Well, opinions were quick and unanimous; the clue is in fact in the syslog.conf manpage: syslogd(1M) will log all mail system messages except debug messages and all notice (or higher) messages into a file I've read this dozens of times, but every time I missed the (or higher) part, probably because, as john65 at pobox.com pointed out, this is different from the way it works on Linux and *BSD, with which I have more extensive syslog experience. The problem was that my *.alert messages were being matched by every rule, hence the five copies, and *.info was only matched by the first rule so it only went out once. It all seems so obvious in retrospect... Thanks to Johan Hartzenberg, Martin Schmitt, john65, Casper Dik, and Ray Pasetes. No thanks at all to the 17(!) people who immediately responded to tell me they are out of the office today. My original question: > I'm having an interesting problem with a remote syslog setup. My > syslog.conf contains the following: > > *.info @loghost > *.err @loghost > *.notice @loghost > *.crit @loghost > *.emerg @loghost > *.alert @loghost > > I haven't removed any of the default entries, so everything is still > being logged locally, and this works as expected. (I've reproduced the > full syslog.conf below.) > > (Yes, those are tabs, and loghost is properly defined (only once) in > /etc/hosts.) If you're wondering why I've listed everything on separate > lines, it's because I ran into even stranger problems when I put them > all on one line. > > The funny thing is that some log priorities are sent mupltime times to > the loghost. For instance, tcpdump shows the following when I run logger > -p local2.alert "syslog test": > > [root@hostname ~]# /opt/sfw/sbin/tcpdump host loghost > tcpdump: listening on eri0 > 14:19:46.136303 hostname.45851 > loghost.syslog: udp 67 (DF) > 14:19:46.136492 hostname.45852 > loghost.syslog: udp 67 (DF) > 14:19:46.136634 hostname.45853 > loghost.syslog: udp 67 (DF) > 14:19:46.136705 hostname.45854 > loghost.syslog: udp 67 (DF) > 14:19:46.137496 hostname.45856 > loghost.syslog: udp 67 (DF) > > And indeed the message shows up five times on the loghost. > > Priority mail.info works fine, though. > > Does anyone have any clue as to what might be causing this? I mean, I > can imagine having inadvertently specified something twice, but five > times? > > I'm seeing this problem on systems that run both Solaris 8 and 2.6. (The > loghost runs syslog-ng on Solaris 8, but since the messages are > obviously leaving the client multiple times I don't think this is > relevant.) > > Thanks in advance, I'll summarise. > Walter > > The full syslog.conf: > > #ident "@(#)syslog.conf 1.5 99/02/03 SMI" /* SunOS 5.0 */ > # > # Copyright (c) 1991-1999 by Sun Microsystems, Inc. > # All rights reserved. > # > # syslog configuration file. > # > # This file is processed by m4 so be careful to quote (`') names > # that match m4 reserved words. Also, within ifdef's, arguments > # containing commas must be quoted. > # > *.err;kern.notice;auth.notice /dev/sysmsg > *.err;kern.debug;daemon.notice;mail.crit /var/adm/messages > auth.notice;auth.crit;auth.info /var/log/authlog > > *.alert;kern.err;daemon.err operator > *.alert root > > *.emerg * > > *.info @loghost > *.err @loghost > *.notice @loghost > *.crit @loghost > *.emerg @loghost > *.alert @loghost > > # if a non-loghost machine chooses to have authentication messages # > sent to the loghost machine, un-comment out the following line: > #auth.notice ifdef(`LOGHOST', /var/log/authlog, > @loghost) > > #mail.debug ifdef(`LOGHOST', /var/log/syslog, > @loghost) > > # > # non-loghost machines will use the following lines to cause "user" # > log messages to be logged locally. > # > ifdef(`LOGHOST', , > user.err /dev/sysmsg > user.err /var/adm/messages > user.alert `root, operator' > user.emerg * > ) > mail.debug /var/log/syslog _______________________________________________ sunmanagers mailing list sunmanagers@sunmanagers.org http://www.sunmanagers.org/mailman/listinfo/sunmanagersReceived on Fri May 9 09:35:37 2003
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:10 EST