                                      *
> )
> mail.debug                                      /var/log/syslog
Received on Fri May 9 09:35:37 2003
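
The "level (or higher)" matching from the manpage excerpt above, as an added example that is not part of the original post: a simplified Python model of selector matching (no m4 processing) that counts how many `@loghost` lines select a given message. The function names, the single-line alternative, and the "last applicable selector wins" handling of multi-selector lines are assumptions of this example.

```python
# Added example: simplified model of syslog.conf selector matching.
# Severity names in syslog order: a lower number is a more severe message.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed sample: the six forwarding lines from the quoted syslog.conf.
FORWARD_RULES = "\n".join(
    f"*.{lvl}\t@loghost"
    for lvl in ("info", "err", "notice", "crit", "emerg", "alert"))

# Constructed alternative: one line at the lowest level wanted.
SINGLE_RULE = "*.info\t@loghost"


def parse_rules(text):
    """Return [(selectors, action)] for each non-comment, non-blank line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        rules.append((selectors.split(";"), action.strip()))
    return rules


def line_matches(selectors, facility, level):
    """True if a facility.level message is selected by this line."""
    threshold = None  # least severe level this line accepts for the facility
    for selector in selectors:
        facs, sel_level = selector.rsplit(".", 1)
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue
        # Assumption of this model: the last applicable selector wins.
        threshold = None if sel_level == "none" else SEVERITY[sel_level]
    # "level or higher": the message must be at least as severe as the rule.
    return threshold is not None and SEVERITY[level] <= threshold


def copies_sent(conf_text, facility, level, action="@loghost"):
    """Count the lines that would each send one copy to `action`."""
    return sum(1 for selectors, act in parse_rules(conf_text)
               if act == action and line_matches(selectors, facility, level))


if __name__ == "__main__":
    for fac, lvl in (("local2", "alert"), ("mail", "info"), ("kern", "emerg")):
        print(fac, lvl, copies_sent(FORWARD_RULES, fac, lvl),
              copies_sent(SINGLE_RULE, fac, lvl))
```
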