[Syslog-ng-maintainers] Bug#703639: "kill -HUP $(cat /var/run/syslog-ng.pid)" can cause duplicate logging issues

Evgeni Golov evgeni at debian.org
Mon Nov 3 11:14:02 GMT 2014


Hi,

On Fri, Mar 22, 2013 at 03:59:11PM +0100, Gergely Nagy wrote:

> * Fixing the configuration and reloading gets things back in order, no
>   matter how many times messages were duplicated before.

I have a heavily customized config, which does not throw any errors,
but triggers the issue on a wheezy box.

The config is for a central log-server, which gets syslog via UDP from
quite a few hosts and sorts these accordingly. Every day at logrotate
a SIGHUP is issued and my /var/log gets full. The ratio is about 1 real 
message to 3000 (yes, three thousand!) duplicates :/

A real restart solves the issue.

I hope this is helpful for you to track down the issue.
-------------- next part --------------
@version: 3.3

# First, set some global options.
options {
	# Missing directories in a destination path are created on demand. This
	# matters for the destinations below whose paths contain macros
	# ($FULLHOST, $PROGRAM), because the path is then built per message.
	create_dirs(yes);
	# Mode for directories created by create_dirs(): readable and searchable
	# by everyone. The regular log files below set perm(0640) themselves.
	dir_perm(0755);
	chain_hostnames(off);
	# 0 = write each message out as it arrives instead of batching lines.
	flush_lines(0);
	# Keep the hostname carried inside the received message instead of
	# replacing it with the name of the host it arrived from.
	# NOTE(review): for the unauthenticated udp() source this means host()
	# filters and $FULLHOST work on a sender-supplied value.
	keep_hostname(yes);
};

#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
# localsrc gathers messages produced on this host: the /dev/log datagram
# socket, syslog-ng's own internal() messages, and a second socket for postfix.
source localsrc { unix-dgram("/dev/log");
                  internal();
		  # Keep a log socket within the postfix chroot
		  unix-stream("/var/spool/postfix/dev/log");
		  };

#
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
# In this config both localsrc and remotesrc are active.
# udp() is given no ip() or port(), so the driver defaults apply (documented
# as all addresses, port 514). Plain UDP syslog has no sender authentication
# and no integrity protection.
# NOTE(review): bind to the collector's log-network address with ip() and/or
# limit senders with a packet filter; nothing in this file does so.
source remotesrc { udp(); };


# After that set destinations.

# First some standard logfile
#
# Every file in this section is owned by root:adm with mode 0640, i.e.
# writable by root, readable by group adm, no access for others.
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
destination syslogfile { file("/var/log/syslog" owner("root") group("adm") perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm") perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm") perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm") perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm") perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm") perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm") perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm") perm(0640)); };

# These files hold the logs coming from the mail subsystem.
#
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm") perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm") perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm") perm(0640)); };

# Logging for INN news system
#
destination newscrit { file("/var/log/news/news.crit" owner("root") group("adm") perm(0640)); };
destination newserr { file("/var/log/news/news.err" owner("root") group("adm") perm(0640)); };
destination newsnotice { file("/var/log/news/news.notice" owner("root") group("adm") perm(0640)); };

# Some `catch-all' logfiles.
#
destination debug { file("/var/log/debug" owner("root") group("adm") perm(0640)); };
destination messages { file("/var/log/messages" owner("root") group("adm") perm(0640)); };

# root's console.
#
# Messages go to the terminals of the logged-in user "root"; the only log
# path using this destination is the f_emergency one.
destination console { usertty("root"); };

# Virtual console.
#
# Written through file() on the tty device, with no owner/group/perm set.
# No log statement in this listing references console_all.
destination console_all { file("/dev/tty8"); };

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# destination xconsole { pipe("/dev/xconsole"); };

# Site-specific log files, all root:adm 0640 like the standard ones above.
# Paths under /var/log/cust/ rely on create_dirs(yes) if the directory is
# missing; it would then be created with dir_perm(0755).
destination ppp { file("/var/log/ppp.log" owner("root") group("adm") perm(0640)); };
destination switches { file("/var/log/switches.log" owner("root") group("adm") perm(0640)); };
destination term { file("/var/log/term.log" owner("root") group("adm") perm(0640)); };
# normal single files
destination nt { file("/var/log/nt.log" owner("root") group("adm") perm(0640)); };
destination cust_apache { file("/var/log/cust/apache.log" owner("root") group("adm") perm(0640)); };
destination cust_postgres { file("/var/log/cust/postgres.log" owner("root") group("adm") perm(0640)); };

# by-host log file
# One file per host and day: $FULLHOST and the date macros are expanded for
# each message, and create_dirs(yes) creates the host directory on first use.
# NOTE(review): with keep_hostname(yes) and the udp() source, $FULLHOST comes
# from the received message, so the number of directories and files under
# /var/log/hosts/ is not bounded by the set of real hosts. The unfiltered log
# path further down sends all remotesrc traffic here. Consider
# keep_hostname(no) on the UDP source or restricting senders at the packet
# filter, and monitor disk and inode usage for this tree.
destination d_by_host { file("/var/log/hosts/$FULLHOST/syslog-$YEAR$MONTH$DAY" owner("root") group("adm") perm(0640)); };

