[rsyslog-notify] Forum Thread: syslog-server received dupes using a template - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Tue Sep 16 21:50:30 CEST 2014 

User: Habitual 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24934#p24934

Message: 
----------
I am having a hell of a time figuring out why my syslog-server is receiving
duplicate and triplicate messages in logs sent from remote hosts.

I have 3 hosts. 2 have rsyslogd 5.8.6 and the CentOS is 3.22 and they all
exhibit this same behavior, so this leads me to believe it is my
syslog-server's /etc/rsyslog.conf file.

On the CentOS host, I made one change to /etc/rsyslog.conf 
[code:2gtsmfxl]*.* @syslog-server:514[/code:2gtsmfxl] started the
service and sent this via logger: [code:2gtsmfxl]logger “this is a
test”[/code:2gtsmfxl]

What I got was
[code:2gtsmfxl]cat /kibana/vds64_centos55/root.log 
Sep 16 15:23:54 vds64_centos55 root: “this is a test”
Sep 16 15:23:54 vds64_centos55 root: “this is a test”
Sep 16 15:23:54 vds64_centos55 root: “this is a
test[/code:2gtsmfxl]

My syslog-server's /etc/rsyslog.conf is
[code:2gtsmfxl]module(load="imuxsock") 
module(load="imklog")   
module(load="imudp") 

$template RemoteHost, "/kibana/%HOSTNAME%/%PROGRAMNAME%.log"

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RuleSet local
kern.*                                                 
/var/log/messages
*.info;mail.none;authpriv.none;cron.none               
/var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                 
-/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                
:omusrmsg:*
uucp,news.crit                                         
/var/log/spooler
local7.*                                               
/var/log/boot.log
$DefaultRuleset local

$RuleSet remote
kern.*                                                  ?RemoteHost
*.info;mail.none;authpriv.none;cron.none               
?RemoteHost
authpriv.*                                              ?RemoteHost
mail.*                                                  -?RemoteHost
cron.*                                                  ?RemoteHost
*.emerg                                                
:omusrmsg:*
uucp,news.crit                                          ?RemoteHost

*.* ?RemoteHost
authpriv.*   ?RemoteHost
*.info,mail.none,authpriv.none,cron.none   ?RemoteHost

$InputUDPServerBindRuleset remote
$UDPServerRun 514[/code:2gtsmfxl]

I'm suffering from Analysis Paralysis on this issue and I would appreciate
anyone's help on this.

I ran a [code:2gtsmfxl]rsyslogd -m5 -dn > logfile.txt[/code:2gtsmfxl]
and it is attached.

Thank you for your time.

More information about the rsyslog-notify mailing list