[rsyslog-notify] Forum Thread: syslog-server receives dupes using a template - (Mode 'edit_topic')

noreply at adiscon.com noreply at adiscon.com
Tue Sep 16 21:51:19 CEST 2014 

User: Habitual 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24934#p24934

Message: 
----------
I am having a hell of a time figuring out why my syslog-server is receiving
duplicate and triplicate messages in logs sent from remote hosts.

I have 3 hosts. 2 have rsyslogd 5.8.6 and the CentOS is 3.22 and they all
exhibit this same behavior, so this leads me to believe it is my
syslog-server's /etc/rsyslog.conf file.

On the CentOS host, I made one change to /etc/rsyslog.conf 
[code]*.* @syslog-server:514[/code] started the service and sent this via
logger: [code]logger “this is a test”[/code]

What I got was
[code]cat /kibana/vds64_centos55/root.log 
Sep 16 15:23:54 vds64_centos55 root: “this is a test”
Sep 16 15:23:54 vds64_centos55 root: “this is a test”
Sep 16 15:23:54 vds64_centos55 root: “this is a test[/code]

My syslog-server's /etc/rsyslog.conf is
[code]module(load="imuxsock") 
module(load="imklog")   
module(load="imudp") 

$template RemoteHost, "/kibana/%HOSTNAME%/%PROGRAMNAME%.log"

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RuleSet local
kern.*                                                  /var/log/messages
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$DefaultRuleset local

$RuleSet remote
kern.*                                                  ?RemoteHost
*.info;mail.none;authpriv.none;cron.none                ?RemoteHost
authpriv.*                                              ?RemoteHost
mail.*                                                  -?RemoteHost
cron.*                                                  ?RemoteHost
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          ?RemoteHost

*.* ?RemoteHost
authpriv.*   ?RemoteHost
*.info,mail.none,authpriv.none,cron.none   ?RemoteHost

$InputUDPServerBindRuleset remote
$UDPServerRun 514[/code]

I'm suffering from Analysis Paralysis on this issue and I would appreciate
anyone's help on this.

I ran a [code]rsyslogd -m5 -dn > logfile.txt[/code] and it is attached.

Thank you for your time.

More information about the rsyslog-notify mailing list