##
## Remote Destinations
# Plain UDP forwarding to two collectors on port 514: no encryption and no
# delivery acknowledgement.
# No log statement in this listing references d_logger01 or d_logger02.
destination d_logger01 { udp("192.0.2.111" port(514)); };
destination d_logger02 { udp("192.0.2.112" port(514)); };


# Here come the filter options. With these rules, we can set which
# messages go where.

# Routing filters.
# NOTE(review): because of keep_hostname(yes) and the udp() source, host() and
# program() below are evaluated against fields taken from the message, so they
# route by what a sender claims rather than by its network address.
filter f_switches { facility(local5); };
# Anchored at the start only: any hostname beginning "term" plus one digit.
filter f_term { host("^term[0-9]"); };
# "[0-9]*" also matches zero digits, so this matches every hostname that
# starts with "esx".
filter f_esx { host("^esx[0-9]*"); };
filter f_nt { host("^(windows|fenster)"); };
filter f_authpriv { facility(auth, authpriv); };
# Selection for /var/log/syslog: drops auth/news/mail facilities, debug level,
# the hosts handled by f_nt/f_esx/f_term (only "windows" of the two f_nt
# names), and the traffic matched by f_cust_apache / f_cust_postgres.
filter f_syslog {
	not facility(auth, authpriv, news, mail)
	and not level(debug)
	and not host("^(windows|esx[0-9]*|term[0-9])")
	and not (host("^(api|web)[ab][0-9][0-9][0-9]") and program("apache2"))
	and not (host("^dbsrv") and program("postgres"));
};
# f_cron is only used by a log statement that is commented out.
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
# Mail facility minus three connection messages that mention localhost.
filter f_mail { facility(mail)
	and not (
		message("connect from localhost") or
                message("lost connection after CONNECT from localhost") or
                message("disconnect from localhost")
	);
};
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

filter f_news { facility(news); };

# Despite the name, f_debug selects by facility only; it has no level() test.
filter f_debug { not facility(auth, authpriv, news, mail, local6, local7); };
filter f_messages { level(info .. warn) 
	and not facility(auth, authpriv, cron, daemon, mail, news, local6, local7); };
filter f_emergency { level(emerg); };

# Single-level filters, combined with facility filters in the log paths.
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

# f_cnews and f_cother are not referenced by any log statement in this listing.
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

# Excludes the customer facilities local1..local3.
# NOTE(review): local4, which f_cust_hotfix selects, is not excluded here -
# confirm that is intended.
filter f_not_cust { not facility(local1) 
		and not facility(local2) 
		and not facility(local3); };

filter f_cust_apache { host("^(api|web)[ab][0-9][0-9][0-9]") and program("apache2"); };
filter f_cust_postgres { host("^dbsrv") and program("postgres"); };

# The range debug..err leaves out crit, alert and emerg, so log paths using
# f_all do not carry the three most severe levels.
filter f_all { level(debug .. err); };                        


# Log paths. Each path attaches both localsrc and remotesrc except the last
# two, which read localsrc only. None sets flags(final), so a message is
# delivered on every path whose filters it passes.
log { source(localsrc); source(remotesrc); filter(f_authpriv); destination(authlog); };
log { source(localsrc); source(remotesrc); filter(f_syslog); destination(syslogfile); };
#log { source(localsrc); source(remotesrc); filter(f_cron); destination(cron); };
log { source(localsrc); source(remotesrc); filter(f_daemon); destination(daemon); };
log { source(localsrc); source(remotesrc); filter(f_kern); destination(kern); };
log { source(localsrc); source(remotesrc); filter(f_lpr); destination(lpr); };
log { source(localsrc); source(remotesrc); filter(f_mail); destination(mail); };
log { source(localsrc); source(remotesrc); filter(f_user); destination(user); };
log { source(localsrc); source(remotesrc); filter(f_uucp); destination(uucp); };
log { source(localsrc); source(remotesrc); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(localsrc); source(remotesrc); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(localsrc); source(remotesrc); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(localsrc); source(remotesrc); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(localsrc); source(remotesrc); filter(f_news); filter(f_err); destination(newserr); };
log { source(localsrc); source(remotesrc); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(localsrc); source(remotesrc); filter(f_debug); filter(f_not_cust); destination(debug); };
log { source(localsrc); source(remotesrc); filter(f_messages); filter(f_not_cust); destination(messages); };
log { source(localsrc); source(remotesrc); filter(f_emergency); filter(f_not_cust); destination(console); };

log { source(localsrc); source(remotesrc); filter(f_switches); destination(switches); };
log { source(localsrc); source(remotesrc); filter(f_term); destination(term); };
# NOTE(review): this path and the unfiltered by-host path below both end in
# d_by_host, so a message passing f_esx presumably reaches that destination
# twice - confirm whether this path is still wanted.
log { source(localsrc); source(remotesrc); filter(f_esx); destination(d_by_host); };
log { source(localsrc); source(remotesrc); filter(f_nt); destination(nt); };

# by-host log file
# No filter: every message from either source is written per host.
log { source(localsrc); source(remotesrc); destination(d_by_host); };

log { source(localsrc); source(remotesrc); filter(f_cust_apache); destination(cust_apache); };
log { source(localsrc); source(remotesrc); filter(f_cust_postgres); destination(cust_postgres); };
# NOTE(review): d_sam02 and d_sam01 are not defined anywhere in this listing
# (the defined remote destinations are d_logger01/d_logger02) - presumably the
# names were changed when the config was anonymised for posting; confirm.
# f_all stops at level err, so crit/alert/emerg are not sent on these paths.
log { source(localsrc); filter(f_all); destination(d_sam02); } ;
log { source(localsrc); filter(f_all); destination(d_sam01); } ;
# Graylog2
# spoof_source(yes) makes the forwarded UDP packets carry the original
# sender's address as their source, so the receiver sees the origin host
# rather than this relay; the network path must permit such packets.
destination d_graylog2 { udp("192.0.2.91" port(514) spoof_source(yes)); };
# cust Logging destinations
# Files with group("users") and perm(0640) are readable by every member of
# group users.
destination d_cust_dev { file("/var/log/cust/dev.log" owner("root") group("users") perm(0640)); };
destination d_cust_test { file("/var/log/cust/test.log" owner("root") group("users") perm(0640)); };
destination d_cust_hotfix { file("/var/log/cust/hotfixtest.log" owner("root") group("users") perm(0640)); };
# NOTE(review): the group here is "azprodlog", while d_cust_db_azprodlog
# below uses group "custprodlog" - looks like incomplete renaming when the
# config was anonymised; confirm the real group names.
destination d_cust_prod { file("/var/log/cust/prod.log" owner("root") group("azprodlog") perm(0640)); };
# cust Postgresql destinations (different access groups)
# NOTE(review): $PROGRAM is expanded from the received message and these
# destinations are fed from the udp() source. program("postgres") in the
# matching filters is not anchored, so the file name is not limited to one
# value; with create_dirs(yes) the number of files under
# /var/log/cust/postgresql/ is not bounded. Prefer a fixed file name or an
# anchored program() match.
destination d_cust_db_azprodlog { file("/var/log/cust/postgresql/$PROGRAM.log" owner("root") group("custprodlog") perm(0640)); };
destination d_cust_db_other { file("/var/log/cust/postgresql/$PROGRAM-other.log" owner("root") group("users") perm(0640)); };
destination d_cust_mail { file("/var/log/cust/mail.log" owner("root") group("users") perm(0640)); };
destination d_cust_all { file("/var/log/cust-adm/all.log" owner("root") group("adm") perm(0640)); };
# cust filter
# The host() patterns here carry no ^ or $ anchors, unlike the host() filters
# earlier in the file.
filter f_cust_mail { host(mail01) or host(mail02); };
# Environment is selected by facility: local4 hotfix, local3 dev, local2 test,
# local1 prod. program("postgres") splits database logs from application logs.
filter f_cust_hotfix  { facility(local4) and not program("postgres"); };
filter f_cust_dev  { facility(local3) and not program("postgres"); };
filter f_cust_test { facility(local2) and not program("postgres"); };
filter f_cust_prod { facility(local1) and not program("postgres"); };
# f_cust_dbdev is not referenced by any log statement in this listing.
filter f_cust_dbdev  { facility(local3) and program("postgres"); };
filter f_cust_dbtest { facility(local2) and program("postgres"); };
filter f_cust_dbprod { facility(local1) and program("postgres"); };
# filter uninteresting and lengthy postgres log messages
# Passes everything that is not from postgres, plus postgres messages at
# notice or above.
filter f_cust_interesting { level(notice .. emerg) or not program("postgres"); };
# cust logs
# These paths read remotesrc only, i.e. traffic from the unauthenticated
# udp() source; the facility and program values they filter on are set by the
# sender.
log { source(remotesrc); filter(f_cust_dev); destination(d_cust_dev); };
log { source(remotesrc); filter(f_cust_test); destination(d_cust_test); };
log { source(remotesrc); filter(f_cust_hotfix); destination(d_cust_hotfix); };
# Prod application logs are written locally and also forwarded to Graylog2.
log { source(remotesrc); filter(f_cust_prod); destination(d_cust_prod); destination(d_graylog2); };
log { source(remotesrc); filter(f_cust_dbtest); destination(d_cust_db_other); };
log { source(remotesrc); filter(f_cust_dbprod); destination(d_cust_db_azprodlog); };
log { source(remotesrc); filter(f_mail); filter(f_cust_mail); destination(d_cust_mail); destination(d_graylog2); };
# f_cust_interesting passes all non-postgres messages, so d_cust_all receives
# nearly all remote traffic.
log { source(remotesrc); filter(f_cust_interesting); destination(d_cust_all); };

